The United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a warning that malicious hackers are actively targeting government departments, and firms working in the energy, nuclear, water, aviation, and critical manufacturing sectors.
The warning, sent via email to energy and industrial firms late on Friday, reveals that hacking groups have been targeting critical infrastructure since at least May 2017, and "in some cases", have successfully compromised victims' networks.
As is becoming increasingly common, the organisations initially targeted by the attacks are trusted third-party suppliers to the hackers' intended quarry.
These "staging targets" provide a pivot point and malware repository that can be used by the hacking group to increase their chances of successfully compromising their intended target - the network of the organisation working in the energy sector or other critical infrastructure.
According to the DHS, the campaign is still ongoing as the (most likely) state-sponsored attackers pursue their ultimate objective - whether that be to spy, to conduct open source reconnaissance, or disrupt energy systems in the event of conflict.
This latest wave of attacks is believed to be the latest assault orchestrated by the Dragonfly hacking group, which has previously been said to have targeted more than 1000 companies in the European and North American energy industry.
One of the techniques being used in the attacks, according to the report, is spear-phishing emails that can help reveal a recipient's password:
Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]///Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the requested file. (Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.
In other attacks, an attacker may send what appears to be a generic contract agreement in the form of a PDF. Although there is no malicious code in the PDF file itself, it prompts the reader to click a link which (via a shortened URL) downloads a malicious file.
To increase the chances that the PDF file is opened, emails and attachments may refer to legitimate CVs or resumés for industrial control systems personnel, or policy documents or invitations designed to entice users into clicking on the attachment.
Moving away from email, organisations are also being hit by "watering hole" attacks where legitimate websites have been compromised to contain malicious code. The DHS's report says that approximately half of the known watering holes are "trade publications and informational websites related to process control, ICS, or critical infrastructure."
Much more detail, including indicators of compromise, filenames used in the attacks, and MD5 hashes, can be found in the alert published on US-CERT.