The Department of Homeland Security (DHS) and the FBI warned earlier this month that the “Dragonfly” hackers linked to the Russian government are engaged in a “multi-stage intrusion campaign” targeting critical U.S. infrastructure, including the energy, nuclear, aviation and manufacturing sectors.
Firms in these industries were targeted through a range of techniques, including spear-phishing emails and watering-hole website attacks. These gave the hackers a foothold on devices from which they conducted reconnaissance of the victim's wider network and gathered information related to Industrial Control Systems (ICS). Initially, small commercial facilities were targeted, including third-party suppliers to the ultimate intended victims, allowing the hackers to gradually gain access to wider energy sector networks.
The two agencies issued a rare joint technical alert detailing the attacks, including indicators of compromise (IOCs) and technical details on the tactics, techniques and procedures (TTPs) deployed by Russian government cyber actors on target networks. DHS and the FBI stated that their goal in doing so was “to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity”.
TTPs deployed included spear-phishing emails posing as job applications from professionals with knowledge of industrial control system software made by trusted industry vendors such as Siemens and Rockwell. Attachments disguised as resumes then stole the target's credentials, giving the hackers access to the victim's wider network.
The smaller firms' websites were then used as watering holes to attract and then attack employees of the main targets, DHS said in the alert.
The ultimate goal of the Dragonfly attackers is to compromise the ICS and SCADA systems used to manage and operate critical infrastructure, including machinery. The threat actors also copied profile and configuration information for accessing ICS systems on the network.
DHS and FBI analysis hinted that the group was the same as the so-called “Dragonfly” hacking group that Symantec linked to attacks on Western energy firms in September and October 2017.
The firm Dragos Security has identified five groups targeting ICS systems, likely tied to the governments of Russia, Iran and China. “There’s no financial gain to be had from any of these items, so that weeds out cyber criminal groups right away,” said Joe Slowik, a Senior Threat Analyst at Dragos. Slowik said that regions of geopolitical tension, such as Ukraine and the Middle East, are often hot spots for critical infrastructure hacks. The firm testified before the Senate Committee on Energy and Natural Resources earlier this month.