Can you hack US infrastructure?
19 Sep
A couple of months ago, US-CERT released an alert (TA18-074A) about Russian government cyber activity targeting the energy sector and other critical infrastructure sectors. You might imagine that the attackers exploited zero-day vulnerabilities and performed highly technical operations, but they did not. They used phishing and free tools that anyone can find with Google.
According to US-CERT, since at least March 2016, Russian government cyber actors have targeted government entities and multiple US critical infrastructure sectors.
The threat actors appear to have chosen their targets carefully rather than at random. They used spear-phishing emails and watering-hole domains to break into the organisations' networks. One technique relied on documents that referenced a file (such as a template) hosted on an attacker-controlled server over the Server Message Block (SMB) protocol. As part of the standard SMB connection process, the client authenticates to the server, sending the user's credential hash (an NTLM challenge-response) to the remote server before the requested file is retrieved; this happens as soon as the document is opened, whether or not the file actually downloads. The actors could then crack the hash offline to recover the plaintext password. They also used email attachments that, once opened, led users to a website prompting for an email address and password.
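The SMB credential leak described above is normally triggered by an Office document whose package relationships point at a UNC path (for example an attached template). The script below is an added example, not code from the original article or from the US-CERT alert: it builds a constructed .docx in memory with such a relationship and then scans every `.rels` part in the package for external targets on UNC paths or `file://` URLs with a remote host. The IP address 203.0.113.7, the share and the file names are made up for the example.

```python
"""Flag OOXML documents (docx/xlsx/pptx) that reference a resource over SMB.

An external relationship whose Target is a UNC path makes Windows connect to
the remote host when the document opens, leaking the user's NetNTLM hash.
"""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Matches \\host\share\... and file://host/share/..., including the
# file://///host/share form, but not local drive paths like file:///C:/x.
UNC_RE = re.compile(r"^(?:file:)?(?:/{2,}|\\{2,})(?![A-Za-z]:)[^/\\]+[/\\]",
                    re.IGNORECASE)


def find_external_unc_targets(doc_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels_part_name, target) for every External relationship in
    the package whose Target points at a remote SMB/UNC location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: not our concern here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if UNC_RE.match(target):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target: str) -> bytes:
    """Constructed sample: the smallest zip that resembles a .docx with an
    attached-template relationship (word/_rels/settings.xml.rels) pointing
    at `template_target`, plus a benign https hyperlink for contrast."""
    settings_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="{template_target}" TargetMode="External"/>
</Relationships>"""
    document_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="https://example.com/benign" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Made-up attacker share (203.0.113.0/24 is a documentation range).
    sample = build_sample_docx(r"\\203.0.113.7\share\template.dotm")
    for part, target in find_external_unc_targets(sample):
        print(f"{part}: external UNC target {target}")
```

In a real pipeline the same check runs over attachments at the mail gateway; on the network side, blocking outbound TCP 445 at the perimeter stops the hash from ever leaving, which is the control the alert's technique depends on being absent.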
After obtaining the credentials, the threat actors logged into victims' networks wherever multi-factor authentication was not in use. To maintain persistence, they then created local administrator accounts using straightforward scripts.
Once inside, they downloaded tools from a remote server, deployed web shells on the targets' publicly accessible email and web servers, and began internal reconnaissance of the network. Using privileged credentials, they connected to the domain controller over RDP, and from there ran automated scripts to enumerate further information about the environment.
During this phase, they did something clever. They used PsExec to run a screenshot utility that captured the screens of systems across the network. In multiple instances, the threat actors accessed workstations and servers on a corporate network that held data output from control systems inside energy generation facilities. They accessed files relating to ICS and supervisory control and data acquisition (SCADA) systems, and copied VNC profiles containing configuration information for accessing ICS systems. Finding control-system output and ICS access profiles on corporate hosts means there was no proper network segregation between the corporate IT network and the operational environment.
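Two of the behaviours above leave straightforward traces in Windows event logs: a freshly created account being added to the local Administrators group (Security events 4720 and 4732) and PsExec installing its PSEXESVC service on a target host (System event 7045). The script below is an added example rather than anything from the article or the alert; it correlates those events over a constructed, simplified set of records in which hostnames, SIDs and account names are made up.

```python
"""Detect scripted local-admin creation and PsExec use from Windows events.

The EVENTS list is constructed sample data: a flattened rendering of the
fields that matter, not real log output.
"""
from datetime import datetime, timedelta

USER_CREATED = 4720              # Security: a user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732  # Security: member added to a local group
SERVICE_INSTALLED = 7045         # System: a service was installed

EVENTS = [
    # Host WS-042: account created by a script and made admin 3 seconds later,
    # then PsExec's service appears. This is the pattern we want to catch.
    {"time": "2018-03-01T09:00:02", "id": 4720, "host": "WS-042",
     "subject": "CORP\\j.doe", "target": "svc_backup",
     "target_sid": "S-1-5-21-1-2-3-1105"},
    {"time": "2018-03-01T09:00:05", "id": 4732, "host": "WS-042",
     "subject": "CORP\\j.doe", "group": "Administrators",
     "member_sid": "S-1-5-21-1-2-3-1105"},
    {"time": "2018-03-01T09:02:00", "id": 7045, "host": "WS-042",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Host HR-07: ordinary onboarding, non-admin group, unrelated service.
    {"time": "2018-03-01T11:30:00", "id": 4720, "host": "HR-07",
     "subject": "CORP\\helpdesk", "target": "new.hire",
     "target_sid": "S-1-5-21-1-2-3-1200"},
    {"time": "2018-03-01T13:00:00", "id": 4732, "host": "HR-07",
     "subject": "CORP\\helpdesk", "group": "Remote Desktop Users",
     "member_sid": "S-1-5-21-1-2-3-1200"},
    {"time": "2018-03-01T13:05:00", "id": 7045, "host": "HR-07",
     "service": "Spooler", "image": "%SystemRoot%\\System32\\spoolsv.exe"},
]


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Pair each 4720 with a later 4732 into 'Administrators' on the same
    host for the same SID within `window`. 4732 logs the member by SID, so
    the join key is (host, SID) rather than the account name."""
    created = {}   # (host, sid) -> the 4720 event
    alerts = []
    for ev in sorted(events, key=_t):
        if ev["id"] == USER_CREATED:
            created[(ev["host"], ev["target_sid"])] = ev
        elif ev["id"] == LOCAL_GROUP_MEMBER_ADDED and ev["group"] == "Administrators":
            c = created.get((ev["host"], ev["member_sid"]))
            if c is not None and _t(ev) - _t(c) <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": c["target"],
                    "by": ev["subject"],
                    "delay_s": int((_t(ev) - _t(c)).total_seconds()),
                })
    return alerts


def find_psexec_service_installs(events):
    """PsExec registers a service named PSEXESVC on the remote host by
    default. Its -r switch renames the service, so treat a miss as weak
    evidence and pair this with the image path or named-pipe telemetry."""
    return [(e["host"], e["service"]) for e in events
            if e["id"] == SERVICE_INSTALLED
            and e["service"].upper().startswith("PSEXESVC")]


if __name__ == "__main__":
    for a in find_new_local_admins(EVENTS):
        print(f"[{a['host']}] {a['account']} created by {a['by']} and made "
              f"local admin after {a['delay_s']}s")
    for host, svc in find_psexec_service_installs(EVENTS):
        print(f"[{host}] PsExec service installed: {svc}")
```

The ten-minute window is a tuning choice: scripted persistence promotes the account within seconds, while legitimate admin provisioning rarely creates and elevates a local account on the same host in one step.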
As you may have noticed, the threat actors did not use any zero-days or any technical vulnerability. They relied on social engineering to gain access to victims' networks, and once inside they enumerated the environment with common, publicly available tools to gather more information. That is why I said before that if you have time and are not afraid of going to jail, you can hack US infrastructure as well!
US-CERT has created YARA rules and published IOCs so you can check your network and determine whether your company has been, or is being, compromised. For a more detailed analysis and the full list of IOCs, refer to the official US-CERT report.