Russian cyber threats on energy, marine and aviation sectors

On 15 March 2018, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint technical alert on Russian government cyber activity targeting organisations in the energy, marine, aviation and other manufacturing sectors.

This DHS and FBI technical alert seeks to educate network defenders and enhance their ability to identify and reduce exposure to malicious activity by providing a thorough walkthrough of how an organisation becomes exposed, together with recommendations for detection and prevention. The DHS and FBI characterised these cyber activities as a “multi-stage intrusion campaign by Russian government cyber actors” to gain access to an organisation’s network controls.


Stage one of the campaign is reconnaissance. Cyber actors deliberately select “staging targets”, organisations that hold pre-existing relationships to the intended targets, by accessing publicly-available information. Using what appears to be innocuous information, such as a small photo from a human resources page, the cyber actors can gather operationally-sensitive information to initiate the next stage of their attack.

Stage two of the campaign is weaponisation. Using compromised information from vulnerable staging targets, cyber actors develop targeted spear-phishing emails or watering-hole domains to formulate their attack against the intended targets.

Stage three is delivery. Cyber actors use spear-phishing emails that, for example, carry a generic contract agreement theme (for example, ‘Agreement & Confidential’) and a generic PDF attachment titled “``document.pdf” (note in particular the two leading back ticks as a sign of a potentially harmful document). The PDF itself is not malicious and does not contain any active code. Rather, the document contains a shortened URL that, when clicked, leads users to a website that prompts them for their email address and password. Cyber actors have also used, and continue to use, spear-phishing emails to target industrial control systems personnel in order to gain access to critical network controls.

Stage four is exploitation. Using distinct and unusual tactics, techniques and procedures, cyber actors exploit vulnerable staging targets. For instance, emails would contain successive redirects, with a final redirect to a website containing input fields for an email address and password that mimicked a legitimate login page. Another commonly used tactic for capturing user credentials is malicious .docx files. These files connect to a command and control server, usually controlled by the cyber actors, which prompts users to authenticate to the domain with their username and password.

Stage five is installation. Once cyber actors have obtained compromised credentials to access a victim’s network, they create local administrator accounts within the staging target’s network and begin placing malicious files within the intended targets. While inside, cyber actors deploy password-cracking and downloader tools to harvest as much information as possible from the intended target. Cyber actors can also manipulate LNK files, commonly known as Microsoft Windows shortcut files, to repeatedly gather user credentials.

Stage six is the command-and-control phase, where cyber actors create web shells on the intended target’s publicly accessible email and web servers. These serve as templates to further infiltrate the intended target’s networks.

Stage seven is actions on objectives. Once cyber actors control the infrastructure of staging targets, they leverage remote access services and programs such as VPN, RDP, and Outlook Web Access to connect to the intended targets. Upon gaining access to the intended targets, cyber actors begin internal reconnaissance and siphon sensitive information using various scripts and commands. To avoid detection, cyber actors create new accounts to perform cleanup operations to cover their tracks, making any responses to ongoing attacks more difficult.

To prevent these cyberattacks, the DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA/Snort signatures provided in the alert and watch for them as indicators that malicious activity is occurring within their organisation. Reviewing network perimeter netflow will also help determine whether a network has experienced suspicious activity. A full list of preventative measures can be found in the joint technical alert.
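As an illustration of the review the alert recommends, the following script (an added example for this article, not code from the alert or from Clyde & Co) matches perimeter netflow records and file hashes against an indicator watch list. The flow record format, the internal address ranges, and every indicator value are constructed placeholders; in practice the sets would be populated with the IP addresses, domain names and hashes published in the technical alert. It also flags inbound RDP from external addresses for manual review, since the alert names RDP among the remote access services the actors use to reach intended targets.

```python
"""Review constructed perimeter netflow records and file hashes against an
IoC watch list. Added example for this article; not code from the alert.
Every indicator and address below is a constructed placeholder."""
import ipaddress
from dataclasses import dataclass

# Placeholder indicators (constructed). Replace with the IP addresses,
# domain names and file hashes published in the technical alert.
IOC_IPS = {"203.0.113.10", "198.51.100.23"}
IOC_DOMAINS = {"staging-partner.invalid"}
IOC_SHA256 = {"a" * 64}

# Assumed internal address space of the organisation under review.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
RDP_PORT = 3389  # remote access service named in the alert (stage seven)


@dataclass(frozen=True)
class Finding:
    record: str
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse one constructed flow record: src_ip,dst_ip,dst_port,bytes,dns_name.
    Returns None for malformed lines so a bad export does not abort the review."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        return None
    src, dst, port, nbytes, name = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"src": src, "dst": dst, "port": int(port),
                "bytes": int(nbytes), "name": name.lower()}
    except ValueError:
        return None


def review_flows(lines):
    """Return findings for flows touching IoCs or inbound RDP from outside."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow["dst"] in IOC_IPS or flow["src"] in IOC_IPS:
            findings.append(Finding(line, "peer address is on the IoC list"))
        elif flow["name"] in IOC_DOMAINS:
            findings.append(Finding(
                line, f"resolved name {flow['name']} is on the IoC list"))
        elif (flow["port"] == RDP_PORT and not is_internal(flow["src"])
              and is_internal(flow["dst"])):
            findings.append(Finding(
                line, "inbound RDP from an external address; "
                      "verify against the remote-access allow-list"))
    return findings


def review_hashes(hash_lines):
    """Match 'sha256  path' lines (sha256sum style) against IoC hashes."""
    hits = []
    for line in hash_lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        digest, path = parts
        if digest.lower() in IOC_SHA256:
            hits.append(Finding(line, f"file {path} matches a known-bad hash"))
    return hits


# Constructed sample input, not real traffic or real files.
SAMPLE_FLOWS = [
    "10.1.2.3,203.0.113.10,443,5120,",
    "10.1.2.4,93.184.216.34,443,2048,www.example.com",
    "10.1.2.5,198.51.100.77,80,900,staging-partner.invalid",
    "192.0.2.9,10.1.2.10,3389,70000,",
    "10.1.2.6,10.1.2.7,3389,300,",
    "malformed line",
]
SAMPLE_HASHES = [
    "a" * 64 + "  C:/Users/Public/document.pdf",
    "b" * 64 + "  C:/Windows/System32/notepad.exe",
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS) + review_hashes(SAMPLE_HASHES):
        print(f"{finding.reason}: {finding.record}")
```

The three checks are deliberately ordered from most to least specific: an exact indicator match is reported on its own, and the RDP rule only produces a review item when no indicator matched, so an analyst sees one reason per record rather than a pile of overlapping alerts.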

Read the full DHS and FBI technical alerts:

Alert (TA18-074A): https://www.us-cert.gov/ncas/alerts/TA18-074A

Alert (TA18-106A): https://www.us-cert.gov/ncas/alerts/TA18-106A

Contributed by Joe Walsh, partner, and David Shyu, associate, at Clyde & Co
