Advanced persistent threat activity targeting energy and other critical infrastructure sectors

The US government has released a rare technical alert warning that hackers are ramping up their efforts to compromise systems across the energy, nuclear, water, aviation, and manufacturing sectors.

A new report from the Department of Homeland Security and the FBI confirms a “multi-stage intrusion campaign” is being conducted by threat actors targeting low security and small networks in order to gain access and move laterally to major, high-value networks in the energy sector.

Based on malware analysis and observed indicators of compromise, DHS said the advanced persistent threat (APT) is still ongoing, and that hackers are “actively pursuing their objectives of a long-term campaign”.

“Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks,” DHS said.

“Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict.”

According to DHS, the threat actors are employing a variety of tactics, techniques, and procedures in order to gain access to high-value systems, including open-source reconnaissance, spear phishing emails, watering-hole domains, host-based exploitation, and industrial control system targeting.

“The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity,” DHS stated.

“Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. Specifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network.”

In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities, said DHS.

“This APT actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”

The 16-page technical alert is intended to help educate network defenders and enable them to identify and reduce exposure to malicious activity.

DHS said it encouraged those who could identify the use of tools or techniques discussed in its alert to report their information to law enforcement immediately.