DHS, FBI Issue Cyber Attack Alert

The Department of Homeland Security (DHS) and the FBI have issued an alert on a threat involving an “advanced persistent threat (APT)…targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors.”

According to DHS, the threat involves “a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis … DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.”

The alert reports that “since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns.”

The analysis identifies distinct indicators and behaviors related to this activity.

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party (TTPs) suppliers with less secure networks. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred to throughout this alert as “intended target.”

The threat actors in this campaign employed a variety of third parties, including:

  • open-source reconnaissance,
  • spear-phishing emails (from compromised legitimate accounts),
  • watering-hole domains,
  • host-based exploitation,
  • industrial control system (ICS) infrastructure targeting, and
  • ongoing credential gathering.

Writing for the website InfoSecurity, Tara Seals reports that “Industrial control systems (ICS) and critical infrastructure are common targets for cybercrime, with almost 40% of them facing a cyber-attack at some point in the second half of last year. According to Kaspersky Lab ICS research, the percentage of industrial computers under attack grew from 17% in July 2016 to more than 24% in December 2016. Every fourth targeted-attack detected by Kaspersky Lab in 2016 was aimed at industrial targets. The top three sources of infection were the internet, removable storage devices, and malicious email attachments and scripts embedded in the body of emails.”

The threat has been escalating for several years. Forbes’ Michael Assante disclosed in 2014 that “America’s critical infrastructure—the utilities, refineries, military defense systems, water treatment plants and other facilities on which we depend every day—has become its soft underbelly, the place where we are now most vulnerable to attack. Over the past 25 years, hundreds of thousands of analog controls in these facilities have been replaced with digital systems. Digital controls provide facility operators and managers with remote visibility and control over every aspect of their operations, including the flows and pressures in refineries, the generation and transmission of power in the electrical grid, and the temperatures in nuclear cooling towers. In doing so, they have made industrial facilities more efficient and more productive. But the same connectivity that managers use to collect data and control devices allows cyber attackers to get into control system networks to steal sensitive information, disrupt processes, and cause damage to equipment. Hackers, including those in China, Russia and the Middle East, have taken notice. While early control system breaches were random, accidental infections, industrial control systems today have become the object of targeted attacks by skilled and persistent adversaries.”

Frank Vernuccio serves as editor-in-chief of the New York Analysis of Policy and Government.
