Connect with us

Hi, what are you looking for?



DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure

The Department of Homeland Security and Federal Bureau of Investigation have issued a joint technical alert warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors are subject to an ongoing attack campaign from an advanced actor, most probably Dragonfly (aka Crouching Yeti and Energetic Bear).

The Department of Homeland Security and Federal Bureau of Investigation have issued a joint technical alert warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors are subject to an ongoing attack campaign from an advanced actor, most probably Dragonfly (aka Crouching Yeti and Energetic Bear).

The alert was first distributed by email and is now published by US-CERT. It warns, “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.” The attack is considered to be ongoing.

The alert does not itself attribute the attack to any specific attacker, but it does comment, “The report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.” Dragonfly’s activities against western critical infrastructure — and especially the energy sector — have been known for many years. There have been many suggestions that the group operates out of Russia and may be connected to the Russian government.

This new alert from DHS/FBI would therefore suggest either an increase in tempo or growing success in Dragonfly’s activities. It describes the attacks in relation to the seven-stage kill chain; but noticeably stops short of the final stage, ‘actions on objective’. The implication is that the attacker is seeking a position for possible action against the critical infrastructure in the future.

The threat actors have chosen their targets rather than attacking targets of opportunity. Typically, this is followed by a spear-phishing campaign using email attachments to leverage Microsoft Office functions to retrieve a document using the Server Message Block (SMB) protocol. This sends the user’s credential hash to the remote server, where “The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.”

Watering holes are also used to gather credentials. “The threat actors compromise the infrastructure of trusted organizations to reach intended targets,” notes the alert, adding, “Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.”

When credentials have been gained, the attackers use these to access victims’ networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server. In one example, the attacker downloaded multiple files, including INST.txt. This was renamed to INST.exe, run, and immediately deleted. “The execution of INST.exe,” says the alert, “triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running process list of a compromised system of an intended target.” In its earlier report, Symantec associated the MD5 hash of INST.exe to Backdoor.Goodor.

There is no direct indication in this report that critical infrastructure operation technology (OT) networks have been compromised — but it does state clearly that the IT networks have been breached. “This APT actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”

Advertisement. Scroll to continue reading.

The primary activity on the compromised networks seems to be reconnaissance, presumably to find OT weaknesses that could be exploited on demand. “Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. Specifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network. The threat actors viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.”

The report adds, “In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. In this same incident, the threat actors created a malicious scheduled task that invoked ‘scr.exe’ with the arguments ‘scr.jpg’. The MD5 hash of scr.exe matched the MD5 of ScreenUtil, a tool used by the threat actor, as reported in the Symantec Dragonfly 2.0 report.”

“The latest U.S. power company attacks,” warns David Zahn, GM at PAS, “are an escalation that should be a wakeup call for all critical infrastructure companies that we need to do more. Even basics like knowing what cyber assets are in a power plant or industrial facility are missing today. If you cannot see it, you cannot secure it. If you cannot secure it, then understand that it may get worse before it gets better. Additional attention and investment are needed if we are to get ahead of these threats.”

The US-CERT alert comes with a long list of network signatures and host-based rules that can be used to detect malicious activity associated with the threat actors’ TTPs. Both the DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided, and add the IPs to their watch list to determine whether malicious activity is occurring within their organization.

Related: Energy Regulator Acts to Improve Power Grid Security 

Related: The Increasing Effect of Geopolitics on Cybersecurity 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.