On October 20, 2017, US-CERT issued Alert TA17-293A, "Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors," based on joint analysis by DHS and the FBI. The alert warned of APT activity against government entities and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors.
This came as no surprise to most industry observers, as threat intelligence firms such as CrowdStrike and Symantec have been alerting on similar activity since last July.
But some of the threat intelligence data I have seen certainly gave me pause: long-followed threat actors have clearly stepped up their APT activity since the start of 2017 across multiple sectors. For example, CrowdStrike has tracked a group it calls BERSERK BEAR since 2014, and reported concentrated activity by this actor throughout 2017 across the energy, financial, defense industrial base, government and transportation sectors.
Diskin Advanced Technologies (DAT), based in Israel, has similarly observed highly organized global threats against several industrial sectors, including energy (see Figure 1). DAT believes the activity could be the result of an adversary's detailed mapping of the targeted energy companies' managed services and supply chain, which would then be used as attack vectors.
Figure 1: Targeted sectors and countries in a highly organized and advanced threat campaign against critical infrastructure. Source: Diskin Advanced Technologies
Several different threat actors and groups, some seemingly more organized and advanced than others, are targeting the energy sector. Symantec identified the threat actor Dragonfly as actively targeting the energy sector (see Dragonfly: Western energy sector targeted by sophisticated attack group). DAT found that five other energy-sector campaigns, published under the names Shamoon, Magic Hound, APT33, NewsBeef and StoneDrill, correlated to the same threat actors' activities, and that their activity crossed Iranian, Chinese and other hacker forums.
It's crystal clear that the energy and adjacent sectors are being heavily targeted, and at least two separate, highly methodical nation-state actors appear to have their sights on these sectors, especially in Europe, the U.S., South Korea, Russia, India, the UAE and Australia, with different actors targeting different countries. What these actors are ultimately doing is not clear, but I think it's safe to assume they are heavily engaged in reconnaissance that could lead to subsequent steps in the kill chain.
What can be done?
There is no shortage of technology solutions to ward off these attacks, provided organizations align their processes and priorities to implement and manage them.
I was in Boston yesterday and saw some innovative approaches to endpoint security that model or map the "good" applications and processes running on endpoints, so that anything not on the "good" list is an exception the organization must explicitly note and act on. These solutions, offered by the startups Digital Immunity (which maps the good applications and processes within an organization for validation) and Barkly Protects (which uses machine learning to model "good" applications within an organization alongside "bad" applications seen across organizations), should make a sound security practice, conceptually similar to application whitelisting, easier to implement. The hard part in practice is keeping the "good" baseline current through patching and software updates, and triaging the exceptions it produces rather than silently approving them.
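As an added illustration of the exception-based model just described (example code written for this page, not from Digital Immunity, Barkly or the original post): a minimal hash-based allowlist audit. It baselines the SHA-256 of every sanctioned executable, then reports anything a hypothetical endpoint agent observes running that the baseline does not explain. The binary contents, paths and host names below are constructed stand-ins, and the severity labels are this example's own convention.

```python
"""Hash-based application allowlist audit (constructed example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One running process as a hypothetical endpoint agent might report it."""
    host: str
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(approved: dict) -> dict:
    """approved maps path -> file bytes of every sanctioned executable.
    The baseline is keyed by hash so a renamed copy is still recognised."""
    return {sha256_hex(content): path for path, content in approved.items()}


def audit(baseline: dict, observations) -> list:
    """Return (severity, reason, observation) for everything the baseline
    does not explain. Unknown code is the exception the text describes;
    a known hash in an unexpected location is reported at low severity."""
    approved_paths = set(baseline.values())
    findings = []
    for obs in observations:
        if obs.sha256 in baseline:
            if obs.path != baseline[obs.sha256]:
                findings.append(("low", "approved binary running from unexpected path", obs))
            continue  # exact match on hash and path: nothing to report
        if obs.path in approved_paths:
            # Same path as a sanctioned binary but different content: replaced or tampered.
            findings.append(("high", "approved path but unapproved hash", obs))
        else:
            findings.append(("high", "executable not in baseline", obs))
    return findings


# Constructed file contents standing in for real binaries.
APPROVED = {
    r"C:\Windows\System32\svchost.exe": b"svchost build 1",
    r"C:\Program Files\ERP\erpclient.exe": b"erp client build 7",
}

# Constructed agent telemetry: two clean hosts, one with a replaced svchost
# and an unknown dropper, one running a sanctioned binary from C:\Temp.
OBSERVED = [
    Observation("WS-042", r"C:\Windows\System32\svchost.exe", sha256_hex(b"svchost build 1")),
    Observation("WS-042", r"C:\Program Files\ERP\erpclient.exe", sha256_hex(b"erp client build 7")),
    Observation("WS-077", r"C:\Windows\System32\svchost.exe", sha256_hex(b"trojanised svchost")),
    Observation("WS-077", r"C:\Users\Public\update.exe", sha256_hex(b"dropper")),
    Observation("WS-101", r"C:\Temp\erpclient.exe", sha256_hex(b"erp client build 7")),
]


def run_example():
    return audit(build_baseline(APPROVED), OBSERVED)


if __name__ == "__main__":
    for severity, reason, obs in run_example():
        print(f"{severity.upper():4} {obs.host} {obs.path}: {reason}")
```

Keying the baseline by hash rather than by path is what catches the replaced svchost.exe: a path-only allowlist would have waved it through. The low-severity finding for the sanctioned binary in C:\Temp is the kind of exception the text says must be explicitly noted; whether it is acceptable is a policy question, not something the audit should decide.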
Organizations of all sizes and across all sectors must be vigilant, because these state actors cross many sectors in their efforts. The same platforms and techniques used to attack the energy sector are used against healthcare, transportation, aviation, utilities and chemical organizations, to name a few. Attackers are time-stretched like the rest of us, and when they find a technique that works, they repeat it as often as possible.
US-CERT's alert includes actionable IOCs, network signatures (Snort), host-based rules (YARA) and other detailed pattern information that can be loaded into an organization's security systems to detect and block this activity. They should go a long way toward stopping it, at least for now: IP addresses, domains and file hashes are the cheapest things for an actor to change, so expect the IOCs to age quickly and treat the behavioral and signature content as the longer-lived part of the alert.
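An added example of the ingestion step (written for this page; not code from the alert or the original post): normalising a plain-text indicator list and matching it against local logs. The indicators, the key=value log format and the log lines below are all constructed using reserved example domains and documentation IP ranges; none of the real alert's IOCs are reproduced. It handles two things that trip up a naive grep: defanged indicators such as "bad[.]example", and domain matching on label boundaries so that "notbad.example" does not match "bad.example".

```python
"""Matching a published IOC list against local logs (constructed example)."""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

HEX_HASH = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA-1 / SHA-256


def refang(text: str) -> str:
    """Undo common defanging used in published indicator lists."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(feed: str):
    """Split a plain-text indicator list into normalised domain, IP and hash sets."""
    domains, ips, hashes = set(), set(), set()
    for raw in feed.splitlines():
        line = refang(raw.strip()).lower()
        if not line or line.startswith("#"):
            continue
        if HEX_HASH.fullmatch(line):
            hashes.add(line)
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, ips, hashes


def match_domain(hostname: str, domains: set):
    """Return the indicator that hostname equals or is a subdomain of, else None.
    Walks label boundaries so 'notbad.example' does not match 'bad.example'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def parse_kv(line: str) -> dict:
    """Parse the constructed 'key=value key=value' log format used below."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def scan(log_lines, iocs) -> list:
    """Return one hit per (line, indicator kind) where a log field matches an IOC."""
    domains, ips, hashes = iocs
    hits = []
    for n, line in enumerate(log_lines):
        f = parse_kv(line)
        if "url" in f:
            host = urlsplit(f["url"]).hostname or ""
            d = match_domain(host, domains)
            if d:
                hits.append({"line": n, "host": f.get("host"), "kind": "domain", "ioc": d})
        dst = f.get("dst")
        if dst and dst in ips:
            hits.append({"line": n, "host": f.get("host"), "kind": "ip", "ioc": dst})
        h = f.get("sha256", "").lower()
        if h and h in hashes:
            hits.append({"line": n, "host": f.get("host"), "kind": "hash", "ioc": h})
    return hits


# Constructed sample hash: the SHA-256 of an arbitrary byte string, not a real malware hash.
SAMPLE_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()

IOC_FEED = f"""
# Constructed indicators for this example; not taken from TA17-293A.
bad[.]example
203.0.113.7
{SAMPLE_HASH.upper()}
"""

# Constructed proxy and file-event log lines in the key=value format parsed above.
LOG_LINES = [
    "2017-10-21T10:15:02Z event=proxy host=WS-042 dst=203.0.113.7 url=http://cdn.bad.example/login.php",
    "2017-10-21T10:16:40Z event=proxy host=WS-042 dst=198.51.100.20 url=https://intranet.corp.example/",
    "2017-10-21T10:18:11Z event=proxy host=WS-077 dst=192.0.2.55 url=http://notbad.example/",
    "2017-10-21T10:20:00Z event=file host=WS-042 path=C:\\Users\\Public\\svchost.exe sha256=" + SAMPLE_HASH,
]


def run_example():
    return scan(LOG_LINES, load_iocs(IOC_FEED))


if __name__ == "__main__":
    for hit in run_example():
        print(hit)
```

Only the first and last lines should fire: the first on both its destination IP and its URL host, the last on the file hash. The uppercase hash in the feed and the bracketed dot are normalised away on load, which is where most hand-rolled IOC matching quietly fails.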
Surely no one needs to be left in the dark.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.