The US Dept. of Homeland Security’s Computer Emergency Readiness Team (CERT) issued the Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors on Friday 10/20/17, warning CNI firms (esp. nuclear power and other energy providers, water, aviation, and critical manufacturing sectors) that they are at increased risk of “highly targeted” staged attacks by the Dragonfly APT group, which may attempt to gain operational control for data exfiltration. Two senior Virsec Systems experts offer perspective on the threat and CERT response. IT security experts commented below.
“While the DHS warnings are warranted, their specific security recommendations are inadequate. The security mindset of watching for anomalies at the perimeter often becomes the equivalent of closing the barn door after the horses have bolted. Perimeters are inevitably porous, and the air-gaps that many ICS systems were designed around have disappeared. Our security focus needs to shift from the network perimeter to the applications themselves. By closely monitoring application flows, processes and memory, you can spot unusual behavior at the source and take action faster and more surgically, before damage occurs or spreads.”
Edgard Capdevielle, CEO at Nozomi Networks:
“The latest alert by DHS on the Dragonfly APT confirms the risk that this advanced persistent threat (APT) continues to pose to critical infrastructure operators and manufacturers. One dimension of defence is that the attacks take time and use multiple approaches to gain information, access and data exfiltration capabilities. If system irregularities can be detected during these phases, the attack can be stopped before valuable information is stolen or processes are disrupted. Passive ICS monitoring solutions that detect communication and process variable anomalies, check for malware signatures using YaraRules and SNORT (recommended by DHS) and aggregate and correlate the results, provide fast detection of threats like Dragonfly plus the information needed to stop and mitigate its impacts.”
Kevin Livelli, Director of Threat Intelligence at Cylance:
“The warnings from the US government are new, but researchers at Cylance have been tracking this threat actor and its operations for years, watching a sustained campaign evolve and its list of targets lengthen and reach across the globe. We believe the group responsible is the same one known within the security community by the names “Energetic Bear,” “Crouching Yeti,” and “Dragonfly,” and which in recent months has been identified by the US government as likely tied to the Russian military and civilian intelligence services.
“After this threat actor’s operations were initially exposed in 2013 and 2014 in a series of widely discussed research reports, Cylance observed the campaigns go dark for a period of about a year, during which time we believe the group was retooling. Then, beginning in 2015 – before US energy companies became a target – energy companies, both nuclear and oil, in other countries were similarly compromised. It has already been reported that facilities in Ireland and Turkey were among them. But Cylance research has uncovered additional targets from the same time period, the most notable of which is a large mining and power company in Kazakhstan.
“More recently, our researchers at Cylance have discovered that a core Cisco router relied upon by one of Vietnam’s largest oil rig manufacturers was compromised by the same threat group in an endeavour to harvest credentials that were later used to successfully compromise a handful of energy companies in the UK. This is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated. While the end goals of these campaigns can only be speculated upon, their very existence across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely upon their critical services.”
Atiq Raza, CEO at Virsec Systems:
“These threats highlight an increasing risk. Rather than directly attacking high security networks, hackers are doing careful reconnaissance of connect third-parties, staging servers or watering holes for insiders. Once hackers steal credentials, or finds a less secure backdoors they can quickly pivot to more secure servers, bypassing traditional network perimeter security. IT security needs to assume the perimeter is porous and focus more directly on guarding sensitive applications and data.”