The US Department of Homeland Security (DHS) issued a warning last week about ongoing cyber attacks targeting critical national infrastructure, saying some networks and at least one power generator have been compromised.
Attacks have been targeting domain controllers and file and email servers of critical infrastructure systems, including organizations in the energy, nuclear, water, aviation and critical manufacturing sectors and government networks, for the past five months or more, according to an alert on advanced persistent threat (APT) activity.
The report, issued by DHS and the Federal Bureau of Investigation (FBI), contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims' networks.
The FBI and the DHS, which conducted the analysis, determined the attacks are part of an ongoing "multi-stage intrusion campaign." Attackers used spearphishing emails sent from compromised accounts to penetrate "low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector," US-CERT said in its October 20 alert.
Attackers typically gain access through peripheral third-party organizations such as suppliers that tend to have less secure networks.
Those networks then become "pivot points and malware repositories" for threat actors when attacking the intended victims. Once the intended victim's networks have been accessed, attackers implant remote control software on the systems with a focus on "identifying and browsing file servers," CERT wrote in its alert.
All of which, in general, sounds like very old news. There have been warnings about such threats – espionage plus potential and actual cyberattacks – on US critical infrastructure, especially in the energy sector, for going on two decades.