On March 15, 2018, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a joint Technical Alert (TA), TA18-074A, providing information on Russian government actions targeting U.S. critical infrastructure organizations, including the energy, nuclear, water, aviation and critical manufacturing sectors. The TA includes Indicators of Compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.
What can we learn from TA18-074A?
According to the TA, the threat actors targeted small commercial facilities’ networks to stage malware and used a variety of TTPs including spear phishing, watering hole domains, open source and network reconnaissance, host-based exploitation and credential gathering to collect information pertaining to Industrial Control Systems (ICS).
The entry points were in the IT networks or in trusted third parties with less secure networks. Through pivoting and lateral movement, the threat actors were able to reach the ultimate objective, the ICS/SCADA network.
IT and OT Collaboration
This is a complex attack by a sophisticated set of threat actors with very clear objectives. Thwarting this type of persistent attacker requires the Enterprise/IT Security Operations Center and the Operational Technology/ICS asset and network owners to collaborate and share information on what is being observed in both IT and OT networks.
Phishing Emails and Watering Hole Domains
On the IT side, continuing to educate all employees about phishing emails, and following up with regular drills to remind them to stay vigilant, are security best practices.
In this attack, we see the use of staging targets as watering holes. The staging targets were not the ultimate objective, but rather trusted organizations with weak security infrastructure that could be compromised. Once compromised, the staging targets were used for credential harvesting, just as the phishing emails were. According to the TA, legitimate websites hosting ICS content were altered to contain and reference malicious content.
The threat actors leveraged compromised credentials to gain access to intended target networks that were not protected by multi-factor authentication.
Protecting VPN servers and other internet-accessible entry points with multi-factor authentication is a fundamental practice for preventing attackers from gaining entry into corporate networks.
Local Accounts, Domain Controllers
Once inside the staging networks, the threat actors created local accounts to maintain a persistent presence. They used VPN access from the staging servers to the intended target servers. Registry modification, password cracking tools and internal reconnaissance to reach domain controllers helped the attackers get from the point of entry to the ICS systems on the intended victim's network.
Continuous Monitoring with Industrial Defender ASM
A sophisticated, multi-pronged, long-term attack such as this requires constant and continuous vigilance in both IT and OT networks. Automatically monitoring your environment for configuration changes and network changes is one way to observe changes quickly and respond as required.
Industrial Defender ASM is a configuration and event monitoring solution for ICS environments. Customers using the ASM solution in their ICS environments can use its capabilities to look for TTPs known to be used by this and other threat actors.
Figure 1 - ASM Dashboard with widgets for ICS Monitoring
Following are some steps that users can take to stay vigilant:
- Update to the latest SNORT signatures once we make them available for Industrial Defender NIDS.
- Monitor ASM Event Management for the following:
- Identifying deleted logs: The attackers cleared logs as an evasive tactic and to cover their tracks. Ensure your Windows systems are running the ASM Audit Logs/ Logs Cleared Logical Rule. Review deleted logs by running a query from ASM Event Management for Metric Category = Audit Logs and Metric Name = Logs Cleared and the Asset Groups/Assets within scope.
Figure 2 - ASM Events Screen showing Audit Log Deletions (Windows Event ID - 104)
- Identify New Admin Accounts: The attackers established administrator and guest user accounts locally on compromised assets. Monitor for new user accounts added by tracking these events on the ASM dashboard. Periodically review the details of the User Accounts/ Users Added events in the ASM Event Management screens.
Figure 3 - ASM Event Metrics to track local user account changes
- Unusual Login Activity: Use ASM Event Management to monitor unusual login activity on endpoints and VPN servers. Additional business logic rules can be added to specify off-hours and create high-priority alerts.
- Monitor Asset Configuration Baselines using ASM Change Management:
- User Account Changes: ASM tracks changes to the asset baseline, including any exceptions/deviations in local Administrator and User accounts. Stay alert to any additions to, or deletions from, local user accounts.
- Installed Software Changes: Attackers downloaded additional software, such as a VPN client and Python packages. Use ASM to track changes in installed software.
Figure 4 - ASM Change Detection Screen Showing changes to Installed Software
- Firewall Policy Changes: The threat actors de-activated local firewalls as they were moving laterally within the intended target networks. ASM Change Management tracks the firewall policies configured on the endpoint (Windows or a Firewall itself). Use ASM to track deviations, especially local Windows Firewall policies.
Figure 5 - ASM Change Detection Screen Showing New Firewall Rules Added
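The event-monitoring steps above (cleared logs, new local accounts, additions to privileged groups, off-hours remote logins) map directly onto a small set of Windows event IDs. The following is an added example of that detection logic, written for this post and not code from Industrial Defender ASM; it runs over constructed event records rather than ASM data. Event ID 104 is the one the post cites; 1102 (Security log cleared), 4720 (user account created), 4732 (member added to a security-enabled local group) and 4624 (successful logon) are standard Windows Security event IDs. The record layout, the business-hours window and the escalation threshold are assumptions.

```python
"""Detection rules for the TA18-074A endpoint tradecraft, run over constructed
Windows event records (synthetic data, not from any real incident)."""
from collections import defaultdict
from datetime import datetime

# Assumed local business window for the "off-hours" rule, 24h clock.
BUSINESS_HOURS = (7, 19)
# Local groups whose membership changes are treated as privilege escalation.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
# Logon types that indicate a remote session: 3 = network, 10 = RemoteInteractive.
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample events: one dict per event, fields as a SIEM would extract them.
SAMPLE_EVENTS = [
    {"time": "2018-03-10T02:14:00", "host": "HIST01", "id": 4624,
     "user": "svc_backup", "logon_type": 10, "src_ip": "10.20.5.7"},
    {"time": "2018-03-10T02:16:30", "host": "HIST01", "id": 4720,
     "user": "support", "subject": "svc_backup"},
    {"time": "2018-03-10T02:17:02", "host": "HIST01", "id": 4732,
     "user": "support", "group": "Administrators", "subject": "svc_backup"},
    {"time": "2018-03-10T09:30:00", "host": "ENG02", "id": 4624,
     "user": "jdoe", "logon_type": 2, "src_ip": "-"},          # console logon, benign
    {"time": "2018-03-10T02:40:11", "host": "HIST01", "id": 104,
     "user": "support", "channel": "System"},
    {"time": "2018-03-10T02:40:12", "host": "HIST01", "id": 1102,
     "user": "support", "channel": "Security"},
]


def is_off_hours(timestamp: str) -> bool:
    """True when the ISO-8601 timestamp falls outside BUSINESS_HOURS."""
    hour = datetime.fromisoformat(timestamp).hour
    start, end = BUSINESS_HOURS
    return not (start <= hour < end)


def evaluate(events):
    """Apply the per-event rules; return one alert dict per match."""
    alerts = []
    for e in events:
        eid = e["id"]
        rule = severity = detail = None
        if eid in (104, 1102):
            rule, severity = "log_cleared", "high"
            detail = f"{e['channel']} log cleared by {e['user']}"
        elif eid == 4720:
            rule, severity = "local_user_created", "medium"
            detail = f"account {e['user']} created by {e['subject']}"
        elif eid == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            rule, severity = "privileged_group_add", "high"
            detail = f"{e['user']} added to {e['group']} by {e['subject']}"
        elif (eid == 4624 and e.get("logon_type") in REMOTE_LOGON_TYPES
              and is_off_hours(e["time"])):
            rule, severity = "off_hours_remote_logon", "medium"
            detail = f"{e['user']} logon type {e['logon_type']} from {e['src_ip']}"
        if rule:
            alerts.append({"time": e["time"], "host": e["host"], "rule": rule,
                           "severity": severity, "detail": detail})
    return alerts


def escalate(alerts, min_distinct_rules=3):
    """Hosts on which at least min_distinct_rules different rules fired.

    The TA describes a chain (remote logon, local account creation, admin
    group addition, log clearing) on a single host; seeing several of these
    together is far more significant than any one alone."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in rules_by_host.items()
                  if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']} {a['host']:7} {a['severity']:6} {a['rule']:24} {a['detail']}")
    print("escalated hosts:", escalate(found))
```

On the sample data the console logon on ENG02 during business hours produces nothing, while HIST01 trips four distinct rules within half an hour and is escalated; in a real deployment the off-hours window and the privileged-group list would be set per site.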
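The change-management steps above rest on one operation: comparing a current configuration snapshot of an asset against its approved baseline and flagging every deviation in local accounts, installed software and firewall policy. The following is an added example of that baseline diff, written for this post and not Industrial Defender ASM code; the snapshot structure, the asset names and the software names are constructed, and the severity ranking is an assumption.

```python
"""Baseline-versus-current configuration diff for an ICS endpoint, using
constructed snapshots (synthetic data, not collected from any real asset)."""

# Assumed baseline snapshot for a historian server, as approved by the asset owner.
BASELINE = {
    "asset": "HIST01",
    "local_users": {"Administrator", "Guest", "opsuser"},
    "local_admins": {"Administrator"},
    "software": {"Historian Server": "7.1", "Endpoint AV": "12.3"},
    "fw_profiles": {"Domain": True, "Private": True, "Public": True},
    "fw_rules": {
        "Allow Historian OPC": {"direction": "in", "action": "allow", "enabled": True},
    },
}

# Constructed "current" snapshot showing the kinds of changes the TA describes:
# a new local admin, a VPN client and Python installed, a firewall profile
# disabled and a new inbound allow rule.
CURRENT = {
    "asset": "HIST01",
    "local_users": {"Administrator", "Guest", "opsuser", "support"},
    "local_admins": {"Administrator", "support"},
    "software": {"Historian Server": "7.1", "Endpoint AV": "12.3",
                 "Example VPN Client": "1.0", "Python": "2.7.14"},
    "fw_profiles": {"Domain": False, "Private": True, "Public": True},
    "fw_rules": {
        "Allow Historian OPC": {"direction": "in", "action": "allow", "enabled": True},
        "Remote Desktop (constructed)": {"direction": "in", "action": "allow", "enabled": True},
    },
}


def _set_diff(category, before, after, deviations):
    """Record added/removed members between two sets under one category."""
    for item in sorted(set(after) - set(before)):
        deviations.append({"category": category, "change": "added", "item": item})
    for item in sorted(set(before) - set(after)):
        deviations.append({"category": category, "change": "removed", "item": item})


def diff_baseline(baseline, current):
    """Return every deviation of current from baseline as a list of dicts."""
    deviations = []
    _set_diff("local_user", baseline["local_users"], current["local_users"], deviations)
    _set_diff("local_admin", baseline["local_admins"], current["local_admins"], deviations)

    b_sw, c_sw = baseline["software"], current["software"]
    _set_diff("software", b_sw, c_sw, deviations)
    for name in sorted(set(b_sw) & set(c_sw)):
        if b_sw[name] != c_sw[name]:               # version drift on known software
            deviations.append({"category": "software", "change": "version",
                               "item": f"{name} {b_sw[name]} -> {c_sw[name]}"})

    for profile, enabled in baseline["fw_profiles"].items():
        now = current["fw_profiles"].get(profile)
        if now != enabled:
            deviations.append({"category": "fw_profile",
                               "change": "disabled" if not now else "enabled",
                               "item": profile})

    b_rules, c_rules = baseline["fw_rules"], current["fw_rules"]
    _set_diff("fw_rule", b_rules, c_rules, deviations)
    for name in sorted(set(b_rules) & set(c_rules)):
        if b_rules[name] != c_rules[name]:
            deviations.append({"category": "fw_rule", "change": "modified", "item": name})
    # Attach the rule definition to added rules so severity can be judged.
    for d in deviations:
        if d["category"] == "fw_rule" and d["change"] == "added":
            d["rule"] = c_rules[d["item"]]
    return deviations


def severity(deviation):
    """Assumed ranking: changes that widen access or blind the host are high."""
    cat, change = deviation["category"], deviation["change"]
    if cat == "local_admin" and change == "added":
        return "high"
    if cat == "fw_profile" and change == "disabled":
        return "high"
    if cat == "fw_rule" and change == "added":
        rule = deviation["rule"]
        if rule["direction"] == "in" and rule["action"] == "allow" and rule["enabled"]:
            return "high"
    return "medium"


def high_severity(deviations):
    return [d for d in deviations if severity(d) == "high"]


if __name__ == "__main__":
    for d in diff_baseline(BASELINE, CURRENT):
        print(f"{severity(d):6} {d['category']:11} {d['change']:9} {d['item']}")
```

Running it against the two snapshots lists six deviations, three of them high: the new local administrator, the disabled Domain firewall profile and the new inbound allow rule, which is the pattern to review first when an asset drifts from its baseline.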
ASM Policy Management
The ASM solution comes with several sets of security policies that can be used to maintain regular security hygiene. You can run password policy checks, insecure ports and services checks, antivirus signature version checks and many other security best-practice policy checks from the ASM Policy Management application.