On October 20th, 2017, US-CERT issued a technical alert (TA17-293A) on advanced persistent threat (APT) activity targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. The alert is the result of joint analytic efforts by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
This DHS-FBI alert is especially concerning because it draws attention to the fact that attacks on ICS are no longer isolated events.
This APT campaign is the first wide-reaching campaign that specifically targets industrial control systems (ICS), the systems responsible for managing and controlling physical processes in the nuclear, water, aviation, and critical manufacturing sectors.
In this campaign, adversaries are unmistakably focused on targeting ICS and operational technology personnel using:
- Watering hole attacks: adversaries used industry-specific, legitimate websites, such as trade publications and informational sites related to process control and ICS (used in the energy, nuclear, water, aviation, and critical manufacturing sectors), that had been altered to contain or reference malicious content.
- Phishing emails: DHS and the FBI identified references to ICS vendors, industrial control equipment, and protocols in spear-phishing emails. The emails were designed to be enticing to ICS personnel and contained malicious Microsoft Word attachments disguised as legitimate files of interest (résumés or curricula vitae (CVs) of ICS personnel, as well as invitations and policy documents).
- Post-compromise reconnaissance: upon infiltrating the targeted networks, attackers conducted reconnaissance scans specifically looking for ICS or SCADA (Supervisory Control and Data Acquisition) system files containing relevant vendor names, and for ICS reference documents such as wiring diagrams and technical information.
This illustrates that the attackers are intent on gathering very specific intelligence about operational networks and the technologies they use, in order to plan future attacks.
It is important to understand that ICS often lack security controls, so once an adversary gains access, there is no way to restrict their activities.
This is because most of these systems were designed and implemented decades ago, before cyber threats existed. As a result, they are very sensitive to such attacks and can be easily compromised once infiltrated.
Indicators of compromise (IOCs) related to this campaign are provided in the .csv and .stix files accompanying the alert. DHS and the FBI recommend that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlists to determine whether malicious activity has been observed within their organization.
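One way to act on that recommendation, as an added example that is not part of the alert or of this post: a Python script that loads an IOC list in the three indicator types the alert names (IPs, domains, file hashes) and matches it against proxy, DNS and endpoint log lines. The CSV column layout, the IOC values and the log lines are all constructed here (the real TA17-293A files have their own format), and subdomains of a listed domain are counted as matches.

```python
import csv
import io
import re

# Constructed IOC list in the indicator types the alert names (IPs, domains, file hashes).
# The real TA17-293A .csv has its own layout; this "type,value" shape is an assumption.
IOC_CSV = """type,value
ip,198.51.100.23
domain,ics-trade-news.example
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Constructed proxy, DNS and endpoint log lines; none of these values come from the alert.
LOG_LINES = [
    "2017-10-21T08:02:11Z proxy src=10.0.5.12 dst=198.51.100.23 host=cdn.ics-trade-news.example uri=/whitepaper.pdf",
    "2017-10-21T08:03:40Z dns client=10.0.5.12 query=portal.corp.example A 10.0.0.7",
    "2017-10-21T08:05:02Z edr host=eng-ws-04 file=Resume.docx sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)  # sha256 / sha1 / md5
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def load_iocs(csv_text):
    """Parse the IOC CSV into lower-cased sets keyed by indicator type (hash types are merged)."""
    iocs = {"ip": set(), "domain": set(), "hash": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip().lower().rstrip(".")
        kind = "hash" if kind in ("md5", "sha1", "sha256") else kind
        iocs.setdefault(kind, set()).add(value)
    return iocs

def domain_hit(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def scan_logs(lines, iocs):
    """Return (line_number, indicator_type, matched_ioc) for every IOC seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits += [(n, "ip", ip) for ip in IPV4_RE.findall(line) if ip in iocs["ip"]]
        hits += [(n, "hash", h.lower()) for h in HASH_RE.findall(line) if h.lower() in iocs["hash"]]
        for host in HOST_RE.findall(line):
            d = domain_hit(host, iocs["domain"])
            if d:
                hits.append((n, "domain", d))
    return hits
```

Each hit names the log line and the indicator it matched, which is the starting point for the triage the alert asks for; network signatures and YARA rules need their own tooling and are not covered here.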
Indegy advises targeted organizations to implement ICS monitoring solutions that can detect and alert on such infiltration and reconnaissance activity, and enable effective threat mitigation.