This article was updated on October 1, 2019.
The U.S. government has just released an important cyber security alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.
While there has recently been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case the threat actor and their strategic intent has been clearly confirmed, something the U.S. government rarely does publicly.
In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IOCs), and a long list of detection and prevention measures. Many of the attack tactics are like Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly. The Nozomi Networks solution ships today with an analysis toolkit that identifies the presence of Dragonfly 2.0 IOCs.
This article is intended to help you gain perspective on this recent alert, provide additional guidance on what security measures to take, and describe how the Nozomi Networks solution can help.
Multi-Stage Campaigns Provide Opportunities for Early Detection
The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign where Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat vectors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.
In this case the Russian cyberattacks started by infecting staging targets, which are peripheral organizations, such as trusted third-party suppliers, as pivot points for attacking the final intended targets.
The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:
- Altering trade publication websites
- Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
- Analyzing publicly available photos that inadvertently contained information about industrial systems
The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.
The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was described for the Dragonfly 2.0 attacks.This is a distinctive tactic. SMB is usually only used to communicate within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls are locked down for outbound service restrictions.
The credentials of the intended targets were used to access victim’s networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creation of additional accounts to cleanup activity.
Next, tools were downloaded from a remote server, which manipulated Microsoft Window’s shortcut files and registries to gather and store user credentials. They also used the infrastructure of staging targets to connect to intended targets using the stolen credentials and remote access services.
An ICS reconnaissance phase followed, which included tactics like:
- Using batch scripts to enumerate the industrial control network
- Using scheduled tasks and a screenshot utility to capture the screens of systems across the network
- Using text files to hold lists of host information
- Accessing computers on the corporate network to take data output about control and SCADA systems, including ICS vendor names and reference documents
- Gathering profile and configuration information for ICS systems
The threat actors also conducted activity to hide their tracks, such as clearing logs and removing malware applications, registry keys and screen captures.
While long on details about the infection and reconnaissance phases of the Russian cyberattacks, the US-Cert advisory is notably, but not surprisingly, lacking in detail about what equipment was targeted and what disruption was intended.
The goal of the advisory is to provide the intended targets, which are asset owners like you, with a wide set of clues for determining if your facility is infected. If so, you need to eradicate the infection and report it to authorities.
Hybrid Threat Detection Identifies APTs and Greatly Reduces Monitoring Efforts
The list of detection and prevention measures provided in the Alert (TA18-074A) is extensive. Anyone glancing at the list will realize that it will take a lot of manpower and focus to do all the log and file checking, as well as the security improvements recommended.
There is where the Nozomi Networks solution can help. It ships today with an analysis toolkit that identifies Dragonfly 2.0, it automates ongoing monitoring for the presence of the campaign, and it makes responding to infection indicators more efficient.
A key technique used to accomplish this is hybrid threat detection. This is the use of signatures plus behavior-based anomaly detection to identify threats and risks. The results are correlated with each other and with operational context, providing rapid insight into what is happening, thereby reducing mitigation time.
Advanced Persistent Threats: General Attack Phases
Yara rules are a library of advanced scripts that check for the presence of malware IOCs. They aggregate checking for multiple IOCs for a malware, reducing manual threat detection work. Developed by an open community of global security researchers, the Yara rules library innovates as fast as the collective body of knowledge.
Nozomi Networks Guardian embeds Yara rules in its platform, and ships today with the Yara rules for Dragonfly 2.0.
Assertions are a variation of the Nozomi Networks query tool that provides real-time information on any aspect of device attributes, network communication, cyber risks and process variables. While queries check whether a condition exists right now, assertions can be used to regularly check that a specific IOC does not exist. If it is found at some future point in time, an alert is generated which can be sent to another security application, such as a SIEM.
Nozomi Networks Customer Efficiently Checks for IOCs
“I’ve also added IOCs [indicators of compromise] as I get them through the cyber security community. So, in a matter of moments, I can identify, and promptly address, any issues.”
Kris Smith, Manager Operations Engineering, Vermont Electric Cooperative
Mr. Smith is describing how he uses Nozomi Networks queries and assertions to check for IOCs that are provided to him through E-ISAC (Electricity Information Sharing and Analysis Center) and other sources.
Anomaly detection is a foundation of Guardian’s hybrid threat detection and it is the ability to learn normal network and process behavior. Baselines are established, and variations from them are an indicator of suspicious activity. In the case of the Russian cyberattacks, anomaly detection would detect unusual behavior such as:
- Improper / new outbound connections, such as those to an external command and control server using the SMB protocol
- New users sending traffic over the network
- Unusual traffic patterns
If you are starting today to check your system for evidence of the Russian cyberattacks, you will need to do the extensive log checking identified in the US-Cert alert. However, if you deploy Guardian, a great deal of that work would be automated thanks to anomaly detection.
Russian Cyberattacks – What to Do Next
This US-CERT alert is a milestone. It makes it perfectly clear that U.S. infrastructure and critical manufacturing sectors are under Russian cyberattack.
If your organization is in one of the targeted sectors, now is the time to check for and eradicate the malware before a final ICS attack occurs. Even if your operation is in another country or another sector, you likely want to do the same thing.
To help you efficiently deal with the risk level and workload associate with this alert, consider a real-time cyber security and operational visibility solution. We offer one, and we know from in-depth field feedback that ours is easy to deploy and quick to provide results.
If you would like find out more, contact us today.
Related Content to Download
The mitigation brief below, while for Industroyer, explains how our passive ICS monitoring solution uses hybrid threat detection to identify persistent threats and remediate them before damage can be done. The same capabilities apply to TRITON.
Nozomi Networks Industroyer Mitigation Brief
This brief explains:
3 main phases of Industroyer
How anomaly detection mitigates impacts
What Yara rules are and how they help
How “assertions” facilitate threat hunting
How real-time ICS monitoring provides cyber resiliency
- UScert.gov: Alert (TA18-074A) – Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
- Symantec.com: Dragonfly: Western energy sector targeted by sophisticated attack group
- Solution Overview: Nozomi Networks
- Data Sheet: Guardian
ICS Security Specialist, Nozomi Networks
Heather MacKenzie has worked in the field of industrial cyber security since 2008, authoring over 150 articles and multiple white papers on the subject. She is passionate about helping IT/OT teams responsible for ICS networks understand their cyber risks, and how to use operational visibility and cyber security tools to build resiliency. As ICS Security Specialist at Nozomi Networks, Heather is actively working to protect the world’s critical infrastructure and manufacturing from cyber threats.