US authorities have warned of ongoing online attacks on critical sectors such as government, energy and manufacturing that “in some cases” have successfully compromised targets’ networks.
In an advisory issued late on Friday, the US Department of Homeland Security (DHS) and the FBI gave more technical details on the attackers’ methods than has previously been made public. The advisory also describes signs that may indicate a network has been compromised.
The DHS said the attacks are part of a “long-term campaign”. Symantec said in its September report it believes the “Dragonfly” group is based in Russia.
In order to gain access to their ultimate targets the hackers typically begin with less conspicuous third-party contractors that have a lower level of security, the DHS said.
The attacks have been ongoing since at least May of this year and use a variety of tactics, including targeted phishing emails that include attachments which appear legitimate.
The documents may appear to be CVs, policy documents, contract agreements or invitations.
In many cases the files include no malicious code within the document itself, but trick the user into clicking on a shortened link, which retrieves malware from the internet. The documents may also seek to download remote code using the Server Message Block (SMB) protocol.
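A document that carries no malicious code but still reaches out over SMB typically does so through an external relationship in its Office Open XML package (for example a template attached from a UNC path), so a defender can flag such files before they are opened. The scanner below is an added example, not code from the advisory or from the reporting above; it walks every `.rels` part in a `.docx` archive and reports relationships whose target is external (a UNC path, a `file:` URL or an `http(s)` URL). The helper `build_sample_docx`, the IP address and the file names are constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple
from xml.etree import ElementTree as ET

# Namespace used by Office Open XML relationship parts (word/_rels/*.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# Targets that make Office fetch content from another host: UNC paths
# (\\server\share, which is served over SMB), file: URLs and http(s) URLs.
REMOTE_TARGET = re.compile(r"^(\\\\|file:|https?://)", re.IGNORECASE)


def find_remote_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_kind, target) for every external target.

    Both the explicit TargetMode="External" flag and the shape of the target
    string are checked, so a remote path without the flag is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE_TARGET.match(target):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, kind, target))
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed sample: a minimal .docx-like archive for testing the scanner.

    Always contains one ordinary internal relationship; when template_target is
    given, an attachedTemplate relationship pointing at that remote location is
    added as well, which is the structure a template-injection lure would have.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = f'<Relationships xmlns="{REL_NS}">'
        rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                 'officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/>')
        if template_target is not None:
            rels += (f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_target}" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed UNC path on a TEST-NET address; any hit here means the document
    # would try to contact another host (over SMB for a UNC path) when opened.
    lure = build_sample_docx(r"\\203.0.113.10\share\template.dotx")
    for part, kind, target in find_remote_relationships(lure):
        print(f"{part}: {kind} -> {target}")
```

Run against a mail-gateway quarantine or a file share, the scanner gives an analyst a cheap first pass: a document whose only suspicious content is an external template relationship fits the pattern described in the advisory, and blocking outbound SMB at the perimeter removes the retrieval channel regardless of whether the file is caught.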
Other phishing tactics involved the use of false login pages that harvested users’ credentials.
The group also uses “watering hole” attacks, which involve compromising legitimate websites frequently visited by the personnel being targeted. About half of the watering hole sites used were trade publications and informational sites related to process control, industrial control systems (ICS) or critical infrastructure industries, DHS said.
The targets include government departments as well as firms in the energy, nuclear, water, aviation and critical manufacturing sectors.
The intrusions appear aimed at giving the attackers knowledge of how the targeted firms’ IT systems and organisational processes are set up, DHS said.
The hackers “are seeking to identify information pertaining to network and organisational design, as well as control system capabilities, within organisations,” DHS said in the alert.
In some cases data was harvested by creating new users within the domains of the targeted systems.
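Newly created domain accounts are among the more visible traces an intruder leaves, and the Windows Security log records them as event 4720 (user account created) and 4728 (member added to a security-enabled global group). The detection below is an added example, not code from the advisory or the reporting above; it runs over a few constructed log lines in an assumed comma-separated export format (timestamp, event ID, host, acting account, target account, optional group) and raises an alert whenever a watched event is performed by an account that is not an approved provisioning account or falls outside an assumed change window. The account names, hosts and the provisioning allow-list are constructed for the demonstration.

```python
from datetime import datetime
from typing import Dict, List

# Windows Security event IDs that record account-creation activity.
WATCHED_EVENTS = {
    "4720": "user account created",
    "4728": "member added to security-enabled global group",
}

# Assumed site policy: only this account is expected to provision users,
# and provisioning is expected between 07:00 and 18:59 UTC.
APPROVED_PROVISIONERS = {"svc_iam"}
CHANGE_WINDOW_HOURS = range(7, 19)

# Constructed sample export: timestamp,event_id,host,actor,target[,group]
SAMPLE_LOG = """\
2017-10-20T09:15:02Z,4720,DC01,svc_iam,j.doe
2017-10-20T02:41:17Z,4720,DC01,admin_contractor,svc_backup2
2017-10-20T02:41:20Z,4728,DC01,admin_contractor,svc_backup2,Domain Admins
2017-10-20T14:03:55Z,4624,FS01,j.doe,-
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one export line into named fields (group is empty when absent)."""
    parts = line.strip().split(",")
    if len(parts) < 5:
        raise ValueError(f"malformed log line: {line!r}")
    return {
        "time": parts[0],
        "event": parts[1],
        "host": parts[2],
        "actor": parts[3],
        "target": parts[4],
        "group": parts[5] if len(parts) > 5 else "",
    }


def flag_suspicious_account_changes(lines: List[str]) -> List[Dict]:
    """Return an alert record for each watched event that breaks the policy."""
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] not in WATCHED_EVENTS:
            continue
        # Python versions before 3.11 do not accept a trailing 'Z' in fromisoformat.
        when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        reasons = []
        if rec["actor"] not in APPROVED_PROVISIONERS:
            reasons.append("actor not an approved provisioner")
        if when.hour not in CHANGE_WINDOW_HOURS:
            reasons.append("outside change window")
        if reasons:
            alerts.append({
                "time": rec["time"],
                "event": rec["event"],
                "description": WATCHED_EVENTS[rec["event"]],
                "host": rec["host"],
                "actor": rec["actor"],
                "target": rec["target"],
                "group": rec["group"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_account_changes(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['host']} {alert['description']}: "
              f"{alert['actor']} -> {alert['target']} {alert['group']} "
              f"({'; '.join(alert['reasons'])})")
```

The same two conditions, an unexpected actor and an unexpected time, are what an analyst would look for by hand; encoding them as a rule means every 4720 outside the provisioning process surfaces immediately rather than during a later review of the domain's user list.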
DHS said the attacks were effective on virtual desktops as well as standard machines. Large organisations often use virtual desktops as a security measure.
In last month’s study Symantec said the group in question was “highly sophisticated” and had in some cases compromised the industrial control systems used to operate sections of power plants.
Businesses were targeted in the UK, the US, Spain, France, Italy, Germany, Turkey and Poland, Symantec said.
The group initially targeted aerospace and military companies before shifting its focus to the energy sector.
A new wave of intrusions this year “could provide attackers with the means to severely disrupt affected operations”, Symantec said.
Dragonfly initially carried out “exploratory” operations between 2011 and 2014, before beginning a new phase this year, Symantec said.
Like DHS, Symantec said the group’s latest actions could provide them with “access to operational systems, access that could be used for more disruptive purposes in future”.
In July the National Cyber Security Centre (NCSC) acknowledged it was investigating a broad wave of attacks on companies in the British energy and manufacturing sectors which were “likely” to have compromised some industrial control systems.