APT Alert for Critical Infrastructure Reinforces Need to Secure High Value Assets

Critical infrastructure leaders need to prioritize and secure their highest value assets in cyberspace. A new warning shows why.

Threat actors have been running advanced persistent threat campaigns against the energy, nuclear, water, aviation, construction, and critical manufacturing sectors since at least May 2017, the Department of Homeland Security and the FBI warned Oct. 20.

Securing high value assets is the theme of the 3rd Annual International Billington CyberSecurity Summit.

DHS said the campaign is ongoing. The systems affected by this campaign are domain controllers, file servers and email servers. In DHS’ assessment, the threat actors are running a multi-stage intrusion campaign: they first compromise smaller, less secure networks, such as those of suppliers and other supply chain partners, and use that access to move laterally into the networks of major, high value assets within the energy sector.

The Alert (TA17-293A) identifies tactics that include open-source reconnaissance of targets, gathering information posted on company-controlled websites. The alert gives this example: “As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”
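The exposure described in that example is easy to audit for. The script below is an added example, not part of the alert or this article: it walks the `<img>` tags of a page, reads the real pixel dimensions from the PNG IHDR chunk or the JPEG SOF header, and flags any image whose true size is far larger than the size the page displays it at, since that is exactly the "small photo that expands to a high-resolution photo" case. The HTML, the PNG and the JPEG header bytes are constructed for the demo, and the `fetch` callback is a dict lookup so the audit runs offline; in production it would be an HTTP GET against your own public site.

```python
"""Audit a web page for "thumbnails" that are really full-resolution images.

Added example (not from the DHS/FBI alert). Stdlib only; the sample HTML and
image bytes below are constructed for the demo.
"""
import struct
import zlib
from html.parser import HTMLParser


def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk of a PNG, or None."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n") or len(data) < 24:
        return None
    return struct.unpack(">II", data[16:24])  # IHDR: width, height


def jpeg_dimensions(data: bytes):
    """Return (width, height) from the first SOF0/1/2 marker of a JPEG, or None."""
    if not data.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte
            i += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            i += 2
            continue
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2) and i + 9 <= len(data):
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + length
    return None


def image_dimensions(data: bytes):
    return png_dimensions(data) or jpeg_dimensions(data)


class ImgCollector(HTMLParser):
    """Collect <img> src attributes with the display size the page requests."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        try:
            displayed = (int(a.get("width")), int(a.get("height")))
        except (TypeError, ValueError):
            displayed = None  # no explicit size: cannot call it a thumbnail
        self.images.append((a.get("src", ""), displayed))


def find_oversized_thumbnails(html: str, fetch, ratio: float = 4.0):
    """Return [(src, displayed, actual)] for images whose true pixel size is at
    least `ratio` times the displayed size in both dimensions.
    `fetch(src) -> bytes` is supplied by the caller (HTTP GET in production)."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for src, displayed in parser.images:
        if displayed is None:
            continue
        actual = image_dimensions(fetch(src))
        if actual is None:
            continue
        if actual[0] >= ratio * displayed[0] and actual[1] >= ratio * displayed[1]:
            findings.append((src, displayed, actual))
    return findings


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed test data)."""
    def chunk(kind, body):
        crc = zlib.crc32(kind + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height      # filter byte + one row, per row
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


# Constructed JPEG header: SOI, an APP0 segment to skip, then SOF0 with 96x128.
SAMPLE_JPEG_HEADER = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 96, 128) + b"\x03" + b"\x00" * 9
)

SAMPLE_HTML = """<html><body><h1>Meet the team</h1>
<img src="/hr/team-photo.png" width="200" height="150" alt="Operations team">
<img src="/hr/logo.jpg" width="128" height="96" alt="Logo">
</body></html>"""

SAMPLE_IMAGES = {
    "/hr/team-photo.png": make_png(3200, 2400),  # shown at 200x150, really 16x larger
    "/hr/logo.jpg": SAMPLE_JPEG_HEADER,          # shown at its real size
}


def audit_sample():
    return find_oversized_thumbnails(SAMPLE_HTML, SAMPLE_IMAGES.__getitem__)


if __name__ == "__main__":
    for src, shown, real in audit_sample():
        print(f"{src}: displayed {shown[0]}x{shown[1]}, actual {real[0]}x{real[1]}; review the background")
```

The point of the check is that what the browser renders is not what an adversary downloads: every flagged image should be opened at full resolution and reviewed for equipment, screens, badges or whiteboards in the background, then re-encoded at the displayed size before it is published.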

Additional tactics included spear phishing and watering holes. Although the watering holes frequently host “legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.”

Once on a victim’s network, the threat actors conducted reconnaissance operations within the network. Specifically, they focused on identifying and browsing information pertaining to Supervisory Control and Data Acquisition (SCADA) systems and control systems.
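Because the alert lists file servers among the affected systems and describes the actors browsing for SCADA and control-system material, one practical hunt is to look for an account sweeping ICS-related documents on a file share. The script below is an added example, not from the alert or this article: it reads file-access records (a constructed `timestamp user host path` format standing in for Windows object-access or SMB audit logs), keeps only accesses to paths with ICS keywords, and raises an alert when one account opens at least `min_files` distinct such files inside a sliding time window. The keyword list, thresholds and sample log lines are all assumptions to be tuned to your environment.

```python
"""Hunt for an account sweeping ICS/SCADA-related documents on a file server.

Added example (not from the DHS/FBI alert). The log format, sample lines,
keyword list and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ICS vocabulary; word-bounded so "basics" or "policies" do not match.
ICS_TERMS = re.compile(r"\b(scada|hmi|plc|dcs|rtu|modbus|dnp3|ics)\b|control[-_ ]?system", re.I)

# Constructed file-access records: ISO timestamp, account, client host, UNC path.
SAMPLE_LOG = [
    r"2017-10-19T08:02:11 jdoe ENG-WS01 \\FS01\Engineering\Budgets\FY18.xlsx",
    r"2017-10-19T08:05:40 svc_backup FS01 \\FS01\Engineering\Drawings\P&ID-unit2.pdf",
    r"2017-10-19T09:14:02 jdoe ENG-WS01 \\FS01\Engineering\SCADA\Overview.vsdx",
    r"2017-10-19T22:31:05 kbrown HR-WS07 \\FS01\Engineering\SCADA\network-diagram.vsdx",
    r"2017-10-19T22:31:09 kbrown HR-WS07 \\FS01\Engineering\SCADA\HMI-screens.pdf",
    r"2017-10-19T22:31:15 kbrown HR-WS07 \\FS01\Engineering\PLC\ladder-logic-unit1.pdf",
    r"2017-10-19T22:32:40 kbrown HR-WS07 \\FS01\Engineering\Vendors\RTU-config-guide.pdf",
    r"2017-10-19T22:33:02 kbrown HR-WS07 \\FS01\Engineering\ICS-inventory.xlsx",
    r"2017-10-19T22:40:55 kbrown HR-WS07 \\FS01\HR\policies.docx",
]


def parse_ics_accesses(lines):
    """Return sorted (time, user, host, path) tuples for ICS-related paths only."""
    events = []
    for line in lines:
        ts, user, host, path = line.split(maxsplit=3)
        if ICS_TERMS.search(path):
            events.append((datetime.fromisoformat(ts), user, host, path))
    events.sort()
    return events


def detect_sweeps(lines, min_files=4, window=timedelta(minutes=10)):
    """One alert per account whose largest `window` of activity touches at
    least `min_files` distinct ICS-related files."""
    by_user = defaultdict(list)
    for ev in parse_ics_accesses(lines):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start forward
                start += 1
            files = {e[3] for e in evs[start:end + 1]}
            if len(files) >= min_files and (best is None or len(files) > len(best[2])):
                best = (start, end, files)
        if best is not None:
            s, e, files = best
            alerts.append({
                "user": user,
                "hosts": sorted({ev[2] for ev in evs[s:e + 1]}),
                "first": evs[s][0].isoformat(),
                "last": evs[e][0].isoformat(),
                "files": sorted(files),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_LOG):
        print(f"{a['user']} from {','.join(a['hosts'])} opened {len(a['files'])} "
              f"ICS-related files between {a['first']} and {a['last']}")
        for f in a["files"]:
            print("   ", f)
```

In the sample, the engineer who opens one SCADA drawing during the day stays below the threshold, while the account that opens five ICS documents in two minutes late at night is reported. Two further signals are visible in the alert but left for the analyst: the sweep comes from a host whose naming suggests an HR workstation rather than an engineering one, and it falls outside working hours.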

DHS and FBI list multiple steps network users and administrators should take to detect and prevent this kind of malicious activity.

In a related development, FireEye confirmed on Oct. 10 that it had detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government.

Charles Carmakal, Vice President, FireEye’s Mandiant Consulting, in his keynote at the 8th Annual Billington CyberSecurity Summit, Sept. 13, said the U.S. has yet to encounter a catastrophic attack on critical infrastructure. The reason: the threat actors with the capability don’t have the motivation to do so yet, while the threat actors with the motivation don’t have the capability. But he warned: “Things may change.”

He pointed out that Industrial Control Systems are becoming more interconnected. Unfortunately, he said, the cultures that operate ICS are change averse. “Often, they are running very old technology that can’t be patched.”

FireEye, in its release about the suspected North Korean spear phishing of US electric companies said, “The number of nation-states developing the capability to disable the operations of power utilities has increased in recent years. For North Korea, even limited compromises of power companies would probably be exaggerated and hailed as a victory by Pyongyang.”

The 3rd Annual International Billington Cybersecurity Summit takes place March 21 in Washington, D.C. The theme is “Securing High Value Assets in Cyberspace.”