Trump Administration Warns of a Cyber Espionage Campaign Targeting Critical Infrastructure


Attackers continue to try to gain access to the networks of government and critical infrastructure companies, the US government has warned. Considering cyber espionage concerns, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have sent a warning to energy and industrial firms revealing that in their continued attacks, hackers have managed to successfully compromise networks "in some cases."

The state-sponsored hackers are actively targeting government departments, and companies working in the energy, nuclear, water, aviation, and other critical manufacturing sectors, to steal details of control systems. While this isn't the first time that the US government has warned companies and its federal departments to be aware of these attempts, this is possibly one of the most detailed warnings of what the Trump administration calls "Advanced Persistent Threat Activity."


The warning suggests that the "long term" campaign has been going on since at least May 2017. During these past several months, hackers have targeted numerous government entities and utility companies, along with nuclear and critical manufacturing sectors. The US Computer Emergency Readiness Team (US-CERT) warning adds that in some cases, hackers "have leveraged their capabilities to compromise victims' networks," suggesting successful intrusion.

The attacks initially target contractors and suppliers of these "critical infrastructure" companies

In their detailed warning, the government agencies have revealed that the campaign has long-term goals, starting with getting into the networks of smaller, lower-security organizations such as trusted third-party suppliers. The networks of these initial targets, also known as staging targets, are then used "as pivot points and malware repositories when targeting their final intended victims."

The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks.

After getting into these networks, the actors specifically look for contacts within the actual intended targets, along with network and organizational information that could help them breach those targets. The warning details how the hackers work their way through the networks using various techniques, including spear-phishing emails and weaponized attachments that are highly likely to be trusted, since they are sent from the breached accounts of trusted partners or suppliers.

The details published by US-CERT warn that the group is clearly "well resourced," uses a number of malware tools, and "is capable of launching attacks through multiple attack vectors while compromising numerous third party websites in the process."

"Its main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability."

The campaign not only installed backdoors; the intrusions were sophisticated enough to grab screen captures and employ other surveillance and data-stealing techniques, suggesting that a well-funded, state-sponsored group is involved. While the warning doesn't attribute the campaign to any particular country or threat actor, it does mention Dragonfly, a group that has previously been linked to attacks on energy companies.


"In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities," the report adds.

Considering the latest attempts, the government warns that the threat actors could now be entering a new phase, gaining access to operational systems "that could be used for more disruptive purposes in future." The alert doesn't go into detail about any particular companies that the hackers successfully managed to breach or what damage these attacks have done so far.

More details about this campaign, malware files, phishing and watering hole techniques, and recommendations for protection against it are shared in this alert.