Image: a nuclear power plant. DHS and FBI warned that Russia-linked hackers are targeting critical infrastructure. (adege/Pixabay)

The United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning through the U.S. Computer Emergency Readiness Team (US-CERT) alerting organizations to increased activity from threat actors targeting critical infrastructure.

The warning, initially issued on Friday and updated on Monday, said Advanced Persistent Threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors have been on the rise since May.

According to the alert, the attack is ongoing and many networks in the energy sector and other critical areas are at risk of being targeted by what the DHS calls a “multi-stage intrusion campaign.”


The elaborate attack does not begin with the intended target but rather with ancillary players who have a relationship with the chosen organization. Third-party vendors, suppliers and contractors are ripe for targeting by the attackers, whose intention is to compromise a target with weaker security first and then escalate the attack toward the ultimate objective.

After performing reconnaissance to learn the relationships between a target and its partners, the attackers hit their first victim through spear-phishing: highly targeted email campaigns designed to trick an individual into surrendering personal information or credentials, which are then used to gain unauthorized access to that person's account and to sensitive information.

The technique most commonly used in the attacks thus far has been to send the victim an email with a PDF attachment that appears to be a contract agreement. The PDF itself is benign and will do no harm, but a link within the PDF will direct the victim to a website that hosts malware. If the link is clicked, the user’s machine will be infected by the malicious file.
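As an added illustration, not code from the advisory or from the article, here is a triage check that pulls the link targets out of a PDF attachment so a defender can flag links to unfamiliar hosts before a user follows them. The PDF bytes, the hostnames in it and the trusted-domain set are constructed placeholders, not indicators from the alert.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# Both hostnames are placeholders, not indicators from the DHS/FBI alert.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://contract-review.example/agreement.exe) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI (https://intranet.corp.example/contracts/1234) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches a /URI key followed by a PDF literal string; tolerates \) and \\ escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in plain-text PDF objects.

    Caveat: real PDFs frequently keep objects inside compressed streams, which
    this byte scan cannot see; decompress with a proper PDF library first.
    """
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1)
        raw = raw.replace(b"\\)", b")").replace(b"\\(", b"(").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def suspicious_links(pdf_bytes: bytes, trusted_domains: set[str]) -> list[str]:
    """Links whose host is neither a trusted domain nor a subdomain of one."""
    flagged = []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        if not trusted:
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_PDF, {"corp.example"}):
        print("review before delivery:", link)
```

Feeding attachments through a check like this at the mail gateway turns the "benign PDF, malicious link" pattern into something that can be logged and reviewed rather than discovered after a click.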

According to the DHS and FBI, the campaign is the work of Dragonfly APT, also known as Energetic Bear. The group has been mostly dormant since 2015, but was previously active dating back to 2011 and has primarily targeted energy plants and other critical infrastructure in western nations including the U.S., Italy, France, Spain, Germany, Turkey and Poland.

Dragonfly has been linked to cyber espionage campaigns against energy grid operators, electricity generation companies, oil pipeline operators and industrial equipment manufacturers. According to a previous report published by DHS, the Dragonfly group has ties to the Russian government.

“It would be naive of us to believe that Industrial Control Systems were somehow immune to the same cyber risks faced by commercial organizations via their IT systems,” Paul Edon, the director of international customer services for security software vendor Tripwire, told International Business Times.

“The recent attacks, although only now being highlighted by the US government, are nothing new, but they should act to remind us that Industrial Control Systems that were once protected by airgap and diode architecture are now becoming physical extensions to corporate and business networks,” he said.

Edon warned that while connectivity provides businesses with many advantages, it also adds a number of risks that must be accounted for.

“It is incumbent on those responsible to carry out detailed risk evaluations and to identify and implement the necessary security solutions to ensure the most effective security measures are applied,” he said. “Otherwise, there will be a major breach, and regardless of intention, we will experience an environmental disaster that could include a significant loss of life.”

The warning from the DHS and FBI about targeted attacks against critical infrastructure and other organizations providing vital services comes two months after the National Infrastructure Advisory Council (NIAC) warned of the possibility of a “9/11-level cyber-attack” and advised the government to “use this moment of foresight to take bold, decisive actions” to prevent such an incident.

“This public warning from the US government should be taken seriously, but it’s only the latest in a long series of warnings from within the cybersecurity industry,” Tim Erlin, the vice president of product management and strategy at Tripwire, told IBT.

“Experts working on cybersecurity for critical infrastructure know the risks and the stakes, and are already working to address them. Warnings like this are an important aspect of information sharing, but they don’t materially change funding levels, resources or skill sets by themselves,” he said.