Critical industries including energy, nuclear and manufacturing have been targeted for cyber-espionage since earlier this year
US authorities have warned of ongoing online attacks on critical sectors such as government, energy and manufacturing that “in some cases” have successfully compromised targets’ networks.
The attacks are carried out by a group known as “Dragonfly” or “Energetic Bear” that has been in operation since at least 2011, and whose network penetration activities have recently become more aggressive, security firm Symantec said last month.
In an advisory issued late on Friday, the US Department of Homeland Security (DHS) and the FBI gave more technical details on the attackers’ methods than has previously been made public. The advisory also describes signs that may indicate a network has been compromised.
The DHS said the attacks are part of a “long-term campaign”. Symantec said in its September report it believes the “Dragonfly” group is based in Russia.
In order to gain access to their ultimate targets, the hackers typically begin with less conspicuous third-party contractors that have a lower level of security, the DHS said.
The attacks have been ongoing since at least May of this year and use a variety of tactics, including targeted phishing emails that include attachments which appear legitimate.
The documents may appear to be CVs, policy documents, contract agreements or invitations.
In many cases the files include no malicious code within the document itself, but trick the user into clicking on a shortened link, which retrieves malware from the internet. The documents may also seek to download remote code using the Server Message Block (SMB) protocol.
Watering hole attacks
Other phishing tactics involved the use of false login pages that harvested users’ credentials.
The group also uses “watering hole” attacks, which involve compromising legitimate websites frequently visited by the personnel being targeted. About half of the watering hole sites used were trade publications and informational sites related to process control, industrial control systems (ICS) or critical infrastructure industries, DHS said.
The targets include government departments as well as firms in the energy, nuclear, water, aviation and critical manufacturing sectors.
The intrusions appear aimed at giving the attackers knowledge of how the targeted firms’ IT systems and organisational processes are set up, DHS said.
The hackers “are seeking to identify information pertaining to network and organisational design, as well as control system capabilities, within organisations,” DHS said in the alert.
In some cases data was harvested by creating new users within the domains of the targeted systems.
As a result, DHS said the unexpected creation of new users on the network could be a sign of compromise. Other signs mentioned in the alert include frequent deletion of log files.
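As an added illustration of the two indicators DHS lists, and not code from the advisory or the report, the detection logic below runs over constructed sample Windows Security log lines. It assumes a simplified key=value export in which event 4720 records an account creation and event 1102 records the audit log being cleared; the host and user names are made up.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the advisory), in a
# simplified "timestamp host key=value ..." export format.
SAMPLE_LOG = """\
2017-10-20T02:14:07 HMI-WS01 EventID=4720 SubjectUser=svc_backup TargetUser=support2
2017-10-20T02:14:30 HMI-WS01 EventID=4728 SubjectUser=svc_backup TargetUser=support2
2017-10-20T02:20:11 HMI-WS01 EventID=1102 SubjectUser=support2
2017-10-21T02:19:45 HMI-WS01 EventID=1102 SubjectUser=support2
2017-10-22T02:21:03 HMI-WS01 EventID=1102 SubjectUser=support2
2017-10-22T09:00:12 DC01 EventID=4624 SubjectUser=jsmith LogonType=2
2017-10-23T02:18:59 HMI-WS01 EventID=1102 SubjectUser=support2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one export line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for item in m.group("kv").split():
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def detect(log_text, clear_threshold=3):
    """Return alerts for the two indicators named in the alert:
    new user accounts (4720) and repeated audit-log clearing (1102)."""
    alerts, clears = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "EventID" not in rec:
            continue  # skip blank or malformed lines rather than crash
        if rec["EventID"] == "4720":
            alerts.append(("new-user", rec["host"], rec.get("TargetUser"), rec["ts"]))
        elif rec["EventID"] == "1102":
            clears[rec["host"]] += 1
    # One clear may be routine maintenance; several on one host is "frequent".
    for host, n in clears.items():
        if n >= clear_threshold:
            alerts.append(("log-clearing", host, f"{n} audit log clears", None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```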
DHS said the attacks were effective on virtual desktops as well as standard machines. Large organisations often use virtual desktops as a security measure.
In last month’s study Symantec said the group in question was “highly sophisticated” and had in some cases compromised the industrial control systems used to operate sections of power plants.
Businesses were targeted in the UK, the US, Spain, France, Italy, Germany, Turkey and Poland, Symantec said.
The group initially targeted aerospace and military companies before shifting its focus to the energy sector.
A new wave of intrusions this year “could provide attackers with the means to severely disrupt affected operations”, Symantec said.
Dragonfly initially carried out “exploratory” operations between 2011 and 2014, before beginning a new phase this year, Symantec said.
Like DHS, Symantec said the group’s latest actions could provide them with “access to operational systems, access that could be used for more disruptive purposes in future”.
In July the National Cyber Security Centre (NCSC) acknowledged it was investigating a broad wave of attacks on companies in the British energy and manufacturing sectors which were “likely” to have compromised some industrial control systems.