On 15 March, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint Technical Alert on Russian government cyberactivity targeting organizations in the energy, marine, aviation, and other manufacturing sectors.
This DHS and FBI Technical Alert seeks to educate network defenders and enhance their ability to identify and reduce exposure to malicious activity by providing a thorough walkthrough on how an organization's cybersecurity becomes at risk and recommendations for detection and prevention. DHS and FBI characterized these cyberactivities as a "multistage intrusion campaign by Russian government cyberactors" to access an organization's network control.
Stage 1 of the campaign is reconnaissance. Cyberactors deliberately select "staging targets," organizations that hold preexisting relationships to the intended targets, by accessing publicly available information. Using what appears to be innocuous information, such as a small photo from a human resources page, the cyberactors can gather operationally sensitive information to initiate the next stage of their attack.
Stage 2 of the campaign is weaponization. Using compromised information from vulnerable staging targets, cyberactors develop targeted spear-phishing emails or watering-hole domains to formulate their attack against the intended targets.
Stage 3 is delivery. Cyberactors used spear-phishing emails that, for example, contained a generic contract agreement theme (e.g. "AGREEMENT & Confidential") and a generic PDF document titled ``document.pdf (note in particular the two back hashes as a sign of a potentially harmful document). The PDF is not malicious and does not contain any active code. Rather, the document had a shortened URL that, when clicked, led users to a website that prompted the user for their email address and password. Cyberactors have also used, and continue to use, spear-phishing emails to target industrial-control-systems personnel to gain access to critical network controls.
Stage 4 is exploitation. By using distinct and unusual tactics, techniques, and procedures, cyberactors exploit vulnerable staging targets. For instance, emails would contain successive redirects, with an ultimate redirect to a website that contained input fields for an email address and password that mimicked a login page for a website. Another commonly used tactic to capture user credential is through malicious .docx files. These files are connected to a command and control server, usually owned by cyberactors, and prompt users to authenticate access to the domain with their username and password.
Stage 5 is installation. Once cyberactors have gained compromised credentials to access a victim's network, they create local administrator accounts within the staging target network and begin placing malicious files within the intended targets. While inside, cyberactors incorporate password-cracking and downloader tools to harvest as much information as possible within the intended target. Cyberactors can also manipulate LNK files, commonly known as a Microsoft Window's shortcut file, to repeatedly gather user credentials.
Stage 6 is the command and control phase where cyberactors create web shells on the intended target's publicly accessible email and web servers. These serve as templates to further infiltrate the intended target's networks.
Stage 7 is actions on objectives. Once cyberactors control the infrastructure of staging targets, they leverage remote access services and programs such as VPN, RDP, and Outlook Web Access to connect to the intended targets. Upon gaining access to the intended targets, cyberactors begin internal reconnaissance and siphon sensitive information using various scripts and commands. To avoid detection, cyberactors create new accounts to perform cleanup operations to cover their tracks, making any responses to ongoing attacks more difficult.