Russian government cyber activity has targeted U.S. Government entities, energy and other critical infrastructure sectors. The activity has been ongoing since at least March 2016, according to a US-CERT Technical Alert (TA).
The TA is the result of a joint effort between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) and includes details on distinct indicators of compromise (IOCs) and behaviors related to the cyber activity used to compromise victim networks.
The campaign includes two distinct categories of victims – staging and intended targets.
The threat actors initially target third-party suppliers with less secure networks, dubbed “staging targets”. The actors then use the staging targets to pivot to their intended targets, such as U.S. critical infrastructure sectors.
Victims include the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS),” according to the alert.
The DHS and FBI analysis also refers to the earlier Dragonfly report, published by Symantec in October 2017. In that report, Symantec describes how a sophisticated attack group has been targeting the Western energy sector since December 2015.
The technical analysis in the TA is organized around the Lockheed Martin “Cyber Kill Chain” model, and it is worth reviewing that model to help dissect the malicious activity. The phases of the attack are: 1) Reconnaissance, 2) Weaponization, 3) Delivery, 4) Exploitation, 5) Installation, 6) Command and Control and 7) Actions on the Objective.
Quite a few general best practices have been provided to mitigate the threat. For example, network administrators should prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445, along with the related UDP port 137.
Administrators should also block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on their border gateway devices. Many more best-practice examples are included in the alert.
See the full advisory (TA18-074A) for many more details and the technical analysis of the threat.
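As an added example (not code from the alert, from DHS/FBI, or from the original article), the following Python audits constructed flow records against that boundary guidance: it flags SMB/NetBIOS on TCP 139/445 and UDP 137, and WebDAV request methods, whenever a connection crosses between RFC 1918 address space and an external address. The key=value flow format, the sample addresses (documentation ranges), and the function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical boundary audit, not tooling from the TA: flags flows that the
# alert's guidance says should be blocked at the network border.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_TCP_PORTS = {139, 445}          # SMB and NetBIOS session service
NETBIOS_UDP_PORTS = {137}           # NetBIOS name service
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address is in RFC 1918 private space (assumed internal)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key=value' flow record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def audit_flow(line: str) -> Optional[Finding]:
    """Return a Finding if the flow is boundary-crossing SMB/NetBIOS or WebDAV."""
    f = parse_flow(line)
    src, dst = f["src"], f["dst"]
    # Only flows that cross the internal/external boundary matter here;
    # purely internal SMB is expected and is out of scope for this check.
    if is_internal(src) == is_internal(dst):
        return None
    proto = f["proto"].lower()
    dport = int(f["dport"])
    method = f.get("method", "-").upper()
    if proto == "tcp" and dport in SMB_TCP_PORTS:
        return Finding(src, dst, f"SMB on tcp/{dport}")
    if proto == "udp" and dport in NETBIOS_UDP_PORTS:
        return Finding(src, dst, f"NetBIOS name service on udp/{dport}")
    if proto == "tcp" and method in WEBDAV_METHODS:
        return Finding(src, dst, f"WebDAV ({method}) on tcp/{dport}")
    return None


def audit(lines: List[str]) -> List[Finding]:
    """Audit many flow records, returning only the findings."""
    return [fi for fi in (audit_flow(l) for l in lines) if fi is not None]


# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for external hosts.
SAMPLE_FLOWS = [
    "proto=tcp src=10.1.2.3 dst=203.0.113.7 dport=445 method=-",        # outbound SMB
    "proto=udp src=10.1.2.3 dst=203.0.113.7 dport=137 method=-",        # outbound NetBIOS-NS
    "proto=tcp src=10.1.2.9 dst=198.51.100.4 dport=80 method=PROPFIND", # outbound WebDAV
    "proto=tcp src=10.1.2.9 dst=198.51.100.4 dport=443 method=GET",     # ordinary web traffic
    "proto=tcp src=10.1.2.3 dst=10.1.5.20 dport=445 method=-",          # internal SMB, in scope for policy but not for this check
    "proto=tcp src=203.0.113.9 dst=10.1.2.3 dport=445 method=-",        # inbound SMB from outside
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"{finding.src} -> {finding.dst}: {finding.reason}")
```

Running the script against the constructed records reports the four boundary-crossing flows and stays silent on ordinary HTTPS and on internal-only SMB, which is the behaviour a border block should produce; feeding it real export from a border device is a quick way to confirm that the rules described in the alert are actually in effect.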