Advanced persistent threats (APTs) are targeting government entities and organisations in the energy, nuclear, water, aviation and critical manufacturing sectors, according to a US government report.
The report, issued by the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), contains indicators of compromise (IOCs) and technical details on the tactics, techniques and procedures (TTPs) used by APT actors on compromised victims’ networks.
Cyber attacks on critical national infrastructure (CNI) are a concern for most governments, and in August 2017 the UK government announced it was considering hefty fines for CNI providers with poor cyber security.
Providers of essential services who fail to implement effective cyber security measures could be fined as much as £17m or 4% of global turnover under measures being considered by the UK government.
The infrastructure security plans are being considered as part of a consultation launched on 8 August 2017 by the Department for Digital, Culture, Media and Sport (DCMS) to decide how to implement the European Union’s (EU’s) Network and Information Systems (NIS) Directive from May 2018.
In June 2017, a report by security certification body Crest revealed that a lack of standards-based technical security testing is putting industrial control environments and critical national infrastructure at risk of cyber attack.
According to the joint DHS/FBI report, the APT activity appears to be a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector.
Based on malware analysis and observed IOCs, the report said DHS believes the campaign, which began in May 2017, is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.
IOCs indicate the Dragonfly hacking group, which has been linked to attacks targeting energy firms in Europe, the US and Canada, may be responsible for the campaign.
The report is aimed at educating network defenders and enabling them to identify and reduce exposure to malicious activity.
This campaign, the report said, comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organisations such as trusted third party suppliers with less secure networks.
The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.
The threat actors in this campaign employed a variety of TTPs, including:
- Open-source reconnaissance, which means gathering information posted on company-controlled websites.
- Spear-phishing emails from compromised legitimate accounts with malicious attachments.
- Watering-hole attacks, which involve compromising the infrastructure of trusted organisations and posting malicious content to reach intended targets.
- Host-based exploitation.
- Industrial control system (ICS) infrastructure targeting.
- Ongoing credential gathering.
After achieving access to staging targets, the report said the threat actors installed tools to carry out their mission.
On one occasion, threat actors installed the free version of FortiClient, presumably for use as a VPN client to reach intended targets. Consistent with the goal of credential harvesting, the threat actor was also observed dropping and executing open-source and free tools such as Hydra, SecretsDump and CrackMapExec.
The threat actors achieved persistence through manipulating .lnk files to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local Windows repository.
The threat actors exploited this built-in Windows functionality by setting the icon path to a server they controlled. When the user browses to the directory, Windows attempts to load the icon and initiates an SMB (server message block) authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection.
The threat actors used this tactic in both virtual desktop infrastructure (VDI) and traditional environments, the report said.
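The .lnk technique above leaves a durable artefact on disk: a shortcut whose IconLocation string points at a UNC path on a host the organisation does not own. The following triage script is an added example, not code from the report; it parses the Shell Link binary format far enough to read IconLocation and flags shortcuts whose icon host is outside an assumed allowlist of trusted file servers. The sample .lnk is constructed inline using the documentation address 203.0.113.10.

```python
import re
import struct

# Shell Link (.lnk) header layout from the MS-SHLLINK spec. StringData sections
# follow the header in this fixed order, with ICON_LOCATION last.
HAS_ID_LIST, HAS_LINK_INFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, HAS_ICON)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def icon_location(data: bytes):
    """Return the IconLocation string from a .lnk blob, or None if it has none."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:        # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # skip LinkInfo (4-byte size that includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    if not flags & HAS_ICON:
        return None
    value = None
    for bit in STRING_FLAGS:       # walk the strings that are present; the last one read is IconLocation
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        value = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return value


def is_remote_icon(location, trusted_hosts=()):
    """True when the icon path is a UNC path (\\\\host\\share\\...) to a host outside
    trusted_hosts, i.e. rendering the shortcut makes the workstation open SMB to that host."""
    m = re.match(r"^\\\\([^\\]+)\\", location)
    if not m:
        return False
    return m.group(1).lower() not in {h.lower() for h in trusted_hosts}


def build_sample_lnk(icon):
    """Constructed fixture: a minimal .lnk whose only StringData is IconLocation."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ICON | IS_UNICODE)
    return header.ljust(0x4C, b"\x00") + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Run `is_remote_icon(icon_location(open(path, "rb").read()), trusted_hosts)` over every .lnk on a file share or VDI profile store; legitimate shortcuts to internal servers go on the allowlist, and anything else pointing off the network is a lead worth correlating with outbound TCP 445 traffic.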
The threat actors commonly use web shells to compromise publicly available servers to gain a foothold into internal networks. This activity has been observed on both web and email servers. The threat actors then establish an encrypted connection over port 443 to the web shell. Once connected, the threat actors download additional malicious files from the threat actors’ servers to the publicly available server.
Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. Specifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network. The threat actors viewed files pertaining to ICS (industrial control systems) or supervisory control and data acquisition (Scada) systems.
Industrial control systems
A successful attack on critical sectors that rely on industrial control systems (ICS) could have potentially catastrophic human and economic effects across all sectors, according to Joel Brenner, senior research fellow at the Massachusetts Institute of Technology (MIT).
“The capacity to undertake these attacks is now in the hands of criminal organisations as well as nation states,” he told the CyberSec European Cybersecurity Forum in Krakow.
“Although there is a certain amount of deterrence that affects nation states from doing these things, that deterrence does not work against criminal organisations,” said Brenner, a former inspector general at the US National Security Agency (NSA).
General best practice recommendations in the DHS/FBI report include:
- Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137.
- Block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the network.
- Monitor VPN logs for abnormal activity.
- Deploy web and email filters on the network.
- Segment any critical networks or control systems from business systems and networks.
- Ensure adequate logging and visibility on ingress and egress points.
- Ensure the use of PowerShell version 5, with enhanced logging enabled.
- Implement the prevention, detection, and mitigation strategies.
- Establish a training mechanism to inform users on proper email and web usage, and provide clear instructions on how to report unusual or suspicious emails.
- Implement application directory whitelisting.
- Block RDP connections originating from untrusted external addresses.
- Store system logs of mission critical systems for at least one year.
- Ensure applications are configured to log the proper level of detail for an incident response investigation.
- Establish least-privilege controls.
- Reduce the number of Active Directory domain and enterprise administrator accounts.
- Reset all user, administrator and service account credentials, and require complex passwords for all users.
- Ensure that accounts for network administration do not have external connectivity.
- Ensure that network administrators use non-privileged accounts for email and Internet access.
- Use two-factor authentication for all authentication.
- Implement a process for logging and auditing activities conducted by privileged accounts.
- Enable logging and alerting on privilege escalations and role changes.
- Periodically conduct searches of publicly available information to ensure no sensitive information has been disclosed.
- Create and participate in information sharing programs.