On March 15, 2018, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a joint Technical Alert (TA), TA18-074A, providing information on Russian government actions targeting U.S. critical infrastructure organizations, including the energy, nuclear, water, aviation and critical manufacturing sectors. The TA includes Indicators of Compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.
According to the TA, the threat actors targeted small commercial facilities' networks to stage malware and used a variety of TTPs, including spear phishing, watering-hole domains, open-source and network reconnaissance, host-based exploitation and credential gathering, to collect information pertaining to Industrial Control Systems (ICS).
The entry points were in the IT networks or in trusted third parties with less secure networks. Through pivoting and lateral movement, the threat actors were able to reach the ultimate objective, the ICS/SCADA network.
This is a complex attack by a sophisticated set of threat actors with very clear objectives. Thwarting this type of persistent attacker requires the Enterprise/IT Security Operations Center and the Operational Technology/ICS asset and network owners to collaborate and share what is being observed in both IT and OT networks.
On the IT side, continuing to educate all employees about phishing emails, and following up with regular drills that remind employees to stay vigilant, are security best practices.
In this attack, we see the use of staging targets as watering holes. The staging targets were not the ultimate objective, but rather trusted organizations with weak security infrastructure that could be compromised. Once compromised, the staging targets were used for credential harvesting, just as the phishing emails were. According to the TA, legitimate websites hosting ICS content were altered to contain and reference malicious content.
The threat actors leveraged compromised credentials to gain access into intended target networks which were not protected by multi-factor authentication.
Protecting VPN servers and other internet-accessible entry points with multi-factor authentication is a fundamental practice for preventing attackers from gaining entry into corporate networks.
Once inside the staging networks, the threat actors created local accounts to maintain a persistent presence, and used VPN access from the staging servers to reach the intended target servers. Registry modification, password-cracking tools and internal reconnaissance to locate domain controllers helped the attackers get from the point of entry to the ICS systems on the intended victim's network.
A sophisticated, multi-pronged, long-term attack such as this requires constant and continuous vigilance in both IT and OT networks. Automatically monitoring your environment for configuration changes and network changes is one way to observe changes quickly and respond as required.
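As an added illustration of the change monitoring described above (example code written for this post, not Industrial Defender ASM code or any product's format), the script below compares a baseline snapshot of a host with a later snapshot and reports exactly the kinds of changes the TA attributes to the attackers: new local accounts, new listening ports, and new or altered autorun registry values. The snapshot layout, the host name "hmi-01", and the account, port and registry values are all constructed for the example.

```python
"""Detect configuration drift between two host snapshots.

Hypothetical example (not Industrial Defender ASM code): a baseline
snapshot of a host is compared with a later snapshot, and every new
local account, new listening port, and changed autorun registry value
is reported as a finding. The snapshot layout below is an assumption
made for this example, not a format any product emits.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class HostSnapshot:
    hostname: str
    local_accounts: Set[str]
    listening_ports: Set[Tuple[str, int]]   # (protocol, port)
    run_keys: Dict[str, str]                 # HKLM\...\Run value name -> command


@dataclass
class Finding:
    host: str
    category: str   # "account", "port", or "registry"
    detail: str


def diff_snapshots(baseline: HostSnapshot, current: HostSnapshot) -> List[Finding]:
    """Return one finding per addition, removal or change relative to the baseline.

    Removals are reported too: a service that stops listening or an account
    that disappears is also a change an operator should confirm.
    """
    findings: List[Finding] = []
    host = current.hostname

    for acct in sorted(current.local_accounts - baseline.local_accounts):
        findings.append(Finding(host, "account", f"new local account '{acct}'"))
    for acct in sorted(baseline.local_accounts - current.local_accounts):
        findings.append(Finding(host, "account", f"local account '{acct}' removed"))

    for proto, port in sorted(current.listening_ports - baseline.listening_ports):
        findings.append(Finding(host, "port", f"new listener {proto}/{port}"))
    for proto, port in sorted(baseline.listening_ports - current.listening_ports):
        findings.append(Finding(host, "port", f"listener {proto}/{port} gone"))

    for name, cmd in sorted(current.run_keys.items()):
        old = baseline.run_keys.get(name)
        if old is None:
            findings.append(Finding(host, "registry", f"new Run value '{name}' -> {cmd}"))
        elif old != cmd:
            findings.append(Finding(host, "registry", f"Run value '{name}' changed: {old} -> {cmd}"))
    for name in sorted(set(baseline.run_keys) - set(current.run_keys)):
        findings.append(Finding(host, "registry", f"Run value '{name}' removed"))

    return findings


# Constructed sample snapshots (not real hosts or real observations).
BASELINE = HostSnapshot(
    hostname="hmi-01",
    local_accounts={"Administrator", "opsuser"},
    listening_ports={("tcp", 445), ("tcp", 502)},
    run_keys={"VendorAgent": r"C:\Vendor\agent.exe"},
)

CURRENT = HostSnapshot(
    hostname="hmi-01",
    local_accounts={"Administrator", "opsuser", "svc_backup"},
    listening_ports={("tcp", 445), ("tcp", 502), ("tcp", 3389)},
    run_keys={"VendorAgent": r"C:\Vendor\agent.exe", "Updater": r"C:\Users\Public\upd.exe"},
)


def sample_findings() -> List[Finding]:
    """Run the diff on the constructed snapshots above."""
    return diff_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.category}] {f.host}: {f.detail}")
```

On the constructed data this reports three findings (a new local account, a new RDP-style listener on tcp/3389, and a new Run value pointing into a world-writable directory), which is the sort of output that should be routed to both the IT SOC and the OT asset owner for confirmation rather than silently logged.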
Industrial Defender ASM is a configuration and event monitoring solution for ICS environments. Customers using the ASM solution in their ICS environments can use its capabilities to look for TTPs known to be used by this and other threat actors.
Following are some steps that users can take to stay vigilant:
The ASM solution comes with several sets of security policies that can be used to maintain regular security hygiene. From the ASM Policy Management application you can run password policy checks, insecure ports and services checks, anti-virus signature version checks, and many other security best-practice policy checks.
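To show what the policy checks listed above amount to in practice, here is an added example (written for this post; not ASM's Policy Management code and not its policy format) that evaluates a host record against three hygiene policies: password policy settings, insecure services found listening, and the age of the anti-virus signatures. The record layout, the thresholds (12-character minimum, 90-day maximum age, 7-day signature limit), the service list, and the hosts "eng-ws-07" and "hmi-02" are all assumptions constructed for the example.

```python
"""Evaluate a host's configuration against simple security-hygiene policies.

Hypothetical example, not code from Industrial Defender ASM: each policy
is a function that inspects a host record and returns a violation
message or None. The record layout and thresholds are assumptions
made for this example.
"""
from datetime import date
from typing import Callable, Dict, List, Optional

# Services the example treats as insecure when found listening (assumed list).
INSECURE_SERVICES = {"telnet": 23, "ftp": 21, "rsh": 514}

Host = Dict                                   # plain dict describing one host
Policy = Callable[[Host, date], Optional[str]]


def password_policy(host: Host, _today: date) -> Optional[str]:
    """Flag weak length, missing/too-long expiry, or disabled lockout."""
    pw = host["password_policy"]
    problems = []
    if pw["min_length"] < 12:
        problems.append(f"min_length {pw['min_length']} < 12")
    if pw["max_age_days"] == 0 or pw["max_age_days"] > 90:
        problems.append(f"max_age_days {pw['max_age_days']} (expected 1..90)")
    if not pw["lockout_enabled"]:
        problems.append("account lockout disabled")
    return "; ".join(problems) or None


def insecure_services_policy(host: Host, _today: date) -> Optional[str]:
    """Flag any listening port that belongs to a known-insecure service."""
    open_ports = {port for _proto, port in host["listening_ports"]}
    found = sorted(name for name, port in INSECURE_SERVICES.items() if port in open_ports)
    return f"insecure services listening: {', '.join(found)}" if found else None


def av_signature_policy(host: Host, today: date) -> Optional[str]:
    """Flag anti-virus signatures older than 7 days."""
    age = (today - host["av_signature_date"]).days
    return f"AV signatures {age} days old (limit 7)" if age > 7 else None


POLICIES: Dict[str, Policy] = {
    "password-policy": password_policy,
    "insecure-services": insecure_services_policy,
    "av-signature-age": av_signature_policy,
}


def evaluate(host: Host, today: date) -> List[str]:
    """Return 'policy-name: detail' for every policy the host fails."""
    results = []
    for name, check in POLICIES.items():
        detail = check(host, today)
        if detail:
            results.append(f"{name}: {detail}")
    return results


# Constructed sample hosts (not real systems). The first fails every policy,
# the second is compliant.
SAMPLE_HOST = {
    "hostname": "eng-ws-07",
    "password_policy": {"min_length": 8, "max_age_days": 0, "lockout_enabled": True},
    "listening_ports": [("tcp", 21), ("tcp", 445), ("tcp", 3389)],
    "av_signature_date": date(2018, 3, 1),
}
COMPLIANT_HOST = {
    "hostname": "hmi-02",
    "password_policy": {"min_length": 14, "max_age_days": 60, "lockout_enabled": True},
    "listening_ports": [("tcp", 445), ("tcp", 502)],
    "av_signature_date": date(2018, 3, 18),
}
SAMPLE_DATE = date(2018, 3, 20)   # the date the evaluation is assumed to run


def sample_results() -> List[str]:
    """Evaluate the non-compliant sample host as of SAMPLE_DATE."""
    return evaluate(SAMPLE_HOST, SAMPLE_DATE)


if __name__ == "__main__":
    for host in (SAMPLE_HOST, COMPLIANT_HOST):
        print(host["hostname"], evaluate(host, SAMPLE_DATE) or ["compliant"])
```

Each policy is a small, independent function, so adding a check (for example, an unexpected listening service on an ICS host) means adding one entry to `POLICIES` rather than changing the evaluator; running the same evaluation on a schedule and alerting on any new violation is what turns a one-off audit into the continuous vigilance the post calls for.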