Full Report
US-CERT has published a report on a targeted (APT) attack on government entities and organizations in energy, nuclear, aviation and other sectors. The attackers were interested in documents on industrial processes in targeted organizations.
Analysis Summary
# Incident Report: APT Campaign Targeting US Critical Infrastructure
## Executive Summary
A sophisticated APT group targeted government entities and organizations within the energy, nuclear, water, and aviation sectors to gather sensitive data on industrial processes. The campaign used multi-stage spear-phishing and "watering hole" attacks to harvest credentials and gain long-term access. The primary outcome was systematic reconnaissance and the theft of industrial control system (ICS) documentation.
## Incident Details
- **Discovery Date:** Approximately mid-2017
- **Incident Date:** May 2017 – Late 2017 (Active campaign period)
- **Affected Organization:** Multiple undisclosed entities
- **Sector:** Government, Energy, Nuclear, Aviation, and Manufacturing
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** May 2017
- **Vector:** Spear-phishing and Strategic Web Compromise (Watering Hole)
- **Details:** Attackers sent emails containing malicious attachments or links to "watering hole" domains (legitimate websites compromised by the attackers) frequented by employees in the energy sector.
### Lateral Movement
- Once initial credentials were harvested through forced outbound SMB (Server Message Block) authentication, the attackers used the valid accounts to navigate the corporate network (IT) looking for connections to the industrial control environment (OT).
### Data Exfiltration/Impact
- The attackers focused on collecting "screen captures" of Human Machine Interfaces (HMI) and stealing documents related to industrial processes, schematics, and personnel information.
### Detection & Response
- **Discovery:** Identified through collaborative intelligence between US-CERT, DHS, and private security firm telemetry.
- **Actions:** US-CERT released Technical Alert TA17-293A to provide signatures and mitigation strategies to stakeholders.
## Attack Methodology
- **Initial Access:** Spear-phishing attachments (Word docs) and malicious links; Watering hole attacks on trade publications.
- **Persistence:** Creation of local administrative accounts after acquiring credentials.
- **Privilege Escalation:** Use of Mimikatz-style credential harvesting and exploiting internal configuration weaknesses.
- **Defense Evasion:** Use of legitimate compromised third-party accounts to send emails; clearing Windows Event Logs.
- **Credential Access:** Forcing SMB authentication to capture NTLM hashes; phishing for login portals.
- **Discovery:** Searching hosts and file shares for documents of interest by extension (.zip, .pdf, .docx) and for specialized ICS file types.
- **Lateral Movement:** Utilizing RDP (Remote Desktop Protocol) and valid administrative credentials.
- **Collection:** Taking screenshots of HMI/SCADA systems; staging documents in archived folders.
- **Exfiltration:** Standard web protocols and potentially encrypted channels to move data to command-and-control (C2) servers.
## Impact Assessment
- **Financial:** Not disclosed, though forensic remediation costs for critical infrastructure are typically high.
- **Data Breach:** High-volume theft of sensitive technical documentation regarding the layout and operation of power plants and refineries.
- **Operational:** No reported physical disruption (blackouts/shutdowns), but the reconnaissance provided the "blueprint" for future potential sabotage.
- **Reputational:** Increased public and governmental concern regarding the vulnerability of the national power grid.
## Indicators of Compromise
- **Network Indicators:**
  - [hxxp]://frashta[.]com/check[.]php
  - [hxxp]://core-mkt[.]com/images/ping[.]php
  - [192[.]168[.]xxx[.]xxx] (internal staging IPs)
- **File Indicators:** Malicious .LNK files; template-injection Word documents.
- **Behavioral Indicators:** Unusual SMB outbound traffic to external IPs; RDP sessions occurring outside of normal business hours between IT and OT segments.
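The file indicator "template-injection Word documents" can be triaged without opening the file: a .docx is a ZIP package, and the attached template lives in a relationship entry, normally in `word/_rels/settings.xml.rels`, with `Type` ending in `attachedTemplate`. A benign document points that relationship at nothing or at a local path; an injected one points it at a remote URL with `TargetMode="External"`, so the document body can be clean while the macro-bearing .dotm is fetched on open. The script below is an added example written for this summary, not tooling from the US-CERT report; `build_sample_docx` constructs a minimal, document-shaped archive purely so the scanner has something to run against, and the hostname in the test target is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace and the attachedTemplate relationship type.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Target prefixes that mean "fetch this from somewhere else" (UNC paths included).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def find_external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship in the
    package that points outside the archive.  Any external relationship deserves a
    look; a remote attachedTemplate is the specific template-injection signature."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            # For untrusted files in production, parse with defusedxml instead.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                external = (rel.get("TargetMode") == "External"
                            or target.lower().startswith(REMOTE_SCHEMES))
                if external:
                    findings.append((name, rel.get("Type", ""), target))
    return findings


def is_template_injection(docx_bytes):
    """True when the attached template is loaded from a remote location."""
    return any(rtype == ATTACHED_TEMPLATE and target.lower().startswith(REMOTE_SCHEMES)
               for _, rtype, target in find_external_relationships(docx_bytes))


def build_sample_docx(template_target=None):
    """Constructed, minimal .docx-shaped archive for the demo only (not a real Office
    file).  When template_target is given, a remote attachedTemplate relationship is
    written, which is the shape a template-injection document has on disk."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles" Target="styles.xml"/>',
    ]
    if template_target:
        rels.append(f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder hostname; constructed for the demonstration.
    suspect = build_sample_docx("http://template-host.invalid/base.dotm")
    for part, rtype, target in find_external_relationships(suspect):
        print(f"{part}: {rtype.rsplit('/', 1)[-1]} -> {target}")
    print("template injection:", is_template_injection(suspect))
```

Run against a real attachment with `find_external_relationships(open(path, "rb").read())`; the same relationship scan also surfaces remote OLE objects and external hyperlink targets, which is why the function reports every external relationship rather than only the template one.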
## Response Actions
- **Containment:** Disabling compromised user accounts and resetting passwords across the enterprise.
- **Eradication:** Removal of persistent web shells on compromised watering hole servers and local backdoors.
- **Recovery:** Restoring systems from known-good backups and implementing enhanced monitoring on ICS/SCADA gateways.
## Lessons Learned
- **Trust Architecture:** Attackers leveraged "trusted" third-party relationships (contractors/suppliers) to bypass perimeter defenses.
- **Air-Gapping Reality:** The "air gap" between IT and OT is often porous, allowing attackers to move from an office email account to a control room interface.
## Recommendations
- **Multi-Factor Authentication (MFA):** Enforce MFA for all remote access, especially RDP and Outlook Web Access (OWA).
- **SMB Filtering:** Block outbound SMB (TCP ports 139 and 445) to the internet, so that a lure document or link cannot force a workstation to authenticate to an attacker-controlled server and leak its NTLM hash.
- **Network Segmentation:** Implement strict firewall rules between the corporate (IT) network and the industrial (OT) network.
- **User Training:** Strengthen phishing awareness programs specifically for employees with access to critical infrastructure.
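The two behavioral indicators listed above (outbound SMB to external addresses, and RDP between the IT and OT segments outside business hours) and the SMB-filtering and segmentation recommendations all reduce to rules over connection records that a firewall or NetFlow collector already produces. The script below is an added example for this summary, not detection content from the US-CERT alert: the log format, the IT and OT address ranges, the 08:00 to 18:00 business window and the sample lines are all constructed. Internal space is defined explicitly as the RFC 1918 ranges rather than via `ipaddress.is_private`, because Python also classes the documentation ranges used in the samples as private and would otherwise miss them.

```python
import ipaddress
import re
from datetime import datetime

# Assumed network layout for the example; adjust to the real segments.
IT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
RDP_PORT = 3389
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time counts as business hours

# Constructed record format: "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one connection record; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_RANGES)


def is_outbound_smb(rec):
    """Internal host speaking SMB to a non-internal address: the traffic shape of a
    forced-authentication credential capture, and exactly what the egress filter
    in the recommendations is meant to stop."""
    return rec["dport"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"])


def is_off_hours_it_ot_rdp(rec):
    """RDP crossing the IT/OT boundary outside the business-hours window."""
    if rec["dport"] != RDP_PORT:
        return False
    crosses = ((rec["src"] in IT_SEGMENT and rec["dst"] in OT_SEGMENT)
               or (rec["src"] in OT_SEGMENT and rec["dst"] in IT_SEGMENT))
    return crosses and rec["ts"].hour not in BUSINESS_HOURS


def analyze(lines):
    """Run both rules over the records and return (rule, src, dst) alerts in order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; skipped, not fatal
        if is_outbound_smb(rec):
            alerts.append(("outbound_smb", str(rec["src"]), str(rec["dst"])))
        if is_off_hours_it_ot_rdp(rec):
            alerts.append(("off_hours_it_ot_rdp", str(rec["src"]), str(rec["dst"])))
    return alerts


# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2017-06-12T10:14:05 src=10.10.5.23 dst=10.10.5.1 dport=445 proto=tcp",     # internal SMB, normal
    "2017-06-12T10:15:40 src=10.10.5.23 dst=203.0.113.45 dport=445 proto=tcp",  # SMB to the internet
    "2017-06-12T11:02:11 src=10.10.7.9 dst=10.50.2.20 dport=3389 proto=tcp",    # IT->OT RDP, business hours
    "2017-06-13T02:47:33 src=10.10.7.9 dst=10.50.2.20 dport=3389 proto=tcp",    # IT->OT RDP at 02:47
    "2017-06-13T03:05:00 src=10.10.9.4 dst=198.51.100.7 dport=443 proto=tcp",   # HTTPS egress, not flagged
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for rule, src, dst in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: {src} -> {dst}")
```

On the sample data the first rule fires once (the SMB connection to 203.0.113.45) and the second fires once (the 02:47 RDP session from IT into OT); the daytime IT-to-OT session is not flagged, which is deliberate: the indicator on this page is timing plus boundary crossing, and a segmentation policy that forbids the crossing outright belongs in the firewall, not in this detector.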