By SecureWorld News Team
Tue | Oct 24, 2017 | 6:50 AM PDT

What you are about to read is the real story of a sophisticated, multi-stage cyber attack against the U.S. energy sector.

A US-CERT Alert says the attack technique was first discovered in Spring 2017 and continues now with a particular focus on electric utilities and the industrial Internet of Things including control systems.

Here is what the agencies are finding:

6-stage cyber attack against the energy sector

The Alert says attackers are using 6 stages to get inside utility networks and take critical information:

  1. open-source reconnaissance
  2. spear-phishing emails (from compromised legitimate accounts)
  3. watering-hole domains
  4. host-based exploitation
  5. industrial control system (ICS) infrastructure targeting
  6. ongoing credential gathering

Cyber reconnaissance and "staging targets"

The hackers choose "staging targets" first. These are typically third-party organizations that tend to be less secure and have an electronic relationship with the actual targets in the energy sector. And everything is intentional.

"The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks. DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations."

Cyber weaponization

At this point in the attack, recon has armed the attackers with potential targets who work at utilities, so they go phishing:

"Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol."
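The quoted technique relies on relationships inside the Office Open XML package that point at an external location, so a defender can find such documents before they are opened by inspecting the package's .rels parts. The scanner below is an added example, not code from the alert or from SecureWorld: it builds a minimal, constructed .docx-style zip (placeholder host name, no real document content) and reports any relationship with TargetMode="External" whose target is a UNC, file:, smb: or http(s) location, marking the relationship types that Word resolves automatically when the file opens.

```python
"""Scan Office Open XML relationship parts for external targets that would make
Word fetch content from a remote server (for example an SMB UNC path) as the
document opens.  Added example; the relationship XML below is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves on its own when the document loads, as
# opposed to a hyperlink the user has to click.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "image", "subDocument", "frame"}

# Targets that make the client reach out over the network (UNC, file:, smb:, http/https).
REMOTE_TARGET = re.compile(r"^(\\\\|//|file:|smb:|https?:)", re.IGNORECASE)

# Constructed sample parts: a benign internal relationship plus one external
# attached-template relationship.  The host name is a placeholder, not a real IoC.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_PREFIX}styles" Target="styles.xml"/>
</Relationships>"""

SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_PREFIX}attachedTemplate"
                Target="file://REMOTE-HOST-PLACEHOLDER/share/template.dotm" TargetMode="External"/>
</Relationships>"""


def build_sample_package(include_external: bool) -> bytes:
    """Build an in-memory zip shaped like a .docx, with just the .rels parts a
    scanner needs (constructed fixture; not a complete or usable document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/document.xml.rels", BENIGN_RELS)
        if include_external:
            zf.writestr("word/_rels/settings.xml.rels", SUSPICIOUS_RELS)
    return buf.getvalue()


def find_external_relationships(package_bytes: bytes) -> list:
    """Return one finding per external relationship with a remote target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                if not REMOTE_TARGET.match(target):
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": target,
                    "auto_fetch": rel_type in AUTO_FETCH_TYPES,
                })
    return findings


if __name__ == "__main__":
    for label, pkg in (("benign", build_sample_package(False)),
                       ("suspicious", build_sample_package(True))):
        print(label, find_external_relationships(pkg))
```

Run on real mail attachments, the same loop applies unchanged because every Office Open XML file (.docx, .xlsx, .pptx) stores its relationships in the same place; a hit with auto_fetch set to true is the case worth quarantining, since no user action beyond opening the file is needed for the outbound connection.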

Delivery to cyber targets using familiar naming conventions

Are humans the weakest link in your company's defenses? Clearly, some of us are still falling for the old trick of familiar file names that beg to be opened. That's what happens next:

"The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment."

Exploitation through utility 'watering hole' domains

Then bad actors use a really dirty trick of compromising websites and content these utility workers turn to for information.

"One of the threat actors’ primary uses for staging targets is to develop watering holes. The threat actors compromise the infrastructure of trusted organizations to reach intended targets. [4] Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure."

Installation once inside a target's network

DHS and FBI research shows that everything up to this point has been about gaining access to the network, which the bad actors have now accomplished. Next, the attackers go after administrator-level privileges by running a script.

"The malicious script created a user account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group for elevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English. In addition, the threat actors also created a scheduled task “reset”, which was designed to automatically log out of their newly created account every eight hours."

Creating accounts that mimic human behavior by logging out every eight hours is a clever way to blend in. The attackers then continue their reconnaissance, creating further user accounts that appear legitimate on the network, and make their way to the technical details they are after: industrial control system mapping.
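Each step of the script quoted above leaves a distinct Windows Security event, and the steps land on one host within seconds of each other, so the pattern is easier to catch by correlating events than by looking for any one of them. The correlator below is an added example, not from the alert or from SecureWorld; its event records are constructed and simplified (the fields are not a full copy of the Windows event schema). Note the language point the alert raises: the script hard-coded the localized names of the administrators group, whereas the detection matches on the group's well-known SID, S-1-5-32-544, which is the same in every language.

```python
"""Correlate Windows Security events matching the host-based installation
pattern described in the alert: a new local account, the host firewall turned
off, a rule exposing TCP 3389, the account added to local Administrators, and a
scheduled task that logs the account off periodically.  Added example with
constructed, simplified event records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known SID of the local Administrators group; identical regardless of the
# display language ("Administrators", "Administratoren", "Administrateurs", ...).
ADMINS_SID = "S-1-5-32-544"

WINDOW = timedelta(minutes=30)   # all stages must fall inside this window
MIN_STAGES = 3                   # how many distinct stages trigger an alert

# Constructed sample events.  Event IDs are the real Windows ones
# (4720 account created, 4950 firewall setting changed, 4946 firewall rule added,
# 4732 member added to local group, 4698 scheduled task created); the other
# fields are simplified for the example.
SAMPLE_EVENTS = [
    {"time": "2017-10-01T02:00:10", "host": "ENG-WS-07", "id": 4720, "target_user": "svc_update"},
    {"time": "2017-10-01T02:00:11", "host": "ENG-WS-07", "id": 4950, "setting": "Operational mode", "value": "Off"},
    {"time": "2017-10-01T02:00:12", "host": "ENG-WS-07", "id": 4946, "rule_name": "Allow TCP 3389 inbound"},
    {"time": "2017-10-01T02:00:13", "host": "ENG-WS-07", "id": 4732, "member": "svc_update",
     "group_sid": ADMINS_SID, "group_name": "Administratoren"},
    {"time": "2017-10-01T02:00:14", "host": "ENG-WS-07", "id": 4698, "task_name": "\\reset",
     "task_content": "<Command>logoff.exe</Command>"},
    # Benign activity on another host: helpdesk creates a user and, hours later,
    # adds it to Remote Desktop Users (not Administrators).
    {"time": "2017-10-01T09:15:00", "host": "HR-WS-02", "id": 4720, "target_user": "jdoe"},
    {"time": "2017-10-01T17:40:00", "host": "HR-WS-02", "id": 4732, "member": "jdoe",
     "group_sid": "S-1-5-32-555", "group_name": "Remote Desktop Users"},
]


def classify(ev: dict):
    """Map one event to the attack stage it evidences, or None."""
    i = ev["id"]
    if i == 4720:
        return "account_created"
    if i == 4950 and ev.get("setting") == "Operational mode" and ev.get("value") == "Off":
        return "firewall_disabled"
    if i == 4946 and "3389" in ev.get("rule_name", ""):
        # Simplified: the real 4946 carries only the rule name, so production
        # logic would look the rule up to confirm the port it opens.
        return "rdp_exposed"
    if i == 4732 and ev.get("group_sid") == ADMINS_SID:
        return "added_to_admins"          # SID match, so localized group names do not matter
    if i == 4698 and "logoff" in ev.get("task_content", "").lower():
        return "periodic_logoff_task"
    return None


def correlate(events, window=WINDOW, min_stages=MIN_STAGES) -> list:
    """Return one alert per host whose events show min_stages distinct stages
    inside a sliding time window, with the account names involved."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage, ev))

    alerts = []
    for host, hits in by_host.items():
        for start, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[start:] if h[0] - t0 <= window]
            stages = {h[1] for h in in_window}
            if len(stages) < min_stages:
                continue
            accounts = {h[2].get("target_user") or h[2].get("member")
                        for h in in_window if h[1] in ("account_created", "added_to_admins")}
            alerts.append({"host": host,
                           "stages": sorted(stages),
                           "accounts": sorted(a for a in accounts if a),
                           "first_seen": t0.isoformat()})
            break   # one alert per host is enough here
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window and stage threshold are the tuning knobs: the script in the alert completes its work in seconds, so a short window with three or more stages keeps legitimate administration (an account created in the morning and promoted in the afternoon) out of the alert queue while still firing on the scripted sequence.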

"Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. Specifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network. The threat actors viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were originally named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”)."

There is much more to this story, and if you are in the energy sector or part of any utility, you are encouraged to read US-CERT Alert TA17-293A.

This advanced, persistent threat continues, and the Alert may help you protect your organization and the customers you serve.
