FBI, DHS warn Russian Dragonfly Group Still Targeting US Critical Infrastructure

The Department of Homeland Security and the FBI on Thursday warned that the so-called “Dragonfly” hackers linked to the government of Russia are engaged in a “multi-stage intrusion campaign” against U.S. critical infrastructure, including the energy, nuclear, aviation and manufacturing sectors. 

In a joint Technical Alert, the two agencies said that the campaign dates back to “at least” March 2016 and involves multiple U.S. critical infrastructure sectors. Firms were targeted with spear phishing emails, watering-hole web site attacks and more, with hackers compromising and then conducting reconnaissance on victims’ networks.

DHS and FBI issued a joint alert about Russian intrusions into US critical infrastructure. (Image courtesy of CrowdStrike)

The announcement came on the same day that the U.S. Treasury Department announced expanded sanctions on Russian “cyber actors” for attacks on the U.S. elections and other cyber attacks, including the release of the NotPetya malware in June 2017, an act that both the U.S. and U.K. governments attributed to Russia.

“The attack resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines. Additionally, several hospitals in the United States were unable to create electronic records for more than a week,” Treasury said in its statement.

The Joint Technical Alert, released in concert with the sanctions, included packages of indicators that would help owners and operators of critical infrastructure detect the presence of the foreign hackers on their network. They include information on the malware used in the attacks as well as examples of phishing email and attack websites.

According to the Alert, Russian government actors targeted “small commercial facilities” in sectors like energy, nuclear, commercial facilities, water, aviation, and critical manufacturing.

Analysis by DHS and FBI suggested the group was the same as the so-called “Dragonfly” hacking group that Symantec linked to attacks on Western energy firms in September and October of last year.

According to the alert, the campaigns initially targeted third party suppliers to the ultimate targets. Those firms, often small, had less secure networks; once inside them, the attackers “pivoted” to the ultimate target.

Among the spear phishing emails were apparent job applications claiming to come from professionals with knowledge of industrial control system software by Siemens, Rockwell and others. Attachments claiming to be resumes would then steal the credentials of the target, giving the attackers access to the victim’s network.

Once compromised, the smaller firms’ websites were used as watering holes to attract and attack employees from the primary target, DHS said in its Alert.

The ultimate objective of the attackers was to compromise industrial control system (ICS) and SCADA systems used to manage and operate machinery and other critical infrastructure. FBI observed the threat actors accessing workstations and servers on a corporate network that contained data output from control systems within energy generation facilities.

The hackers also accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Often, those file names contained ICS vendor names, or the files were ICS reference documents pertaining to the organization, such as wiring diagrams.

The threat actors were also observed copying profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems.
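The alert's observations above (reads of VNC profiles and of ICS reference files, with the attackers copying them in bulk) translate naturally into a file-access detection. The following is an added example, not code from the alert, DHS, FBI or Security Ledger: it scans a small set of constructed Windows object-access (Event ID 4663) records, rendered in a simplified key=value form rather than any real export format, and flags reads of VNC profile files and of files whose names carry ICS vendor or document terms. The watch-list patterns and the threshold for "bulk" access are hypothetical placeholders, not the indicators published with the alert.

```python
import re
from collections import Counter

# Hypothetical watch-list derived from the alert's description: VNC profiles,
# ICS vendor names and reference documents such as wiring diagrams. These are
# placeholder patterns for illustration, not the alert's published indicators.
VNC_PROFILE_RE = re.compile(r"(\.vnc$|(^|[\\/])ultravnc\.ini$)", re.IGNORECASE)
ICS_TERMS = ("siemens", "rockwell", "scada", "wiring")

# Simplified key=value rendering of a Windows 4663 (object access) event.
# Real exports (EVTX, Sysmon, SIEM JSON) need their own parser; the logic below
# only depends on the user, object path, access type and event id.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+User=(?P<user>\S+)\s+Object=(?P<obj>.+?)\s+Access=(?P<access>\S+)$"
)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "EventID=4663 User=CORP\\svc_backup Object=C:\\Backups\\hr.bak Access=ReadData",
    "EventID=4663 User=CORP\\jdoe Object=C:\\Users\\jdoe\\Documents\\hmi-station1.vnc Access=ReadData",
    "EventID=4663 User=CORP\\jdoe Object=\\\\fileserv\\eng\\Siemens_S7_config.pdf Access=ReadData",
    "EventID=4663 User=CORP\\jdoe Object=\\\\fileserv\\eng\\substation_wiring_diagram.dwg Access=ReadData",
    "EventID=4663 User=CORP\\jdoe Object=C:\\Program Files\\uvnc\\UltraVNC.ini Access=ReadData",
    "EventID=4663 User=CORP\\asmith Object=\\\\fileserv\\eng\\Rockwell_PLC_notes.docx Access=ReadData",
    "EventID=4663 User=CORP\\asmith Object=C:\\Users\\asmith\\notes.txt Access=WriteData",
    "EventID=4624 User=CORP\\jdoe Object=- Access=-",
]


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not in the expected form."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_path(path):
    """Label a file path as 'vnc_profile', 'ics_reference' or None (not interesting)."""
    name = path.rsplit("\\", 1)[-1]          # keep only the file name
    if VNC_PROFILE_RE.search(name):
        return "vnc_profile"
    lowered = name.lower()
    if any(term in lowered for term in ICS_TERMS):
        return "ics_reference"
    return None


def scan(lines, bulk_threshold=3):
    """Scan object-access events for reads of VNC profiles and ICS reference files.

    Returns (findings, bulk_users): findings is a list of (user, kind, path)
    tuples for every matching read; bulk_users lists accounts whose number of
    matching reads reached bulk_threshold, which is the 'copying profiles and
    reference documents' pattern the alert describes.
    """
    findings = []
    per_user = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != "4663":
            continue                          # not an object-access event
        if not ev["access"].startswith("Read"):
            continue                          # writes/deletes are a different signal
        kind = classify_path(ev["obj"])
        if kind is None:
            continue
        findings.append((ev["user"], kind, ev["obj"]))
        per_user[ev["user"]] += 1
    bulk_users = sorted(u for u, n in per_user.items() if n >= bulk_threshold)
    return findings, bulk_users


if __name__ == "__main__":
    hits, bulk = scan(SAMPLE_EVENTS)
    for user, kind, path in hits:
        print(f"{kind:14} {user:18} {path}")
    print("bulk access by:", bulk)
```

In practice the per-user count would be computed over a time window and the watch-list would be tuned to the site's actual VNC clients and ICS vendors; the point of the threshold is that a single read of a VNC profile by its owner is routine, while one account sweeping several profiles and vendor documents in quick succession matches the behaviour the alert attributes to the actors.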

The firm Dragos Security, which testified before the Senate Committee on Energy and Natural Resources earlier this month, has identified no fewer than five groups globally targeting ICS systems, most affiliated with governments like Russia, Iran and China.

In an interview with Security Ledger on our recent podcast, Joe Slowik of Dragos said that critical infrastructure hacks often concentrate in geopolitical hotspots including Ukraine, the Middle East and Asia.

“There’s no financial gain to be had from any of these items, so that weeds out cyber criminal groups right away,” said Slowik, an adversary hunter at Dragos. While attribution is often difficult, nation state actors like Russia are those most likely to have an interest in compromising industrial control networks.