Critical Infrastructure Attacks Ongoing

Monday, July 10, 2017 @ 05:07 PM gHale

Attacks on energy facilities in the U.S. that have recently made the news, though they have been going on for some time, used an approach called template injection, researchers said.

While attacks against energy companies like nuclear plants are nothing new, they did garner some attention when The New York Times obtained a joint report issued by the Department of Homeland Security and the FBI warning of cyberattacks targeting manufacturing plants, nuclear power stations and other energy facilities in the U.S. and elsewhere.


The attacks hit the business and administrative side of systems at at least a dozen power firms in the United States, including the Wolf Creek nuclear facility in Kansas.

The campaign has been active since at least May and an initial investigation showed the techniques used by the hackers were similar to ones associated with a Russia-linked threat actor tracked as Crouching Yeti, Energetic Bear and Dragonfly, according to the FBI/DHS report the Times obtained.

“The U.S. has to assume that all parts of critical infrastructure are being probed for vulnerabilities 24 by 7 from a risk management point of view,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “While Information Technology (IT) and Operation technology (OT) that control the electric grid systems and other critical infrastructure are separated, there have been increasing connections that warrant the use of real-time anomaly detection and machine learning. Risk management is an ongoing process. Up to date patching and the use of artificial intelligence and machine learning helps to harden the security that guards industrial control systems.”

The FBI/DHS alert said the attackers sent malicious emails to senior industrial control engineers in an effort to deliver malware designed to harvest credentials and allow them to access the targeted organization’s network.

Researchers at Cisco Talos examined these attacks and found some of the malicious Word documents used by the hackers to gain access to the targeted organization’s network. The attacks focused on critical infrastructure firms around the world, but the primary targets appear to be the United States and Europe.

The malicious documents, disguised as resumes and environmental reports, don’t rely on traditional methods, such as VBA macros or other embedded scripts, to deliver malware, the researchers said. Instead, when the victim opens the phony document, a template file is loaded from an attacker-controlled SMB server while Word is in the process of launching.

Loading the template file in what is known as a template injection attack allowed the attackers to silently harvest SMB credentials.
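For defenders, the template reference described above is visible in the document package before Word ever opens it. The following is an added example, not code from the article, Talos or the FBI/DHS report: it scans a .docx (a ZIP package) for an attached-template relationship whose target is a remote host. The function names and the host `fileserver.example` are assumptions made for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for a Word document's attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/"
                     "2006/relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# UNC path or URL with a host part; file:///C:/... (empty host) is local.
REMOTE = re.compile(r"^(\\\\|//|(file|smb|https?)://[^/])", re.IGNORECASE)

def remote_templates(docx_bytes):
    """Return (part, target) for each attached template fetched from a remote host."""
    try:
        package = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (ZIP) package") from exc
    findings = []
    with package:
        for name in package.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(package.read(name))
            except ET.ParseError:
                continue  # malformed part: skip it, keep scanning
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and REMOTE.match(target)):
                    findings.append((name, target))
    return findings

def constructed_package(target):
    """Constructed sample (placeholder host): ZIP holding only the relationships part."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/'
            'package/2006/relationships"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    sample = constructed_package("file://fileserver.example/share/Template.dotm")
    print(remote_templates(sample))
```

Some organizations legitimately host templates on internal file shares, so a hit is a triage signal to compare against known file servers rather than proof of compromise.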
