Hacker Threats to Critical Infrastructure
Attention ICM Followers: This is a post that our strategic partners at CyberCecurity released last evening. We thought it was important enough to share with you. DHS and FBI Announce Hacker Threats to Energy and Critical Infrastructure: Hackers going after government entities and critical infrastructure.
OCTOBER 23, 2017
In what is an unusual move by the FBI and DHS, CERT released a security bulletin saying that attackers were going after government entities and critical infrastructure and had been doing so at least since May.
Hacker Threats Using Multi-Stage Attack
They described it as a multi-stage threat: the attackers first compromise small, lightly defended networks and then pivot from inside those networks to reach higher-value assets.
Since at least May, the attackers have been going after critical targets like energy, water, aviation, nuclear and critical manufacturing. In addition, they are also targeting government entities.
The attacks start by going after “staging targets” – possibly suppliers or other vendors with less secure networks – and then use those compromised networks to reach the intended victim.
5 Phases to the Hacker Threats and Attacks
Using the standard cyber kill chain attack model, there are five phases to the attack:
1. Reconnaissance – gather information on the organization and, in this case, on the potential weaknesses of specific, targeted organizations.
2. Weaponization – use spear phishing emails (in this case) to get into the target’s organization.
3. Delivery – Once inside the organization, use the beachhead they have created to establish a persistent base for further attacks.
4. Exploitation – Once the beachhead is established, use that base to exploit the organization – for example, by stealing credentials.
5. Installation – Now that the network is fully compromised, download additional tools to expand the attack and use that company to launch attacks against other companies.
FBI Admits Some Hacker Attacks Successful
The FBI admitted, with no details, that some of the attacks have been successful. The fact that they are issuing a very public announcement as opposed to a much quieter memo, say via Infragard, says that (a) the attacks have been more successful than they might want to admit, (b) that the attacks are going after smaller, less sophisticated organizations that have less sophisticated defenses and (c) the attacks are ongoing.
Time to Be on High Alert
This means that organizations need to be on higher alert than they might be otherwise. To steal a term from the Department of Defense, if your organization was at Defcon 4 before (the second LOWEST level of alert), now might be a good time to go to Defcon 3 or 2 (the second highest level of alert).
The bulletin provides specific IOCs (indicators of compromise) for each target industry segment.
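The practical use of a published IOC list is to sweep your own proxy, DNS and endpoint logs for any of the listed values. The script below is an added illustration of that sweep, not code from the bulletin or from ICM/CyberCecurity; the indicators and log lines in it are constructed placeholders (documentation IP ranges, `.invalid` hostnames, an all-zero hash) standing in for the real, industry-specific indicators the bulletin distributes.

```python
import re
from dataclasses import dataclass

# Constructed placeholders standing in for the bulletin's indicators.
# Replace with the domains, IPs and file hashes from the actual alert.
IOC_DOMAINS = {"staging-vendor.invalid", "update-portal.invalid"}
IOC_IPS = {"198.51.100.23", "203.0.113.77"}      # RFC 5737 documentation ranges
IOC_HASHES = {"0" * 64}                          # placeholder SHA-256

# Constructed sample log lines (proxy, DNS, endpoint AV) in a typical key=value style.
SAMPLE_LOG = [
    "2017-10-23T08:01:12Z proxy src=10.0.0.14 dst=198.51.100.23 host=staging-vendor.invalid GET /update.exe",
    "2017-10-23T08:01:13Z proxy src=10.0.0.14 dst=93.184.216.34 host=example.com GET /",
    "2017-10-23T08:02:40Z dns query=update-portal.invalid client=10.0.0.51",
    "2017-10-23T08:03:02Z av file=C:\\Users\\a\\Downloads\\update.exe sha256=" + "0" * 64,
]


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned log
    kind: str      # "ip", "domain" or "sha256"
    value: str     # the matched indicator


# Extractors for the three indicator types the bulletin lists.
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def scan_lines(lines):
    """Return every IOC hit found in the given log lines, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in _IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip))
        for host in _HOST_RE.findall(line):
            if host.lower() in IOC_DOMAINS:
                hits.append(Hit(n, "domain", host.lower()))
        for digest in _SHA256_RE.findall(line):
            if digest.lower() in IOC_HASHES:
                hits.append(Hit(n, "sha256", digest.lower()))
    return hits


def summarize(hits):
    """Count hits per indicator type, e.g. {'ip': 1, 'domain': 2, 'sha256': 1}."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind} indicator {h.value}")
    print(summarize(found))
```

Run it against exported log files by replacing `SAMPLE_LOG` with the lines read from disk; a single hit on a staging-target domain or IP is the signal to pull the full session history for that source host, since the bulletin describes the initial foothold as a stepping stone rather than the end goal.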
If you need network security assistance, please contact ICM’s cyber partners at CyberCecurity.
Are you prepared to communicate if your company is hacked? Contact ICM to put together your cyber crisis communication plan.
Information for this post came from CERT.