TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
Original release date: October 20, 2017 | Last revised: March 15, 2018

Systems Affected

- Domain Controllers
- File Servers
- Email Servers

Overview

This alert has been superseded by newer information. The old alert is provided below for historical reference only. For the newest version, please see TA18-074A.

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks. DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low-security and small networks to gain access and move laterally to networks of major, high-value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity.

For a downloadable copy of IOC packages and associated files, see:

- TA17-293A_TLP_WHITE.csv
- TA17-293A_TLP_WHITE_stix.xml
- MIFR-10127623_TLP_WHITE.pdf
- MIFR-10127623_TLP_WHITE_stix.xml
- MIFR-10128327_TLP_WHITE.pdf
- MIFR-10128327_TLP_WHITE_stix.xml
- MIFR-10128336_TLP_WHITE.pdf
- MIFR-10128336_TLP_WHITE_stix.xml
- MIFR-10128830_TLP_WHITE.pdf
- MIFR-10128830_TLP_WHITE_stix.xml
- MIFR-10128883_TLP_WHITE.pdf
- MIFR-10128883_TLP_WHITE_stix.xml
- MIFR-10135300_TLP_WHITE.pdf
- MIFR-10135300_TLP_WHITE_stix.xml

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.
This APT actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.
DHS and FBI encourage network users and administrators to use the following detection and prevention guidelines to help defend against this activity.

Network and Host-based Signatures

DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.

Detections and Prevention Measures

Users and administrators can detect spear phishing, watering hole, web shell, and remote access activity by comparing all IP addresses and domain names listed in the IOC packages to the following locations:

- network intrusion detection system/network intrusion prevention system logs,
- web content logs,
- proxy server logs,
- domain name server resolution logs,
- packet capture (PCAP) repositories,
- firewall logs,
- workstation Internet browsing history logs,
- host-based intrusion detection system/host-based intrusion prevention system (HIPS) logs,
- data loss prevention logs,
- Exchange server logs,
- user mailboxes,
- mail filter logs,
- mail content logs,
- AV mail logs,
- OWA logs,
- BlackBerry Enterprise Server logs, and
- Mobile Device Management logs.

To detect the presence of web shells on external-facing servers, compare IP addresses, filenames, and file hashes listed in the IOC packages with the following locations:

- application logs,
- IIS/Apache logs,
- file system,
- intrusion detection system/intrusion prevention system logs,
- PCAP repositories,
- firewall logs, and
- reverse proxy.

- Detect spear-phishing by searching workstation file systems, as well as network-based user directories, for attachment filenames and hashes found in the IOC packages.
- Detect persistence in VDI environments by searching file shares containing user profiles for all .lnk files.
- Detect evasion techniques by the threat actors by identifying deleted logs. This can be done by reviewing last-seen entries and by searching for event ID 104 in Windows System logs.
- Detect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially those created recently.
- Detect the malicious use of legitimate credentials by reviewing the access times of remotely accessible systems for all users. Any unusual login times should be reviewed by the account owners.
- Detect the malicious use of legitimate credentials by validating all remote desktop and VPN sessions of any user whose credentials are suspected to be compromised.
- Detect spear-phishing by searching OWA logs for all IP addresses listed in the IOC packages.
- Detect spear-phishing through a network by validating all new email accounts created on mail servers, especially those with external user access.
- Detect persistence on servers by searching system logs for all filenames listed in the IOC packages.
- Detect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1” contained in the IOC packages. (Note: this requires PowerShell version 5, and PowerShell logging must have been enabled before the activity occurred.)
- Detect persistence by reviewing all installed applications on critical systems for unauthorized applications; specifically note FortiClient VPN and Python 2.7.
- Detect persistence by searching for the value “REG_DWORD 100” at registry location “HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount” and the value “REG_DWORD 1” at location “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername”.
- Detect installation by searching all proxy logs for downloads from URIs without domain names.

General Best Practices Applicable to this Campaign:

- Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practices for more information.
- Block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the network.
- Monitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple concurrent logins).
- Deploy web and email filters on the network. Configure these devices to scan for known bad domain names, sources, and addresses; block these before receiving and downloading messages. This action will help to reduce the attack surface at the network’s first level of defense. Scan all emails, attachments, and downloads (both on the host and at the mail gateway) with a reputable anti-virus solution that includes cloud reputation services.
- Segment any critical networks or control systems from business systems and networks according to industry best practices.
- Ensure adequate logging and visibility on ingress and egress points.
- Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. See the FireEye blog post Greater Visibility through PowerShell Logging for more information.
- Implement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.
- Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
- Implement application directory whitelisting. System administrators may implement application or application directory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.
- Block RDP connections originating from untrusted external addresses unless an exception exists; routinely review exceptions for validity.
- Store system logs of mission critical systems for at least one year within a security information and event management (SIEM) tool.
- Ensure applications are configured to log the proper level of detail for an incident response investigation.
- Consider implementing HIPS or other controls to prevent unauthorized code execution.
- Establish least-privilege controls.
- Reduce the number of Active Directory domain and enterprise administrator accounts.
- Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.
- Establish a password policy to require complex passwords for all users.
- Ensure that accounts for network administration do not have external connectivity.
- Ensure that network administrators use non-privileged accounts for email and Internet access.
- Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).
- Implement a process for logging and auditing activities conducted by privileged accounts.
- Enable logging and alerting on privilege escalations and role changes.
- Periodically conduct searches of publicly available information to ensure no sensitive information has been disclosed. Review photographs and documents for sensitive data that may have inadvertently been included.
- Assign sufficient personnel to review logs, including records of alerts.
- Complete independent security (as opposed to compliance) risk review.
- Create and participate in information sharing programs.
- Create and maintain network and system documentation to aid in timely incident response. Documentation should include network diagrams, asset owners, type of asset, and an incident response plan.

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870.
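The first detection step above (comparing the IOC package's IP addresses and domain names against proxy, DNS and similar logs) and the last one (proxy downloads from URIs without domain names) can be scripted against exported log files. The following PowerShell is an added example written for this page; it is not code from the alert or from DHS/FBI. The IOC CSV column names, the log line layouts, and every address and hostname are constructed samples (RFC 5737 test ranges and .example names), not indicators from TA17-293A; in practice the real TA17-293A_TLP_WHITE.csv and your own log exports would be fed in with Get-Content.

```powershell
# Added example, not part of TA17-293A: compare IP/domain indicators against
# exported proxy and DNS logs, and flag proxy downloads whose URI host is a
# bare IP address instead of a domain name. All indicators and log lines are
# constructed samples; the CSV columns "indicator,type" are an assumption.

$iocCsv = @'
indicator,type
203.0.113.45,ipv4-addr
198.51.100.7,ipv4-addr
update-portal.example,domain-name
'@
$iocTable = @{}
foreach ($row in ($iocCsv | ConvertFrom-Csv)) { $iocTable[$row.indicator] = $row.type }

# Constructed proxy log lines (Squid access.log layout: time, elapsed, client,
# result/status, bytes, method, URL, ident, peer, content type).
$proxyLog = @(
    '1508450001.123 45 10.0.0.21 TCP_MISS/200 51200 GET http://203.0.113.45/update/setup.exe - HIER_DIRECT/203.0.113.45 application/octet-stream',
    '1508450002.456 12 10.0.0.22 TCP_HIT/200 2048 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html',
    '1508450003.789 80 10.0.0.23 TCP_MISS/200 31000 GET http://198.51.100.7:8080/img/logo.png - HIER_DIRECT/198.51.100.7 image/png'
)
# Constructed DNS resolution log lines (timestamp, client, query name, type).
$dnsLog = @(
    '2017-10-19 22:13:01 10.0.0.21 query update-portal.example A',
    '2017-10-19 22:13:05 10.0.0.24 query www.example.org A'
)

function Find-IocHits {
    # One record per (line, indicator) match. The lookarounds keep 203.0.113.4
    # from matching inside 203.0.113.45 or inside a longer hostname.
    param([string[]]$Lines, [hashtable]$Indicators, [string]$Source)
    foreach ($line in $Lines) {
        foreach ($ioc in $Indicators.Keys) {
            $pattern = '(?<![\w.-])' + [regex]::Escape($ioc) + '(?![\w.-])'
            if ($line -match $pattern) {
                [pscustomobject]@{ Source = $Source; Indicator = $ioc; Type = $Indicators[$ioc]; Line = $line }
            }
        }
    }
}

function Find-BareIpDownloads {
    # "Downloads from URIs without domain names": the URL host is a literal IPv4.
    param([string[]]$ProxyLines)
    $pattern = '\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*'
    foreach ($line in $ProxyLines) {
        if ($line -match $pattern) {
            $fields = $line -split '\s+'
            [pscustomobject]@{ Client = $fields[2]; IpHost = $Matches[1]; Uri = $Matches[0] }
        }
    }
}

Find-IocHits -Lines $proxyLog -Indicators $iocTable -Source 'proxy' | Format-Table -AutoSize
Find-IocHits -Lines $dnsLog   -Indicators $iocTable -Source 'dns'   | Format-Table -AutoSize
Find-BareIpDownloads -ProxyLines $proxyLog | Format-Table -AutoSize
```

With the sample data, the first two calls return the two proxy lines and the one DNS line that contain an indicator, and the bare-IP check returns the setup.exe and logo.png downloads but not the www.example.org request. The bare-IP check is deliberately independent of the indicator list, since it is meant to surface downloads the IOC package does not yet know about.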
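The host-side items in the detection list (cleared logs via event 104, the two registry values, recently created administrator accounts, .lnk files in profile shares, and the flagged applications FortiClient VPN and Python 2.7) map onto a short set of PowerShell 5 functions. The block below is an added example for this page, not code from the alert; it is meant to be run in an elevated session on a suspect host. The profile-share path is a placeholder, and the use of Security event 4720 for account creation is this example's choice, not something the alert names.

```powershell
# Added example, not part of TA17-293A: host-based persistence and evasion
# checks from the detection list. Output is a set of leads for an analyst to
# review, not a verdict. Run elevated on PowerShell 5.

# Evasion: event ID 104 in the System log is written when an event log is cleared.
function Get-ClearedLogEvents {
    param([int]$Days = 90)
    $filter = @{ LogName = 'System'; Id = 104; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

# Persistence: the two registry values the alert names, with the data it expects.
function Test-AlertRegistryValues {
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'MaxInstanceCount'; Expected = 100 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'; Name = 'dontdisplaylastusername'; Expected = 1 }
    )
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $value; MatchesAlert = ($value -eq $c.Expected) }
    }
}

# Persistence: current local Administrators members plus recent account
# creations (Security event 4720, "A user account was created"; not from the alert).
function Get-AdminAccountLeads {
    param([int]$Days = 90)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
    $filter  = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    $created = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'NewAccount'; e = { $_.Properties[0].Value } },
            @{ n = 'CreatedBy';  e = { $_.Properties[4].Value } }
    [pscustomobject]@{ AdministratorsMembers = $members; RecentlyCreatedAccounts = $created }
}

# Persistence in VDI: every .lnk under the profile share, resolved to its
# target so unexpected shortcut destinations stand out.
function Find-ProfileShortcuts {
    param([string]$ProfileShare = '\\FILESERVER\Profiles$')   # placeholder share path
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $ProfileShare -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{ Path = $_.FullName; LastWrite = $_.LastWriteTime; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
}

# Persistence: installed applications the alert specifically flags.
function Find-FlaggedApplications {
    param([string[]]$Patterns = @('FortiClient', 'Python 2.7'))
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $name = $_.DisplayName; $name -and ($Patterns | Where-Object { $name -like "*$_*" }) } |
        Select-Object DisplayName, DisplayVersion, InstallDate, Publisher
}

Get-ClearedLogEvents     | Format-Table -AutoSize
Test-AlertRegistryValues | Format-Table -AutoSize
Get-AdminAccountLeads
Find-FlaggedApplications | Format-Table -AutoSize
Find-ProfileShortcuts    | Format-Table -AutoSize
```

Each function returns objects rather than text so the results can be exported (Export-Csv) or forwarded to the SIEM the best-practices list asks for. The registry check reports the current data alongside a MatchesAlert flag, because a legitimate Group Policy can also set MaxInstanceCount or dontdisplaylastusername; a match is a lead to confirm against change records, not proof of compromise.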
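Two items above depend on each other: the best practice of enabling PowerShell 5 module logging, script block logging, and transcription, and the detection step of searching PowerShell logs for the “.ps1” filenames in the IOC package, which only works if that logging was already on. The following is an added PowerShell example for this page, not code from the alert or from the FireEye post it cites. It writes the same registry values the Group Policy templates set under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell; the transcript directory and the script name passed at the end are placeholders, not values from the IOC package.

```powershell
# Added example, not part of TA17-293A: enable the three PowerShell 5 logging
# features the alert recommends via their policy registry values, then search
# the resulting script block events (ID 4104) for IOC script names.
# Run elevated. Placeholders: the transcript directory and the IOC script name.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # placeholder; use a write-only share in production
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        Write-Warning "PowerShell $($PSVersionTable.PSVersion) found; version 5 is required for these logs."
    }
    # Module logging for every module ("*" under ModuleNames) -> event 4103.
    Set-PolicyValue -Key "$policyRoot\ModuleLogging" -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -Key "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type 'String'
    # Script block logging: the text of each executed script block -> event 4104.
    Set-PolicyValue -Key "$policyRoot\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1
    # Transcription: a full transcript file per session, with invocation headers.
    Set-PolicyValue -Key "$policyRoot\Transcription" -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -Key "$policyRoot\Transcription" -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -Key "$policyRoot\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
}

function Find-IocScriptEvents {
    # Search 4104 script block events for script file names from the IOC package.
    # Properties[4] of a 4104 event is the Path of the script that was run.
    param([string[]]$ScriptNames, [int]$Days = 30)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        foreach ($name in $ScriptNames) {
            if ($ev.Message -match [regex]::Escape($name)) {
                [pscustomobject]@{ TimeCreated = $ev.TimeCreated; RecordId = $ev.RecordId; Script = $name; Path = $ev.Properties[4].Value }
            }
        }
    }
}

Enable-PowerShellLogging
Find-IocScriptEvents -ScriptNames @('placeholder-ioc-script.ps1') | Format-Table -AutoSize
```

Matching on the event message rather than only on the Path property also catches a script whose contents were loaded through Invoke-Expression or dot-sourcing, where the file name appears in the logged script block text but not in the Path field. Forwarding the Microsoft-Windows-PowerShell/Operational channel to the central log repository, as the best-practices list recommends, is what makes this search survive a cleared local log.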
October 20, 2017: Initial version
March 15, 2018: Updated to provide guidance that this alert has been superseded by newer information.