Cyber-wargames between the US and Russia: US infrastructures under attack from Moscow since 2016. We read the information released on March 15 by the Department for National Security.
The cyber-war between the US and Russia takes a leap. We propose a summary of the technical alert issued on March 15 by US-CERT (body operating within the Department for National Security), relating to the Russian cyber-warfare campaign against the United States since 2016. The report, quite detailed, portraits a disturbing picture. We are facing a large-scale cyber-war operation that was being run for several months, with the US energy grid as a primary target. The damages caused to the American infrastructures are, at least in economic terms, very significant.
The document speaks of an actual threat, capable of hitting critical sectors such as nuclear energy and water supply. The report points out two facts: the first is that the attack was certainly originated from Moscow; the second is that it was a deliberate and highly coordinated cyber-war operation, with the initial objective of gathering information about the US energy grid IT system.
The hackers first targeted the LANs of small commercial structures through SPEAR phishing (Sophisticated Penetration, Exploitation, Analysis, and Response). From these, through the use of malware, they have obtained remote access to the energy networks. Later on, Russian cyberspies conducted a series of reconnaissances across all US telematic networks, in order to gather information on the American industrial control systems. These cyber-war operations lasted for almost two years.
How the threat was analyzed
In order to analyze and dissect the malicious cyber-activity described in the document, the Lockheed-Martin Cyber Kill Chain model was used. The cyber attack is represented by breaking it down into a series of phases in a chronological sequence:
- reconnaissance
- weaponization
- delivery
- exploitation
- installation
- command and control
- actions on the objective
Patrol
In the reconnaissance phase, the hackers pick the organizations to be targeted. The cyberpirates have gathered information on the targets’ networks and their defense systems. This is a commonly used tactic in spear-phishing cases. Information published on company websites, especially those that seem harmless, may contain very useful ideas from the hacker’s perspective.
Weaponization
Subsequently, the perpetrators conducted a SPEAR-phishing campaign, making use of e-mail attachments to steal core documents present from the targets. In this case, a Windows’ vulnerability, known as Redirect to SMB, was exploited. This is a typical man-in-the-middle attack: trick users into clicking on a link that causes their browser to authenticate with a remote SMB server controlled by an attacker.
In the average phishing version of this attack, a user receives a message that contains a malicious URL. Windows will interpret requests to these URLs as requests to the remote SMB server, and unless securely configured, will attempt to connect and authenticate with the SMB server as the current user.
This means a vulnerable application, despite having no access to the current user’s credentials, can lead to an authentication attempt with an SMB server controlled by an attacker. For most configurations, these authentication requests will be encrypted, but the supported encryption methods are far from state of the art.
An unsophisticated attacker would be capable of recovering most passwords in a few hours or days depending on available hardware, even in some cases where password policies are applied. These recovered credentials could then be used to authenticate with the victim’s computer or domain.
At this point, the attack continued with the watering hole technique. It consists in infecting a certain service or website and waiting for the designated targets to be infected by the malware when they access this service or site. In particular, the hackers have modified JavaScript and PHP files that make image requests (often icons) for some websites commonly visited by victims, using the SMB protocol from an IP address under their control.
Delivery
The delivery phase consisted of a further spear-phishing operation. The targets were sent an e-mail titled “AGREEMENT & Confidential” and containing a PDF file called “document.pdf. The document, in turn, contained a shortened URL that took users to a website. The e-mail address and password were requested from the user himself.
Exploitation
In the so-called exploitation phase, the threat actors used malicious Docx files to capture users’ credentials. As in the previous phases, these docx documents allowed cybercriminals to seize other files via Redirect to SMB.
Installation
At this point, the attackers already created accounts of local administrators within the target systems and have deployed malicious files. The expedient in this case was also simple: the activation of a line inside an apparently harmless JSP page “symantec_help.jsp”, that runs a native script named “enu.cmd”, designed to create local root accounts and reconfigure the firewall to allow remote access.
Command and control
The threat actors commonly created web shells on the intended targets’ publicly accessible email and web servers.
What were the hackers looking for?
The US-CERT document illustrates the objectives pursued by the cyber-war actors once they have taken control of the target systems. In many cases, pirates had access to the file servers containing sensitive data of energy plants’ control systems. In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems.
Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).
All the profile and configuration information to access the SCI systems on the network have been copied, as well as the Virtual Network Connection (VNC) profiles containing configuration information about access to the ICS systems. Here, for example, is one of the interfaces accessed by the actors of the attack.