The Department of Homeland Security (DHS) has issued a new alert warning businesses that the notorious Dragonfly APT group has been targeting CNI firms, including nuclear power providers, since at least May 2017.
The ongoing and potentially long-term campaign takes aim at firms in the energy, nuclear, water, aviation, and critical manufacturing sectors.
Attacks typically first attempt to compromise “staging targets”: trusted third-party suppliers with less secure networks, said the DHS.
The threat actors begin by collecting publicly available information on these targets, specifically relating to “network and organizational design” and “control system capabilities”.
This kind of open source reconnaissance helps with spearphishing and can even provide useful info on equipment models and the like, the alert noted.
The next stage of the attacks is to target certain users with spearphishing emails containing malicious links:
“Email messages include references to common industrial control equipment and protocols. The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment.”
Once login credentials have been harvested, the attackers seek to compromise the infrastructure of the “staging targets” so that it can be used to mount watering hole attacks on the real intended targets.
Typical sites manipulated to host malicious content include trade publications and informational websites related to process control, ICS, or critical infrastructure, DHS said.
Once they’ve gained access to an intended target – usually via compromised credentials – the attackers download additional tools from a remote server and begin exfiltrating data, with ICS- and SCADA-related information the main focus.
The alert concluded with the following advice for CNI firms:
“DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.”
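The first part of that advice, cross-checking perimeter flow and DNS records against the alert's indicator list, is easy to automate. The script below is an added example and is not code from the DHS/FBI alert, Symantec or the article; every indicator in it (TEST-NET addresses, `.invalid` domains) and every log line is a constructed placeholder, so a defender would replace the two watch lists with the IPs and domains from the alert's own indicator files and point the loaders at a real flow export and DNS log.

```python
"""Cross-check NetFlow-style and DNS records against an IoC watch list.

Added example; the indicators and log records are CONSTRUCTED placeholders,
not the indicators published in the DHS/FBI alert.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed watch list standing in for the alert's IP and domain indicators.
WATCH_IPS = {"203.0.113.10", "198.51.100.77"}
WATCH_DOMAINS = {"placeholder-c2.invalid", "placeholder-watering-hole.invalid"}

# Constructed perimeter flow export (one record per flow, CSV columns).
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto,bytes
2017-10-20T09:01:02Z,10.0.5.21,203.0.113.10,443,tcp,1840
2017-10-20T09:01:07Z,10.0.5.21,93.184.216.34,443,tcp,52000
2017-10-20T09:03:11Z,10.0.7.4,198.51.100.77,80,tcp,912
2017-10-20T09:03:12Z,10.0.7.4,10.0.7.5,22,tcp,3000
"""

# Constructed resolver log (which internal client asked for which name).
SAMPLE_DNS = """\
ts,client_ip,qname
2017-10-20T08:59:50Z,10.0.5.21,placeholder-c2.invalid
2017-10-20T09:00:01Z,10.0.7.4,intranet.example.internal
"""


def flows_hitting_watch_list(flow_csv, watch_ips):
    """Return flow records whose source or destination IP is on the watch list."""
    watched = {ipaddress.ip_address(ip) for ip in watch_ips}
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if src in watched or dst in watched:
            # Record which side matched so triage can group by the internal host.
            row["indicator"] = str(dst if dst in watched else src)
            hits.append(row)
    return hits


def domain_matches(qname, watch_domains):
    """Exact or subdomain match: 'www.x.invalid' matches a watch entry 'x.invalid'."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in watch_domains)


def dns_hitting_watch_list(dns_csv, watch_domains):
    """Return DNS log records whose queried name is on (or under) a watched domain."""
    return [row for row in csv.DictReader(io.StringIO(dns_csv))
            if domain_matches(row["qname"], watch_domains)]


def hosts_to_investigate(flow_hits, dns_hits):
    """Group every indicator hit by internal host, so each host gets one triage entry."""
    by_host = defaultdict(set)
    for h in flow_hits:
        internal = h["src_ip"] if h["indicator"] != h["src_ip"] else h["dst_ip"]
        by_host[internal].add(h["indicator"])
    for h in dns_hits:
        by_host[h["client_ip"]].add(h["qname"].rstrip(".").lower())
    return {host: sorted(inds) for host, inds in sorted(by_host.items())}


if __name__ == "__main__":
    flow_hits = flows_hitting_watch_list(SAMPLE_FLOWS, WATCH_IPS)
    dns_hits = dns_hitting_watch_list(SAMPLE_DNS, WATCH_DOMAINS)
    for host, indicators in hosts_to_investigate(flow_hits, dns_hits).items():
        print(f"{host}: {', '.join(indicators)}")
```

The DNS check matches subdomains as well as exact names, because a watch list entry for a domain should also catch hosts underneath it; the grouping step turns a pile of per-record matches into one line per internal host, which is the unit an incident responder actually triages.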
Symantec revealed in September that the notorious Dragonfly APT group had begun a new “highly focused” campaign targeting US energy firms, which may already have given them operational access to systems.
Some of the code was written in Russian and French, although one of these could be a false flag, the vendor said.