Catch ICS Attackers by Shifting to Kill Chain

Tracking the activity of threat groups gives defenders a deeper level of understanding that is useful not only for recognizing different types of threats but also for building defenses that can withstand a cyber-attack.

Today, Dragos released its updated profile on CHRYSENE, one of the seven ICS-focused activity groups it tracks, which emerged from long-running cyber-espionage activity. Sergio Caltagirone, director of threat intelligence at Dragos, wrote in his blog post, “The current industrial threat landscape is very concerning. All of our intelligence suggests industrial security entering a massive growth of threat activity which will likely last at least the next decade. Nobody is facing a 'cyber pearl harbor' as some pundits suggest. But, it is not a quiet and calm environment either."

All seven groups are ICS-focused, and it is believed that they are investing time and money in attacking industrial systems. CHRYSENE has been known since it came onto the scene in 2012 with the Shamoon attack, which targeted Saudi Aramco and disabled tens of thousands of workstations.

After a lull in activity in late 2017, CHRYSENE has begun to establish new infrastructure to create a larger footprint for operations. According to Dragos, CHRYSENE has moved beyond email spear phishing and is now using strategic web compromise – watering holes – to gain access to victims.

Subsequent analysis revealed that the group appeared to have some degree of involvement in the 2016 Shamoon 2 attack, and it remains active in targeting the Arabian Gulf region and the Middle East.

Currently, the group’s primary mode of operation is to compromise IT networks and conduct reconnaissance against industrial organizations. Dragos has not seen evidence that the group has any ICS-specific capabilities that could damage critical infrastructure, but it does target oil, gas and manufacturing companies, mostly in Europe and North America, and focuses on network penetration.

“The group specializes in initial penetration – CHRYSENE compromises a target machine and passes the victim to another group for further exploitation. The group operates in Iraq, Pakistan, Israel, and the UK, and is an evolution of previous campaigns focusing exclusively on the Arabian Gulf region,” wrote Caltagirone.

Defenders might find success by shifting their focus to the earlier stages of the kill chain, said Caltagirone: "The initial access, lateral movement, and intelligence gathering process which takes months or years before any disruption. Organizations and defenders have a higher chance of discovering and remediating ICS threats earlier in this process before any disruption."
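To make the kill-chain point concrete, the following is an added example (not code from the article or from Dragos) of the kind of early-stage detection logic a defender can run over network flow records: it flags lateral movement (one source reaching administrative ports on many hosts) and ICS reconnaissance (a host outside the engineering subnet probing ICS protocol ports on several devices), both of which occur long before any disruptive capability would be used. The flow records, the 10.2.0.0/24 engineering subnet, the thresholds and the function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Well-known default TCP ports of common ICS protocols.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
# Remote-administration ports that lateral movement inside IT networks commonly rides on.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}

# Assumption: hosts in this subnet are engineering systems that are expected to
# speak ICS protocols, so their Modbus/S7 traffic is not reconnaissance.
ICS_SUBNET = ipaddress.ip_network("10.2.0.0/24")

# Constructed flow records for illustration only: (timestamp, src, dst, dport).
# 10.1.1.50 is an IT workstation that sweeps SMB across its own subnet and then
# probes Modbus/S7 ports on four PLCs; the other sources are benign noise.
SAMPLE_FLOWS = [
    ("2018-05-17T09:00:01", "10.1.1.50", "10.1.1.20", 445),
    ("2018-05-17T09:00:02", "10.1.1.50", "10.1.1.21", 445),
    ("2018-05-17T09:00:03", "10.1.1.50", "10.1.1.22", 445),
    ("2018-05-17T09:00:04", "10.1.1.50", "10.1.1.23", 445),
    ("2018-05-17T09:00:05", "10.1.1.50", "10.1.1.24", 3389),
    ("2018-05-17T09:00:06", "10.1.1.50", "10.1.1.25", 445),
    ("2018-05-17T09:00:07", "10.1.1.50", "10.1.1.26", 5985),
    ("2018-05-17T09:05:10", "10.1.1.50", "10.2.0.10", 502),
    ("2018-05-17T09:05:11", "10.1.1.50", "10.2.0.11", 502),
    ("2018-05-17T09:05:12", "10.1.1.50", "10.2.0.12", 502),
    ("2018-05-17T09:05:13", "10.1.1.50", "10.2.0.13", 102),
    ("2018-05-17T09:05:14", "10.1.1.50", "10.2.0.10", 102),
    ("2018-05-17T09:10:00", "10.1.1.80", "10.1.1.100", 445),   # one file-share access
    ("2018-05-17T09:11:00", "10.2.0.5", "10.2.0.10", 502),     # engineering host polling a PLC
    ("2018-05-17T09:11:01", "10.2.0.5", "10.2.0.11", 502),
    ("2018-05-17T09:11:02", "10.2.0.5", "10.2.0.12", 502),
]


def _fan_out(flows, ports, exclude_subnet=None):
    """Group distinct destinations per source for flows on the given ports."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport not in ports:
            continue
        if exclude_subnet is not None and ipaddress.ip_address(src) in exclude_subnet:
            continue
        targets[src].add(dst)
    return targets


def lateral_movement(flows, min_targets=5):
    """Sources that reach admin ports on at least min_targets distinct hosts.

    Returns {src: sorted list of destination hosts}.
    """
    fan = _fan_out(flows, ADMIN_PORTS)
    return {src: sorted(dsts) for src, dsts in fan.items() if len(dsts) >= min_targets}


def ics_recon(flows, min_targets=3):
    """Non-engineering sources that touch ICS ports on at least min_targets devices.

    Hosts inside ICS_SUBNET are excluded because their ICS traffic is expected.
    Returns {src: sorted list of probed devices}.
    """
    fan = _fan_out(flows, ICS_PORTS, exclude_subnet=ICS_SUBNET)
    return {src: sorted(dsts) for src, dsts in fan.items() if len(dsts) >= min_targets}


def kill_chain_report(flows):
    """Map the findings onto the early kill-chain stages, in the order they occur."""
    return {
        "lateral_movement": lateral_movement(flows),
        "ics_reconnaissance": ics_recon(flows),
    }


if __name__ == "__main__":
    for stage, findings in kill_chain_report(SAMPLE_FLOWS).items():
        for src, dsts in findings.items():
            print(f"[{stage}] {src} -> {len(dsts)} hosts: {', '.join(dsts)}")
```

The thresholds are deliberately simple; in practice they would be tuned per subnet, and the engineering-subnet allowlist should come from an asset inventory rather than a hard-coded constant. The point of the structure is that both detections fire on a single noisy IT workstation before it has done anything to a controller, which is the window Caltagirone describes.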
