In what is an unusual move by the FBI and DHS, CERT released a security bulletin saying that attackers were going after government entities and critical infrastructure and had been doing so at least since May.
They said this is a multi-stage attack: the attackers first go after small, low-security networks and then move from inside those networks to attack other, higher-value assets.
Since at least May, the attackers have been going after critical targets like energy, water, aviation, nuclear and critical manufacturing. In addition, they are also targeting government entities.
The attacks start by going after “staging targets” (possibly suppliers or other vendors with less secure networks) and then use those compromised networks to reach the ultimate target.
Using the standard cyber kill chain attack model, there are five phases to the attack:
- Reconnaissance – gather information on the organization and the potential weaknesses of, in this case, specific, targeted organizations.
- Weaponization – use spear phishing emails (in this case) to get into the target organization.
- Delivery – once inside the organization, use the beachhead they have created to establish a persistent base for further attacks.
- Exploitation – once the beachhead is established, use that base to exploit the organization, for example by stealing credentials.
- Installation – now that the network is fully compromised, download additional tools to expand the attack and use that company to launch attacks against other companies.
The FBI admitted, with no details, that some of the attacks have been successful. The fact that they are issuing a very public announcement as opposed to a much quieter memo, say via Infragard, says that (a) the attacks have been more successful than they might want to admit, (b) that the attacks are going after smaller, less sophisticated organizations that have less sophisticated defenses and (c) the attacks are ongoing.
This means that organizations need to be on higher alert than they might be otherwise. To steal a term from the Department of Defense, if your organization was at Defcon 4 before (the second LOWEST level of alert), now might be a good time to go to Defcon 3 or even Defcon 2 (the second HIGHEST level of alert).
The bulletin provides specific IOCs (indicators of compromise) for each target industry segment.
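The practical use of those IOCs is to check your own logs for them. The script below is an added example, not code from the bulletin or from this post: it loads a small indicator feed (IPs, domains and file hashes, in the defanged “hxxp” / “[.]” form bulletins often use), normalizes it, and reports which log lines contain a match. Every indicator value and log line in it is a constructed placeholder, not an IOC from the CERT bulletin; substitute the bulletin's own list and your proxy, DNS and endpoint logs.

```python
"""
Toy IOC matcher: load a list of indicators (IPs, domains, file hashes),
normalise them, and report which log lines contain a match.

All indicator values and log lines below are CONSTRUCTED placeholders
(RFC 5737 test addresses, reserved example domains, made-up hashes);
none of them come from the CERT bulletin.
"""
import re
from dataclasses import dataclass

# Constructed IOC feed in a simple "type,value" form. Values are defanged
# the way bulletins often publish them (hxxp, [.]); refang() undoes that.
IOC_FEED = """\
# type,value
ip,192.0.2.44
domain,update-portal[.]example
domain,hxxp://mail-login[.]example.net/
md5,ffeeddccbbaa99887766554433221100
sha256,00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

# Constructed sample log lines from three different sources (proxy, DNS, EDR).
SAMPLE_LOGS = [
    "2017-10-20T14:02:11Z proxy user=jsmith dst=192.0.2.44:443 bytes=1024 action=allow",
    "2017-10-20T14:05:37Z dns query=UPDATE-PORTAL.example type=A client=10.0.0.12",
    "2017-10-20T14:06:02Z edr host=ws17 file=C:\\Users\\jsmith\\AppData\\Local\\Temp\\inv.exe "
    "sha256=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF",
    "2017-10-20T14:09:44Z proxy user=agarcia dst=198.51.100.7:443 bytes=2048 action=allow",
    "2017-10-20T14:11:20Z dns query=mail-login.example.net type=A client=10.0.0.31",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")


def refang(value):
    """Undo common defanging and case so feed values compare against live logs."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxps?://", "", v)
    return v.rstrip("/")


def parse_ioc_feed(text):
    """Return {type: set(normalised values)} from 'type,value' lines."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs.setdefault(kind.strip().lower(), set()).add(refang(value))
    return iocs


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index of the matching log line
    kind: str      # "ip", "domain" or "hash"
    value: str     # the normalised indicator that matched


def extract_candidates(line):
    """Yield (kind, token) for every IP, hostname and hash-looking token in a log line."""
    lower = line.lower()
    yield from (("ip", m) for m in IP_RE.findall(lower))
    yield from (("domain", m) for m in DOMAIN_RE.findall(lower))
    yield from (("hash", m) for m in HASH_RE.findall(lower))


def scan_logs(lines, iocs):
    """Return a Hit for every log line containing an indicator, in log order."""
    lookup = {
        "ip": iocs.get("ip", set()),
        "domain": iocs.get("domain", set()),
        # MD5 and SHA256 are pooled: the token length already distinguishes them.
        "hash": iocs.get("md5", set()) | iocs.get("sha256", set()),
    }
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, candidate in extract_candidates(line):
            if candidate in lookup[kind]:
                hits.append(Hit(n, kind, candidate))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_ioc_feed(IOC_FEED)):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.value}")
```

On the constructed input this reports four hits (the proxy connection to the listed IP, the two DNS lookups of listed domains, and the EDR file hash); the fourth proxy line, which goes to an address not in the feed, is silent. Matching is exact set membership after normalization, so a single stray character in a hand-copied indicator means a missed hit, which is why the feed is refanged and lowercased in one place rather than at each comparison.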
If you need assistance, please contact us.
Information for this post came from CERT.