Spear-phishing emails, watering-hole domains, and credential gathering are just some of the TTPs said to have been used during a long-running cyber campaign.
A report from the FBI and Department of Homeland Security has accused Russia of undertaking a critical infrastructure cyber attack.
Already under the spotlight due to connections with the poisoning of a former double agent and for interfering in the 2016 US presidential elections, Russia has now been accused of hacking into American energy infrastructure.
Beginning in March 2016, hackers working for the Russian government are said to have run a campaign that sought to infiltrate US energy, nuclear, water, aviation, critical manufacturing, and commercial facilities.
An alert from DHS and the FBI said: “Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
“Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.”
The tactics attributed to Russia are: spear-phishing emails, watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting of industrial control system infrastructure.
The alert said: “DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.
“After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems.”
The latest battlefield appears to be critical infrastructure, since there are few better ways to damage a country’s economy and core functions. Given that critical infrastructure is a likely target for focused aggression, more effort needs to go into safeguarding these assets, something that is not helped by a severe shortage of skills.
Peter Woollacott, CEO of Huntsman Security, said: “With the ISACA predicting a global shortage of two million cybersecurity jobs by 2019, caused by a shortage of cybersecurity analysts, there simply aren’t enough professionals to cope with the growing threat that critical infrastructure faces. Even before this announcement from the FBI and DHS, national agencies were already reporting a significant increase in reported attacks, let alone those that pass undetected. As more elements of services move online, so there are many more opportunities for attackers of any size or capability to try their luck.
“Critical infrastructure faces a blizzard of attacks of varying sophistication – any one of which could be as damaging as WannaCry or Stuxnet. Even a simple DDoS attack has brought services such as Sweden’s trains to their knees recently. There’s no way to block all of these potential attacks at the walls of an organisation. Governments and businesses need to think very carefully about how we secure our infrastructure or else security analysts will soon be overwhelmed by the sheer volume they face.”
Of course, this isn’t the first cyber attack that Russia has been linked to, NotPetya being the latest example. Sanctions are being put in place, with more likely to be on their way, although they seem unlikely to have any real impact.