The U.S. government has released an important cybersecurity alert that confirms Russian government cyberattacks are targeting energy and other critical infrastructure sectors in the United States.
While there has recently been a significant rise in cyberattacks and threats in the critical infrastructure industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case the threat actor and their strategic intent have been clearly confirmed within this U.S. Computer Emergency Readiness Team (US-CERT) alert, something the U.S. government rarely does publicly.
The US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IOCs), and a long list of detection and prevention measures. Many of the attack tactics are like Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly. Here we will examine the details of the US-CERT alert and offer clear steps that critical infrastructure organizations can take to protect themselves in the future.
Multi-Stage Campaigns Provide Opportunities for Early Detection
The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign in which Russian cyber actors conducted spear phishing to gain remote access into targeted industrial networks. After obtaining access, the threat actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
This pattern of behavior is typical of APTs (Advanced Persistent Threat). APTs occur over an extended period of time, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for the APT to go unobserved before their final attack.
For example, the Russian cyberattacks started by infecting staging targets, which are peripheral organizations such as trusted third-party suppliers, as pivot points for attacking the final intended targets.
The attackers in this case used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets.
- Altering trade publication websites, indicating inadequate security practices
- Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
- Analyzing publicly available photos that inadvertently contained information about industrial systems
The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.
The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was described for the Dragonfly 2.0 attacks. This is a distinctive tactic. SMB is usually only used to communicate within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls are locked down for outbound service restrictions.
The credentials of the intended targets were used to access the victims' networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The purposes ranged from creating additional accounts to clean-up activity.
Next, tools were downloaded from a remote server that manipulated Microsoft Windows shortcut files and the registry to gather and store user credentials. The attackers also used the infrastructure of staging targets to connect to intended targets using the stolen credentials and remote access services.
An ICS reconnaissance phase followed, which included tactics like:
- Using batch scripts to enumerate the industrial control network
- Using scheduled tasks and a screenshot utility to capture the screens of systems across the network
- Using text files to hold lists of host information
- Accessing computers on the corporate network to collect data about control and SCADA systems, including ICS vendor names and reference documents
- Gathering profile and configuration information for ICS systems
The threat actors also conducted activity to hide their tracks, such as clearing logs and removing malware applications, registry keys and screen captures.
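The account-creation and log-clearing behaviour described above is what a host-side correlation rule should catch. The following is an added example (not code from the alert or from any vendor product) that walks constructed Windows Security log records and raises alerts when a freshly created local account is promoted to Administrators, when several such accounts appear on one host, and when the audit log is cleared. The event IDs (4720, 4732, 1102) are the standard Windows ones; the hostnames, account names and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log records for illustration (not from the alert).
# Event IDs are the standard ones: 4720 = user account created,
# 4732 = member added to a security-enabled local group, 1102 = audit log cleared.
EVENTS = [
    {"ts": "2018-03-10T02:01:00", "id": 4720, "host": "HMI-01", "subject": "eng01", "target": "svc-backup"},
    {"ts": "2018-03-10T02:03:30", "id": 4732, "host": "HMI-01", "subject": "eng01", "target": "svc-backup", "group": "Administrators"},
    {"ts": "2018-03-10T02:05:00", "id": 4720, "host": "HMI-01", "subject": "eng01", "target": "svc-cleanup"},
    {"ts": "2018-03-10T02:06:10", "id": 4732, "host": "HMI-01", "subject": "eng01", "target": "svc-cleanup", "group": "Administrators"},
    {"ts": "2018-03-10T03:00:00", "id": 1102, "host": "HMI-01", "subject": "svc-cleanup"},
    {"ts": "2018-03-11T09:00:00", "id": 4720, "host": "ENG-WS", "subject": "itadmin", "target": "newhire"},
    {"ts": "2018-03-11T09:00:30", "id": 4732, "host": "ENG-WS", "subject": "itadmin", "target": "newhire", "group": "Remote Desktop Users"},
]

# A creation followed by an admin-group add within this window is treated as suspicious.
PROMOTION_WINDOW = timedelta(minutes=15)

def correlate(events, window=PROMOTION_WINDOW):
    """Return (rule, host, detail) tuples for the behaviours the alert describes."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    created = {}    # (host, account) -> creation time
    promoted = {}   # host -> set of newly created accounts that became local admins
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4720:
            created[(e["host"], e["target"])] = t
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            c = created.get((e["host"], e["target"]))
            if c is not None and t - c <= window:
                alerts.append(("new_account_promoted_to_admin", e["host"], e["target"]))
                promoted.setdefault(e["host"], set()).add(e["target"])
        elif e["id"] == 1102:
            # Log clearing is always worth an alert; note when a new admin account did it.
            by_new = e["subject"] in promoted.get(e["host"], set())
            alerts.append(("audit_log_cleared", e["host"], "by_new_admin" if by_new else "by_" + e["subject"]))
    for host, accts in promoted.items():
        if len(accts) >= 2:
            alerts.append(("multiple_new_local_admins", host, len(accts)))
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The ENG-WS records show a normal new-hire flow (added to Remote Desktop Users, not Administrators) and produce no alert, so the rule is not simply "any new account".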
While long on details about the infection and reconnaissance phases of the Russian cyberattacks, the US-CERT advisory is notably lacking in any details about what equipment was targeted and what disruption was intended.
The goal of the advisory is to provide the intended targets, which in this case are critical infrastructure systems, with a wide set of clues for determining if your facility is infected. If so, you need to eradicate the infection and report it to authorities.
What to Do Next
The list of detection and prevention measures provided in the US-CERT alert (TA18-074A) is extensive. Anyone glancing at the list will realize it will take a lot of manpower and focus to do all the log and file checking, as well as the security improvements that are recommended.
A key technique used to accomplish this type of monitoring is hybrid threat detection. This is the use of signatures plus behavior-based anomaly detection to identify threats. The results are correlated with each other and with operational context, providing rapid insight into what is happening, thereby reducing mitigation time.
YARA rules are a signature approach: a library of advanced scripts that check for the presence of malware IOCs. Each rule aggregates checks for multiple IOCs belonging to one malware family, reducing manual threat detection work. Developed by an open community of global security researchers, the YARA rule library grows as fast as the collective body of knowledge. YARA rules exist today for Dragonfly 2.0, and good ICS monitoring solutions include them.
The behavior-based anomaly detection approach is relevant in the case of the Russian cyberattacks as it would detect unusual behavior such as:
- Improper/new outbound connections, like an external command and control server using the SMB protocol
- New users sending traffic over the network
- Unusual traffic patterns
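The outbound-SMB tactic noted earlier and the three behaviours just listed can be expressed as simple rules over network flow records. Below is an added example (not code from the alert or from any monitoring product) that runs such rules over a constructed set of flows: SMB to a non-RFC 1918 address, an account not in the segment's learned baseline, and one source fanning out to many internal hosts (the enumeration pattern from the reconnaissance phase). The addresses, account names, baseline and the fan-out threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for illustration (not from the alert):
# source host, account seen on the session, destination, destination port.
FLOWS = [
    {"src": "10.1.5.20", "user": "eng01",   "dst": "10.1.5.10",    "dport": 445},
    {"src": "10.1.5.21", "user": "eng02",   "dst": "203.0.113.45", "dport": 445},
    {"src": "10.1.5.22", "user": "svc-new", "dst": "10.1.5.10",    "dport": 445},
    {"src": "10.1.5.20", "user": "eng01",   "dst": "198.51.100.9", "dport": 443},
    {"src": "10.1.5.30", "user": "eng02",   "dst": "10.1.5.1",     "dport": 445},
    {"src": "10.1.5.30", "user": "eng02",   "dst": "10.1.5.2",     "dport": 445},
    {"src": "10.1.5.30", "user": "eng02",   "dst": "10.1.5.3",     "dport": 445},
    {"src": "10.1.5.30", "user": "eng02",   "dst": "10.1.5.4",     "dport": 445},
]

# Learned baseline (constructed): accounts previously seen on this segment.
KNOWN_USERS = {"eng01", "eng02"}
SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 3  # distinct internal hosts per source before we call it enumeration

# Assumed internal address space: RFC 1918 only (so documentation ranges count as external).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    """True when the destination lies outside the assumed internal address space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(flows, known_users=KNOWN_USERS, fanout=FANOUT_THRESHOLD):
    """Return (rule, source, detail) tuples for the three behaviours above."""
    alerts = []
    internal_targets = defaultdict(set)
    for f in flows:
        # 1. SMB should stay inside the LAN; an SMB session to a public address is C2-like.
        if f["dport"] in SMB_PORTS and is_external(f["dst"]):
            alerts.append(("outbound_smb_external", f["src"], f["dst"]))
        # 2. An account never seen on the segment before is worth a look.
        if f["user"] not in known_users:
            alerts.append(("new_user_on_segment", f["src"], f["user"]))
        # 3. Track per-source fan-out to internal hosts for the enumeration check.
        if not is_external(f["dst"]):
            internal_targets[f["src"]].add(f["dst"])
    for src, dsts in internal_targets.items():
        if len(dsts) >= fanout:
            alerts.append(("internal_fanout", src, len(dsts)))
    return alerts

if __name__ == "__main__":
    for a in detect(FLOWS):
        print(a)
```

Internal SMB (the first and third flows) is deliberately not flagged on its own, matching the point that SMB inside the LAN is normal and only the outbound direction is distinctive.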
If you are starting to check your system for evidence of the Russian cyberattacks, extensive log checking is necessary, as identified in the US-CERT alert.
To help you efficiently deal with the risk level and workload associated with this alert, consider a real-time cybersecurity and operational visibility solution with hybrid threat detection to automatically handle a great deal of the work.
Whenever the government puts out a warning, organizations should take note and prioritize their cybersecurity defenses. Especially for attacks on critical infrastructure, it’s known that nation-state threat actors have been infecting and doing reconnaissance on systems such as the power grid for a number of years and the recent US-CERT warning from last week clearly confirms this.
Here are prescriptive recommendations of steps to take following a US-CERT Alert:
- Asset owners should set their firewall policies to restrict outbound communication services. Block SMB as an allowed outbound communication protocol.
- Asset owners should ensure passwords are complex and long. Use two-factor authentication whenever possible.
- Direct people to change passwords, especially passwords related to critical systems and administrator passwords.
- Communicate to staff the seriousness of the situation, asking everyone to be on guard for suspicious emails, activities or people at facilities.
- Have key staff available and on standby emergency mode.
- Review your incident response and outage plans.
- Review all administrator accounts. Identify and disable unauthorized ones.
- Make sure that physical defenses are high. If there are hardware keys to prevent programming of ICS systems, they should be checked and not be left in program mode.
- Prioritize checking networks for anomalous behavior and Indicators of Compromise (IOCs). Fortunately, there is technology available for passive network monitoring that can be rapidly deployed and that can automatically and quickly check for IOCs.
- Eradicate IOCs from networks.
- Harden firewall rules, restricting both inbound and outbound communication between networks and segments within the industrial networks. This includes restricting outbound protocols to a minimum set that excludes SMB.
- Implement real-time cybersecurity and operational visibility solutions that will help provide early warning of APTs and allow action to be taken to eradicate infections before they cause damage.
- Implement real-time monitoring and alert correlation to reduce the workload involved in checking for the presence of IOCs.
- Industrial companies should only publicly disclose the minimum information required in each situation.
- Industry website owners should ensure their systems are protected with strong authentication requirements and staff are trained on cyber social engineering risks.
The Threat to Critical Infrastructure is Here to Stay
This US-CERT alert is a milestone. It makes it perfectly clear that the U.S. infrastructure and critical manufacturing sectors, and likely the same sectors in other countries, are highly vulnerable to Russian attacks.
Not only will it happen again, but chances are high that the next attack is already underway and we just haven’t heard about it yet. Cyber threats to national critical infrastructure are a reality that most likely will never go away. With more unprotected devices making their way into operational networks, and with ransomware, hacktivism and nation-state attacks on the rise, owners of critical infrastructure can no longer afford to gamble with weaknesses in ICS security.
Fortunately, CISOs are taking notice, security budgets are growing, and a new generation of ICS security solutions is available to assist. These advances in technology are making it easier to reduce risks and improve resilience.