Cyber Espionage Group Targets Critical Infrastructure Using Old Hacking Tactics

Cyber Espionage Group Targets Critical Infrastructure Using Old Hacking Tactics

Cyberattacks against critical infrastructure – energy, nuclear, water, aviation and critical manufacturing sectors – in the US have been going on since May 2017, the US Computer Emergency Readiness Team (US-CERT) said in a rare technical alert notice.

Symantec, on the other hand, reported that cyberattacks against the energy infrastructure in some European countries and in the US have been underway since December 2015. Cisco researchers, meanwhile, reported that since at least May 2017, they have observed attackers targeting critical infrastructure and energy companies around the world, in particular, Europe and the US.

While US-CERT and Cisco didn’t name a particular group responsible for the ongoing cyberattacks against critical infrastructure, Symantec identifies the threat actors collectively known as “Dragonfly” as the group behind the cyberattacks against the energy sector. Symantec researchers said the group has been in operation since at least 2011.

Symantec dubbed Dragonfly’s latest campaign against the energy sector as “Dragonfly 2.0”, a campaign that started in late 2015 the most notable cyberattack of which was the attack against Ukraine’s power system in 2015 and 2016, resulting in power outages affecting hundreds of thousands of residents.

The US-CERT technical alert – the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), and the reports from Symantec and Cisco showed that old hacking tactics have been employed by the threat group.

Methods of Cyber Attacks

1. Malicious Emails

According to US-CERT, the threat group used malicious emails or phishing emails with the subject line such as “AGREEMENT & Confidential”. The group also used malicious Microsoft Word attachments that appear to be legitimate invitations, policy documents or curricula vitae for industrial control systems personnel to lure users to open the attachment, US-CERT said.

According to Symantec, one example of the malicious email campaign used by the threat group were emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.

Cisco researchers identified an email-based attack called "Phishery", targeting the energy sector, including nuclear power. Phishery became publicly available on GitHub in late 2016

“Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code,” Cisco researchers said. “In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer.”

2. Watering Holes

According to US-CERT and Symantec, the cyber espionage group used "watering holes" – websites that have legitimate content by reputable organizations but are altered by the threat group to have malicious content. Almost half of the known watering holes, the US Computer Emergency Readiness Team said, are reputable websites that offer information to those in the critical infrastructure sector.

According to US-CERT, the threat group uses “a similar SMB collection technique, the actors manipulated these websites by altering JavaScript and PHP files that redirect to an IP address on port 445 for credential harvesting.” In altering these reputable websites, US-CERT said that the threat actors most likely used legitimate credentials to access the website content directly.

“As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector,” Symantec said.

3. Social Engineering

These stolen network credentials, according to Symantec, were then used for follow-up attacks on the target critical infrastructure organization itself by delivering trojanized software – malicious software that’s disguised as legitimate software.

One of the trojans used by Dragonfly group is Karagany.B – malicious software that infiltrates computer systems of target organizations by masquerading as Flash updates. The group here used the old hacking tactic of social engineering – convincing victims they need to download software, in this case, an update for their Flash player.

The trojan Karagany.B enables attackers remote access to the victims’ computer systems and allows them to install additional malicious tools if needed. Another trojan used by the group, according to Symantec, is the trojan Heriplor – malicious software that also enables attackers remote access to the victims’ computer systems.

“Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly, and is one of the strongest indications that the group that targeted the western energy sector between 2011 and 2014 is the same group that is behind the more recent attacks,” Symantec said. “This custom malware is not available on the black market, and has not been observed being used by any other known attack groups.”

Symantec noted that Dragonfly’s origins cannot definitively be determined. While some of Dragonfly’s malware codes were written in Russian and French, Symantec noted, this could be a way to mislead people.

How to Prevent Dragonfly Attacks

To prevent Dragonfly attacks, the US-CERT recommends the following:

• Deploy web and email filters on the network.
• Configure these devices to scan for known bad domain names, sources, and addresses; block these before receiving and downloading messages.

• Scan all emails, attachments, and downloads (both on the host and at the mail gateway) with a reputable anti-virus solution that includes cloud reputation services.

• Segment any critical networks or control systems from business systems and networks according to industry best practices.

• Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing.

• Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.

• Ensure that accounts for network administration do not have external connectivity.

• Ensure that network administrators use non-privileged accounts for email and Internet access.

• Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).