The U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) have jointly released an alert warning of an advanced persistent threat (APT) campaign specifically targeting government entities and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors.
According to the alert, the attackers are targeting low-security networks at third-party suppliers, with the aim of gaining access and moving laterally into the networks of major targets in the energy sector.
“Based on malware analysis and observed [indicators of compromise], DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign,” the alert states.
The attackers appear to be using companies’ public-facing websites, which sometimes contain operationally sensitive information, to collect data for spear phishing attacks. “As an example, the threat actors downloaded a small photo from a publicly accessible human resources page,” the report states. “The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”
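A defender-side check for the exposure described above, added here as an example (it is not code from the alert or the article): it parses a page for images declared at a small display size and flags any whose stored resolution is far larger, the pattern of a thumbnail that expands into a detailed photo. The HTML, the PNG headers and the flagging threshold are all constructed for the example.

```python
import re
import struct
import zlib
from html.parser import HTMLParser

# Assumed threshold: stored pixels / displayed pixels at or above this is flagged.
OVERSIZE_RATIO = 4.0


def png_dimensions(data):
    """Read width and height from the IHDR chunk of a PNG byte string."""
    if data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])


class _ImgCollector(HTMLParser):
    """Collect every <img> tag's attributes (src, width, height, ...)."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _px(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_oversized_images(html, fetch):
    """Return images whose stored pixel count exceeds the displayed count by OVERSIZE_RATIO.
    fetch(src) returns the image bytes; here a dict lookup stands in for an HTTP client."""
    parser = _ImgCollector()
    parser.feed(html)
    flagged = []
    for img in parser.images:
        w, h = _px(img.get("width")), _px(img.get("height"))
        if not w or not h or "src" not in img:
            continue  # no declared display size, so nothing to compare against
        real_w, real_h = png_dimensions(fetch(img["src"]))
        ratio = (real_w * real_h) / (w * h)
        if ratio >= OVERSIZE_RATIO:
            flagged.append({"src": img["src"], "displayed": (w, h),
                            "stored": (real_w, real_h), "ratio": round(ratio, 1)})
    return flagged


def make_png_header(width, height):
    """Constructed stand-in: PNG signature plus a valid IHDR chunk, enough for png_dimensions()."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + crc


# Constructed sample page: a 160x120 thumbnail that is really a 4000x3000 photo, and a normal logo.
SAMPLE_HTML = ('<img src="team/plant-crew.png" width="160" height="120" alt="Plant crew">'
               '<img src="logo.png" width="200" height="50" alt="Logo">')
SAMPLE_SITE = {"team/plant-crew.png": make_png_header(4000, 3000),
               "logo.png": make_png_header(200, 50)}

if __name__ == "__main__":
    for hit in find_oversized_images(SAMPLE_HTML, SAMPLE_SITE.__getitem__):
        print(hit)
```

In practice the same check runs over crawled pages of the organization's own sites, with fetch() backed by an HTTP client and a JPEG header reader added alongside the PNG one.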
After compromising a third-party supplier, the attackers leverage it to develop watering holes designed to steal victims’ login credentials at target networks. “Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content,” the alert states. “Approximately half of the known watering holes are trade publications and information websites related to process control, ICS, or critical infrastructure.”
Once the target networks are accessed, the attackers conduct reconnaissance operations. “Specifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network,” the alert states. “The threat actors viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.”
In one case, the alert notes, the attackers accessed workstations and servers on a network containing data from control systems at energy generation facilities.
Beyond the Perimeter
Virsec Systems CEO Atiq Raza told eSecurity Planet that the attack methodology described in the alert fits an increasingly common pattern. “Rather than directly attacking high security networks, hackers are doing careful reconnaissance of connected third parties, staging servers or watering holes for insiders,” he said. “Once hackers steal credentials, or find a less secure backdoor, they can quickly pivot to more secure servers, bypassing traditional network perimeter security.”
“IT security needs to assume the perimeter is porous and focus more directly on guarding sensitive applications and data,” Raza added.
Paul Edon, international services director at Tripwire, said the attacks should serve as a reminder that many industrial control systems are now connected to corporate and business networks, and are vulnerable to online compromise as a result.
“There is no dispute that connectivity provides many business advantages, such as centralized management and control, remote engineering access, and resource consolidation,” Edon said. “However, it’s important to remember that it also brings with it a large number of additional risks, mainly increased attack vectors, exposure of inherently insecure and sometimes obsolete IT systems, and the opportunity for attackers to exploit vulnerabilities that may have been around for a decade or more but for various valid reasons have not been patched.”
“It is incumbent on those responsible to carry out detailed risk evaluations and to identify and implement the necessary security solutions to ensure the most effective security measures are applied,” Edon added. “Otherwise, there will be a major breach, and regardless of intention, we will experience an environmental disaster that could include a significant loss of life.”