DHS and the FBI have issued a joint technical alert warning that Russian hackers, including the Dragonfly group, are still targeting U.S. critical infrastructure.
The alert states that cyber actors have been targeting U.S. energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since at least 2016.
Symantec linked Dragonfly to attacks on Western energy firms in September. DHS and the FBI say the ultimate objective is to compromise organizational networks using a variety of methods, including spear-phishing campaigns and host-based exploitation.
The alert says the threat actors appear to have deliberately chosen the organizations they attacked, and gathered information on network and organizational design and on control system capabilities in order to craft targeted spear-phishing attempts. Analysis also revealed that the threat actors used compromised staging targets to download the source code of several intended targets' websites, and attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.
Weaponization relied on two spear-phishing TTPs: email attachments that abuse legitimate Microsoft Office functionality to retrieve a document from a remote server over the Server Message Block (SMB) protocol, and watering-hole domains, where the threat actors compromised the infrastructure of trusted organizations to reach their intended targets.
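The remote-document retrieval described above is driven by an external relationship inside the Office file's OOXML package (a .docx is a zip of XML parts), so a defender can triage an attachment without ever opening it in Office. The following checker is an added example, not code from the alert or from DHS/FBI; the sample document it builds is constructed inline, and 203.0.113.10 is a documentation-range placeholder, not an indicator from the alert.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple
from xml.etree import ElementTree as ET

# OOXML package-relationship namespace; every *.rels part inside a .docx uses it.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Targets Office would fetch from elsewhere: UNC (SMB) paths, file: URLs, http(s).
REMOTE_TARGET = re.compile(r"^(\\\\|file:|https?:)", re.IGNORECASE)


def find_external_targets(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """List (rels part, relationship type, target) for every External relationship."""
    hits: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def suspicious_remote_loads(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Keep external targets that are remote and auto-loaded (e.g. attachedTemplate),
    dropping ordinary hyperlinks, which are only followed when the user clicks."""
    return [h for h in find_external_targets(docx_bytes)
            if h[1] != "hyperlink" and REMOTE_TARGET.match(h[2])]


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx (only the parts the checker reads, not a full Word file):
    always one benign hyperlink; an attachedTemplate relationship when requested."""
    def rels(*items: str) -> str:
        return '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, "".join(items))
    link = '<Relationship Id="rId1" Type="%shyperlink" Target="https://example.org/" TargetMode="External"/>' % REL_TYPE
    tmpl = ('<Relationship Id="rId1" Type="%sattachedTemplate" Target="%s" TargetMode="External"/>'
            % (REL_TYPE, template_target)) if template_target else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels(link))
        z.writestr("word/_rels/settings.xml.rels", rels(tmpl))
    return buf.getvalue()
```

Run `suspicious_remote_loads(open("attachment.docx", "rb").read())` on a real attachment; a non-empty result pointing at a UNC path is the pattern worth blocking at the mail gateway, alongside egress filtering of outbound TCP 445.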
The alert includes full details of all the attack methods detected, along with detection and prevention measures for users and administrators.
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately.
Full details of the alert can be found here.