The Department of Homeland Security and the Federal Bureau of Investigation released a joint Technical Alert on October 20, 2017 describing campaigns by cyber actors targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Although it is common for DHS and the FBI to coordinate on such products, the level of detail in this alert about multiple groups mounting an Advanced Persistent Threat (APT) has drawn additional attention.
The alert reports no sabotage or physical damage; the observed activity is earlier-stage, including:
- open-source reconnaissance;
- spear-phishing emails (from compromised legitimate accounts);
- watering-hole domains;
- host-based exploitation;
- industrial control system (ICS) infrastructure targeting; and
- ongoing credential gathering.
The alert is aimed primarily at owners and operators of critical infrastructure, especially those running industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. More than one actor has been targeting networks in the energy sector since at least May 2017. According to DHS the campaigns are still ongoing, and they pose a particular threat to "low security and small networks."
Advice for network defenders
The alert lists many common best practices for hardening networks against cyber threats. These are detailed for critical infrastructure managers in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Specifically, the DHS/FBI alert recommends these steps:
- Block the Web Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the network;
- Monitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple concurrent logins);
- Segment any critical networks or control systems from business systems and networks according to industry best practices;
- Establish a password policy to require complex passwords for all users;
- Ensure that accounts for network administration do not have external connectivity;
- Ensure that network administrators use non-privileged accounts for email and internet access; and
- Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).
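The VPN-monitoring recommendation above is the one most easily turned into a concrete check. The script below is an added example, not code from the DHS/FBI alert, and it applies three of the alert's heuristics (off-hours logins, logins from source addresses outside an allowed range, and overlapping concurrent sessions for one user) to a handful of constructed log lines. The log format, the field layout, the business-hours window, and the allowed network range are all assumptions chosen for the example; a real deployment would parse the concentrator's actual export format and load the allow-list from policy.

```python
"""Flag suspicious VPN logins in constructed sample log lines.

Added example (not from the DHS/FBI alert). Implements three of the
alert's VPN-monitoring heuristics:
  - logins outside business hours,
  - logins from source IPs not on an allow-list,
  - a new login while the same user already has an open session.
Log format, field names, policy values and sample data are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not real data). Assumed format:
#   <ISO-8601 timestamp> <LOGIN|LOGOUT> <username> <source-ip>
SAMPLE_LOG = """\
2017-10-18T02:13:07 LOGIN  jsmith 203.0.113.45
2017-10-18T02:40:00 LOGOUT jsmith 203.0.113.45
2017-10-18T09:05:11 LOGIN  jsmith 198.51.100.7
2017-10-18T09:30:44 LOGIN  jsmith 203.0.113.99
2017-10-18T10:00:00 LOGOUT jsmith 203.0.113.99
2017-10-18T11:00:00 LOGOUT jsmith 198.51.100.7
2017-10-18T14:22:03 LOGIN  ops-admin 198.51.100.20
2017-10-18T15:00:00 LOGOUT ops-admin 198.51.100.20
"""

# Assumed policy: the only expected remote source range and the
# business-hours window during which logins are considered normal.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_log(text):
    """Turn the assumed whitespace-separated format into typed tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, user,
                       ipaddress.ip_address(ip)))
    return events


def find_anomalies(events):
    """Return (reason, user, detail) tuples in log order.

    Sessions are tracked per user keyed by source IP; a LOGOUT closes the
    session from that IP. A LOGIN while any session is still open for the
    user is reported as a concurrent login.
    """
    alerts = []
    open_sessions = defaultdict(list)  # user -> [(login_time, ip), ...]
    for ts, event, user, ip in sorted(events, key=lambda e: e[0]):
        if event == "LOGIN":
            if not (BUSINESS_START <= ts.time() <= BUSINESS_END):
                alerts.append(("off-hours", user, ts.isoformat()))
            if not any(ip in net for net in ALLOWED_NETS):
                alerts.append(("unauthorized-ip", user, str(ip)))
            if open_sessions[user]:
                alerts.append(("concurrent", user, str(ip)))
            open_sessions[user].append((ts, ip))
        elif event == "LOGOUT":
            open_sessions[user] = [s for s in open_sessions[user]
                                   if s[1] != ip]
    return alerts


if __name__ == "__main__":
    for reason, user, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{reason:16} {user:10} {detail}")
```

On the sample data the script reports jsmith's 02:13 login as off-hours and from an unauthorized address, and the 09:30 login both as unauthorized and as concurrent with the still-open 09:05 session; ops-admin's daytime login from the allowed range produces nothing. The heuristics are deliberately simple; the point is that each of the alert's three indicators maps to a few lines of stateful logic over the concentrator's login and logout events.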