The United States Computer Emergency Readiness Team (US-CERT) published the results of a joint investigation by U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigations (FBI) experts. The report provides information on a targeted (APT) attack on government entities and organizations in energy, nuclear, aviation, and other sectors. The attackers were interested in documents on industrial processes in targeted organizations.
The APT attack is a multistage campaign to penetrate well-protected systems and networks of critical infrastructure entities. The attackers carefully selected their targets and adapted the attack scenario to each company’s operations. According to the report, the threat actors conducted open-source reconnaissance of targeted organizations, gathering information posted on company-controlled websites. Phishing emails with attachments containing links to web servers controlled by the attackers were used as the main attack vector.
As a rule, the threat actors first attacked less secure networks of third-party companies that are in one way or another connected with the organizations of interest to the attackers (these companies are referred to as staging targets in the report). After gaining access to the IT infrastructure of a staging target, the attackers used this access to collect information on the main targets (referred to as intended targets). They also used staging targets’ infrastructure to attack intended targets.
One of the ways in which the attackers used compromised accounts was to authenticate on corporate email access portals and send phishing emails on behalf of victim companies’ employees, as well as to infect the websites of attacked companies and use them in watering hole attacks. According to US-CERT, the subject matter of half of the compromised corporate websites had to do with ICS or critical infrastructure objects.
Importantly, the body text an attachment names in phishing emails were chosen to match the operations of the company and the type of work performed by the employee to whose address they were sent. For example, some of the messages identified by researchers were disguised as contract information and mentioned industrial equipment and protocols. In other cases, emails contained job search information for industrial control system personnel.
At different stages in the attack, the threat actors used a technique based on requesting documents from a remote server using the Server Message Block (SMB) protocol. When sending a request to retrieve a file via SMB, data sent by Windows to the remote server includes user name and password hash. The attackers used hash cracking techniques to gain access to attacked users’ accounts.
A similar technique was used to harvest employees’ authentication data in the process of gaining access to a company’s workstations. After gaining access to a system, the attackers planted specially crafted shortcut (.lnk) files on the computer. Default Windows functionality enables shortcut icons to be loaded from a remote location. The attackers used this to set the icon path to their remote controlled server. As a result, when the user browsed to the directory containing the shortcut, Windows initiated an SMB authentication session in an attempt to load the icon from the remote server, providing the attackers with the user’s credentials.
After compromising a system, the attackers installed a set of tools on the machine. Some of the tools are publicly available and were downloaded from publicly available locations. The attackers also used various scripts. One of the scripts found by the researchers created a new user account with administrator privileges in the system and configured the system to be remotely managed by that user account via RDP. Curiously, to add the new user to the administrators group, the script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French and English.
Known tools used by the attackers included:
- Hydra – a tool used to attack passwords for various authentication protocols;
- SecretsDump – a tool used to get saved and cached Windows accounts;
- CrackMapExec – a tool used to conduct various attacks in Windows systems.
In some cases, the threat actors installed Forticlient applications to provide remote VPN access to the infected systems. On one of the systems, the investigators found ScreenUtil – a tool is used to make screenshots on the machine without the user’s knowledge.
According to US-CERT, the campaign is still ongoing.
US-CERT has published indicators of compromise and some recommendations on detecting this attack.
YARA rules have also been published. However, according to experts, the rules published by US-CERT contain errors. Florian Roth, a researcher from CSS (Center for Security Studies at ETH Zurich), has published a corrected version of the YARA rules in his weblog.