Manufacturing leaders who still harbor doubts about the serious nature of the cyber attack campaigns today targeting their companies should take a close read of an alert recently issued by the U.S. Department of Homeland Security (DHS) and the FBI.
The document, officially called a Technical Alert, details what it calls an ongoing and persistent cyber attack campaign that has been underway since at least May of this year and that targets “critical manufacturing sectors” as well as government entities and organizations in the energy, nuclear, water, and aviation sectors.
The report doesn’t quantify the number of attacks that have been launched as part of the campaign or their sources. It does, however, make it clear that this is not a random campaign of opportunity. Instead, the report says, cyber attackers in this case “have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.”
The cyber attack campaign described by the DHS/FBI report was first reported in September by security software provider Symantec in a widely read report that identified the perpetrators as a group known as Dragonfly. That report, however, indicated that the attacks targeted energy industry companies in Europe and North America. The DHS/FBI report specifically says that manufacturers have also been targeted by the group.
The report says that attacks by the group have included a variety of cyber exploit techniques, including spear-phishing and watering-hole domains, and that they have specifically targeted industrial control system (ICS) infrastructure. The report recommends a number of technical tools that can be used to recognize and neutralize the attacks.
The report also describes a common pattern incorporated into many of the coordinated attacks: Perpetrators often use trusted third parties to initiate their attacks and then to exploit their larger, ultimate targets.
“The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks…,” the report states. “The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.”
The critical take-away: Manufacturers must monitor the cyber security capabilities of their trusted suppliers, partners, and customers and, if necessary, take steps to reduce related risks.
The report warns that manufacturers must also closely examine the information they voluntarily post online in order to reduce cyber risk. In one case, the report states, attackers were able to “download a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”
Manufacturers should also be wary of the public websites they use. Dragonfly attackers often create so-called “watering holes” that appear as trade publications and informational sites and attract industrial users by presenting some legitimate content related to process control, ICS, or critical infrastructure. Also buried in the sites, however, is malicious content, the report warns.
And the report advises that manufacturers cannot lower their cyber security vigilance. “DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.”