The US Department of Homeland Security and the Federal Bureau of Investigation on Thursday issued an alert warning of ongoing cyber-attacks against the West’s energy utilities and other critical infrastructure by individuals acting on behalf of the Russian government.
The security warning coincides with the US Treasury Department’s announcement of sanctions against “Russian cyber actors” for interfering with the 2016 US election, a conclusion reached by the US Director of National Intelligence early last year.
Released through DHS’ US-CERT, the alert describes “a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”
The attack against European and North American targets has been underway since at least March 2016, and was identified by Symantec in September last year. The cybersecurity biz refers to the hacking group responsible as Dragonfly.
At the time, Symantec noted that some of the text in the malware code was in Russian, but it did not blame individuals in Russia or the nation’s President Putin-led government for involvement in Dragonfly.
Instead, the security firm noted that some text was in French and raised the possibility that one of the languages might serve as a false flag, by which a nation-state could be falsely implicated.
This time the DHS and the FBI didn’t hedge their bets on attack attribution. As they did in a report issued in late 2016, they describe “Russian government actions targeting US Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
That 2016 report on GRIZZLY STEPPE, the name for an attack on US government infrastructure, cites the involvement of two specific groups: APT28 or Fancy Bear, associated with the GRU, Russia’s military intelligence service, and APT29 or Cozy Bear, associated with the FSB, Russia’s internal security service.
It also lists Dragonfly as one of several dozen alternate names for Russian military and civilian intelligence services. It’s not clear how much overlap there is among these groups.
Dragonfly, the DHS and FBI explain in their technical alert, began with reconnaissance, seeking information through targeted spear phishing attacks.
The attackers would sometimes download photos from human resources pages in order to see equipment models and status information in the image background, the alert explains. They tried to penetrate organizations’ web-based email and virtual private network (VPN) connections. And they also relied on common industry documents, such as contracts, resumes, invitations and policy documents to encourage phishing campaign recipients to open attachments.
The attackers used, among other tactics, a 2015 vulnerability in Microsoft Office’s behavior for fetching a document from a remote server via Server Message Block (SMB) protocol. The flaw allowed the attackers to obtain a hash of the credentials of an individual clicking on a phishing link, from which they were able to derive the plaintext password and to access victims’ accounts.
Surprise: Norks not actually behind Olympic Destroyer malware outbreak – Kaspersky
In one instance, the attackers modified a legitimate PHP file,
modernizr.js to load the invisible image.
The attackers use malicious
.docx files to capture user credentials and then installed various tools to conceal their activities, including VPN tools and password cracking tools. They also relied on Windows shortcut files, or LNK files, to store the user credentials they were able to collect.
Once they obtained access, the attackers conducted network reconnaissance to compromise connected systems. For example, they used Windows’ scheduled task and batch scripts to run
scr.exe, a screenshot utility, to conduct screen captures of various connected systems.
And once they had the information they were after, the attackers attempted to clean up by removing malicious files, log files and other evidence of the intrusion.
The DHS/FBI alert contains various signatures that can be used with the YARA pattern matching tool to identify malware associated with the Dragonfly campaign.
It concludes with a litany of security advice about the sorts of countermeasures that should be considered and best practices that should be employed, starting with blocking SMB and related protocols by disabling TCP ports 139 and 445 and UDP port 137.
The Register asked DHS if it could provide any further details about whether any damage had been done by these attacks and whether any response has been considered or enacted. We haven’t heard back. ®