WASHINGTON, DC, March 16, 2018 (ENS) – Russian government hackers have been targeting U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors for the past two years, according to a joint Technical Alert issued by the Department of Homeland Security and the Federal Bureau of Investigation.
The alert contains indicators of compromise and technical details on the tactics, techniques, and procedures used by Russian government cyber actors on compromised victim networks.
Issued Thursday, the alert was the first official confirmation that Russian hackers can control facilities on which the majority of Americans rely for basic services. But it was not the first warning.
A report by the computer security company Symantec disclosed in October 2017 that, “The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations.”
“The group behind these attacks is known as Dragonfly. The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014. This ‘Dragonfly 2.0’ campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group,” Symantec wrote in its report.
Bloomberg News reported in July 2017 that Russian hackers had breached more than a dozen power plants in seven states, an aggressive campaign that has since expanded to dozens of states.
At-risk systems include domain controllers, file servers and email servers, the alert warns.
DHS and FBI produced the alert Thursday and updated it today “to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.”
DHS and FBI characterize this activity as “a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”
After obtaining access, the Russian government cyber actors conducted network reconnaissance and collected information relevant to industrial control systems.
Since at least March 2016, Russian government cyber actors, called “threat actors,” have targeted government entities and multiple U.S. critical infrastructure sectors, including nuclear power plants. There are 61 commercially operating nuclear power plants with 99 nuclear reactors in 30 U.S. states.
DHS used the Lockheed Martin Cyber Kill Chain model to analyze, discuss, and dissect the malicious cyber activity. The phases of the model are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective.
The alert identifies two distinct categories of victims in this campaign: staging targets and intended targets. The initial victims, referred to as staging targets, are peripheral organizations such as trusted third-party suppliers with less secure networks.
The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.
The FBI and the National Cybersecurity and Communications Integration Center conclude that the ultimate objective of the hackers is to compromise the organizational networks of the intended targets.