On March 15, 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint Technical Alert on Russian government cyber activity targeting organizations in the energy, marine, aviation and other manufacturing sectors.
This DHS & FBI Technical Alert seeks to educate network defenders and enhance their ability to identify and reduce exposure to malicious activity by providing a thorough walkthrough of how an organization’s cybersecurity becomes at risk, together with recommendations for detection and prevention. DHS and FBI characterized these cyber activities as a “multi-stage intrusion campaign by Russian government cyber actors” aimed at gaining access to an organization’s network controls.
Stage 1 of the campaign is reconnaissance. Cyber actors deliberately select “staging targets”, organizations that hold preexisting relationships with the intended targets, by reviewing publicly available information. Using what appears to be innocuous information, such as a small photo from a human resources page, the cyber actors can gather operationally sensitive details to initiate the next stage of their attack.
Stage 2 of the campaign is weaponization. Using compromised information from vulnerable staging targets, cyber actors develop targeted spear-phishing emails or watering hole domains to formulate their attack against the intended targets.
Stage 3 is delivery. Cyber actors used spear-phishing emails that, for example, carried a generic contract agreement theme (e.g. “AGREEMENT & Confidential”) and a generic PDF document titled ``document.pdf (note in particular the two backticks at the start of the name as a sign of a potentially harmful document). The PDF itself was not malicious and did not contain any active code. Rather, the document had a shortened URL that, when clicked, led users to a website that prompted them for their email address and password. Cyber actors have also used, and continue to use, spear-phishing emails to target industrial control systems personnel to gain access to critical network controls.
Stage 4 is exploitation. By using distinct and unusual tactics, techniques, and procedures, cyber actors exploit vulnerable staging targets. For instance, links in the emails would lead through successive redirects, with an ultimate redirect to a website that contained input fields for an email address and password and mimicked a legitimate login page. Another commonly used tactic to capture user credentials is through malicious .docx files. These files connect to a command and control server, usually owned by the cyber actors, and prompt users to authenticate to the domain with their username and password.
Stage 5 is installation. Once cyber actors have obtained compromised credentials to access a victim’s network, they create local administrator accounts within the staging target network and begin placing malicious files within the intended targets. While inside, cyber actors use password cracking and downloader tools to harvest as much information as possible from the intended target. Cyber actors can also manipulate LNK files, commonly known as Microsoft Windows shortcut files, to repeatedly gather user credentials.
Stage 6 is the command and control phase where cyber actors create web shells on the intended target’s publicly accessible email and web servers. These serve as templates to further infiltrate the intended target’s networks.
Stage 7 is actions on objectives. Once cyber actors control the infrastructure of staging targets, they leverage remote access services and programs such as VPN, RDP, and Outlook Web Access to connect to the intended targets. Upon gaining access to the intended targets, cyber actors begin internal reconnaissance and siphon off sensitive information using various scripts and commands. To avoid detection, cyber actors create new accounts to perform cleanup operations that cover their tracks, making any response to an ongoing attack more difficult.
To prevent these cyber-attacks, DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA/Snort signatures provided in the alert, and watch for them as signs that malicious activity is occurring within their organization. Reviewing network perimeter netflow will also help determine whether a network has experienced suspicious activity. A full list of preventative measures can be found in the joint Technical Alert.
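As an added illustration of the netflow review recommended above (example code written for this summary, not part of the alert), the script below checks constructed netflow-style records against a placeholder indicator list and also flags inbound RDP from outside the perimeter, one of the remote access paths described in Stage 7. The indicator values, internal ranges and record format are all assumptions; substitute the alert's published lists and your own export format.

```python
"""Match constructed netflow records against placeholder indicators (none are real IoCs)."""
import ipaddress
from collections import Counter

# Placeholder indicators, constructed for this example; replace with the alert's lists.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
IOC_DOMAINS = {"staging-login.example", "docs-portal.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INBOUND_REVIEW_PORTS = {3389: "rdp"}  # remote access services worth reviewing when reached from outside

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str):
    """Parse 'ts,src_ip,src_port,dst_ip,dst_port,proto,bytes,dns_name'; dns_name may be empty."""
    parts = line.strip().split(",")
    if len(parts) != 8 or parts[0].startswith("#"):
        return None
    ts, src, _sport, dst, dport, proto, nbytes, dns = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto,
            "bytes": int(nbytes), "dns": dns.lower()}

def review_flows(lines, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return (findings, per_host): findings are (reason, internal_host, detail) tuples and
    per_host counts findings per internal host so triage can start with the noisiest one."""
    findings, per_host = [], Counter()
    for rec in filter(None, map(parse_flow, lines)):
        inside = rec["src"] if is_internal(rec["src"]) else rec["dst"]
        outside = rec["dst"] if inside == rec["src"] else rec["src"]
        if outside in ioc_ips:
            findings.append(("ioc_ip", inside, outside))
        # Match the indicator domain itself and any subdomain of it.
        if rec["dns"] and any(rec["dns"] == d or rec["dns"].endswith("." + d) for d in ioc_domains):
            findings.append(("ioc_domain", inside, rec["dns"]))
        if rec["dport"] in INBOUND_REVIEW_PORTS and not is_internal(rec["src"]) and is_internal(rec["dst"]):
            findings.append(("external_" + INBOUND_REVIEW_PORTS[rec["dport"]], inside, outside))
    for _, host, _ in findings:
        per_host[host] += 1
    return findings, per_host

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    "2018-03-15T10:01:02,10.1.2.3,51000,203.0.113.10,443,tcp,1234,",
    "2018-03-15T10:02:10,10.1.2.3,51001,192.0.2.5,80,tcp,800,www.staging-login.example",
    "2018-03-15T10:03:44,10.1.9.9,51002,192.0.2.80,443,tcp,500,update.example.org",
    "2018-03-15T10:05:00,198.51.100.7,40000,10.1.5.5,3389,tcp,9000,",
    "2018-03-15T10:06:00,10.1.5.5,50000,10.1.7.7,3389,tcp,9000,",  # internal RDP, not flagged
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS)[0]:
        print(*finding)
```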