US-CERT has a great intelligence report on Russian TTPs against US Energy sector entities since 2016. I attended one of the DHS briefings and many folks struggled with the software used to conduct the briefings. I am publishing my notes on the briefings to help share this information.
Generally, the attacks are well thought out and reasonably sophisticated. However, the TTPs rely on typical Windows and network functions and features. Many of the TTPs could be detected in Windows event logs if they were available in a SIEM.
There’s a lot here so I will separate highlights within the Cyber Kill Chain stages (CKC), splitting out stages 1-4 and then 5-7.
Highlights (CKC Stage 1-4):
- Small organizations were deliberately targeted
- Executives and control system operators were the most likely targets
- Trusted partners were compromised first to use as pivot points (Example - through a trusted vendor connection)
- US energy sector was the specific target, and US utilities were affected
- Spear phishing included references to legitimate equipment or resumes
- URL shorteners such as bit.ly and tinyurl were used in spear phishing
- Threat actors combed the websites of their targets, including downloading and examining photographs to gain intelligence
  - This includes downloading the entire website and examining documents, images, and public code
  - Threat actors were able to identify control system equipment information from a photo on an HR page
- Spear phishing and watering hole attacks both depended on SMB outbound (using file://IP) (TCP 139/445 outbound)
- A large portion of watering hole domains were trade publications and informational websites related to ICS or critical infrastructure
Highlights (CKC Stage 5-7):
- Threat actors used the stolen credentials to establish local admin accounts
  - Achieved with a simple batch script using baked-in Windows commands
  - Created a scheduled task named ‘reset’
  - Disabled Windows host firewall, opened RDP inbound
- Logs were deleted with an administrator account
- Fake accounts were made to mimic real ones in Exchange
- Threat actors installed FortiClient to maintain persistence in at least one case
- Additional tools downloaded from threat actors had the .exe extension swapped with .txt
- Threat actors modified shortcut files (.lnk) to obtain their icon image from a remote server. This would pass the credential hash over SMB to the attacker.
  - Another variant included modifying a Word document to get its normal.dotm file from a remote location
  - Both used file:// outbound
  - Network traffic for both variants is discussed below
- Threat actors modified the registry to force WDigest to store plaintext credentials in memory
- Threat actors had access that would have allowed actions with physical consequences, but did not take such actions.
- Threat actors collected data such as:
  - ICS architecture, layout diagrams, reference documents, vendor information
  - Configuration screenshots of HMIs
  - Configuration details for remote access
Recommended mitigations:
- Ensure that TCP ports 139 and 445 outbound are denied
- Consider blocking URL shorteners such as Bit.ly and TinyURL
- Collect and analyze Windows logs for both servers and desktops
- Decrypt and inspect Web traffic
- Enforce geo-IP blocking (inbound and outbound). Blacklist IPs for regions you don’t work in
- Don’t create overly permissive whitelists for connections with vendors
- Enable two-factor authentication for all external facing systems
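As an added example (my own code, not from the US-CERT report or the DHS briefing) of what "collect and analyze Windows logs" can look like for the stage 5-7 TTPs above: a small rule pass over constructed Security event records that flags account creation, local admin group additions, the ‘reset’ scheduled task, the WDigest registry change, firewall changes and log clearing, then correlates per host. The record field names are a simplified, constructed schema rather than the exact EVTX layout, and the sample records are made up.

```python
# Added example: detection pass over constructed Windows Security event records
# mirroring the stage 5-7 TTPs in the notes. Field names are a simplified,
# constructed schema (assumption), not the exact Windows event XML layout.
WDIGEST_KEY = r"\SecurityProviders\WDigest"  # assumption: tail of the full registry key path

# Each rule: (matching event IDs, predicate over the record's fields, finding label)
RULES = [
    ({4720}, lambda e: True, "local account created"),
    ({4732}, lambda e: e.get("TargetGroup", "").lower() == "administrators",
     "user added to local Administrators"),
    ({4698}, lambda e: e.get("TaskName", "").strip("\\").lower() == "reset",
     "scheduled task named 'reset' created"),
    ({4657}, lambda e: WDIGEST_KEY.lower() in e.get("ObjectName", "").lower()
     and e.get("ObjectValueName") == "UseLogonCredential" and e.get("NewValue") == "1",
     "WDigest forced to keep plaintext credentials"),
    ({4950}, lambda e: "off" in e.get("SettingValue", "").lower(), "host firewall turned off"),
    ({1102}, lambda e: True, "security log cleared"),
]

def scan(events):
    """Return (EventID, Computer, label) for every record that trips a rule."""
    findings = []
    for e in events:
        for ids, pred, label in RULES:
            if e.get("EventID") in ids and pred(e):
                findings.append((e["EventID"], e.get("Computer", "?"), label))
    return findings

def correlate(findings, min_distinct=3):
    """Hosts where at least min_distinct different findings co-occur; one alone is weak."""
    by_host = {}
    for _, host, label in findings:
        by_host.setdefault(host, set()).add(label)
    return sorted(h for h, labels in by_host.items() if len(labels) >= min_distinct)

SAMPLE = [  # constructed sample records: one host shows the full batch-script pattern
    {"EventID": 4720, "Computer": "HMI-01", "TargetUserName": "svc_backup"},
    {"EventID": 4732, "Computer": "HMI-01", "TargetGroup": "Administrators", "MemberName": "svc_backup"},
    {"EventID": 4698, "Computer": "HMI-01", "TaskName": "\\reset"},
    {"EventID": 4657, "Computer": "HMI-01", "ObjectValueName": "UseLogonCredential", "NewValue": "1",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"},
    {"EventID": 4950, "Computer": "HMI-01", "SettingValue": "Off"},
    {"EventID": 1102, "Computer": "HMI-01"},
    {"EventID": 4698, "Computer": "ENG-WS-07", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": 4720, "Computer": "ENG-WS-07", "TargetUserName": "jdoe"},  # benign-looking, on its own
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print("hosts with several co-occurring TTPs:", correlate(scan(SAMPLE)))
```

The single account creation on ENG-WS-07 is reported but does not reach the correlation threshold, while HMI-01 does.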
Network traffic for attacks
- These attacks relied on SMB outbound. The infected machine would request the file from the server, which would request credentials.
- The victim provides the hash, which the attackers were able to brute force
- Pcap sample of the traffic generated just to retrieve an icon