US-CERT has issued an advisory warning that the Russian government is targeting energy, nuclear and other critical infrastructure sectors. The advisory follows the US government's announcement of sanctions on Russian spy agencies and individuals.
According to the CERT advisory, a joint analysis by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) has found evidence that Russia has been actively targeting critical infrastructure in the United States. The advisory focuses on indicators of compromise (IOCs) and technical details of the tactics and techniques used, to help grid operators limit their exposure.
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
The US government has said that the Russian hackers are engaged in an ongoing attack against the country's energy sector. The intelligence agencies have characterized this activity as a "multi-stage intrusion campaign by Russian government cyber actors" who are targeting small commercial facilities’ networks with spear phishing and malware to gain remote access into energy sector networks.
After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
The alert says that, instead of directly attacking their targets, the Russian government hackers deliberately chose organizations (staging targets) that had preexisting relationships with many of the intended targets. Using these compromised staging targets, they managed to download the source code for several intended targets’ websites. "Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections," the advisory reads.
Hackers allegedly linked to Russia used email attachments to start their attacks
US-CERT reports that throughout their campaigns, Russian-sponsored hackers used email attachments that leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol.
"As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file," the advisory adds. "After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication."
The report suggests that, using these staging targets, the attackers developed watering holes, guessing the websites and publications most visited by employees of the actual target organizations and using them to host malware. By stealing credentials from staging targets, they were able to access and modify website content to host malware. [More technical details are available over at US-CERT.]
It appears we are going to hear a lot about Russia in the coming days. After the poisoning allegations in London, the Kremlin seems to have attracted attention from several countries, which has resulted in sanctions from both the UK and the US. While the UK has directly retaliated against the attack on the informant, the US sanctions are in response to the 2016 election meddling and the ongoing cyberattacks.
- Originally posted on March 15.