The US government has warned that sophisticated hackers have been targeting nuclear, energy, water, aviation and other critical industrial firms since at least May 2017. In a rare public warning, the Department of Homeland Security and Federal Bureau of Investigation said in a report that threat actors have been using spear-phishing emails, watering hole attacks and malicious websites to obtain the credentials necessary to access and infiltrate networks.
The joint report says the phishing campaign targets two types of victims: staging targets and intended targets. Hackers first zero in on the "staging targets", which include third-party and peripheral organisations that are tied to the primary targets and have less secure networks. These staging targets are then used by the threat actors as "pivot points and malware repositories" to attack the primary companies.
According to the DHS, threat actors are attempting to gain access to specific information regarding the targeted companies' equipment, organisational designs and "control system capabilities" in order to infiltrate and harm the firms' networks.
The report noted that hackers have already successfully managed to compromise some targeted networks including one energy generator and conducted reconnaissance on their networks. However, the report did not name the companies targeted in these attacks.
"Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict," the report reads. "Working with US and international partners, DHS and FBI identified victims in these sectors.
"DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign."
According to an analysis by the DHS, FBI and "trusted partners", certain distinct indicators and behaviours observed in this campaign point to a threat group called Dragonfly that was previously reported on by Symantec. In September, Symantec researchers said the energy sector in North America and Europe has been targeted by a "new wave of cyberattacks" launched by Dragonfly.
"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," Symantec noted in September.
Security firm CrowdStrike told Reuters that the report suggested that the attacks could be the work of a hacking group called Berserk Bear - a Russian Federation-linked group that has targeted energy, transportation and financial firms. However, researchers said they have not observed "any destructive action" by this actor yet.
The nefarious activities and hacking attempts targeting energy, nuclear and manufacturing industries were first highlighted in a confidential report in June, Reuters reports. That document was distributed privately to firms at risk of attack and described a narrower set of activity targeting these sectors.
It is still unclear what prompted the government to make the information on the escalation of cyberattacks targeting critical public infrastructure and energy sector firms public.
Security researchers have often warned about the rise in cyberattacks targeting key infrastructure in Europe and the US.