This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”

The campaigns begin with Russian actors conducting reconnaissance of staging targets that at some point maintained relationships with their intended targets. Using the information they acquire, the individuals launch spear-phishing attacks against the staging targets, compromise their web-based infrastructure with malicious content, and develop watering holes to infect their intended target. Once inside their intended target’s network, they create web shells on the entity’s email and web servers and conduct reconnaissance against ICS and supervisory control and data acquisition (SCADA) systems.
Moscow has denied involvement in the hacking attacks, with Sergei Ryabkov, a deputy foreign minister for Russia, saying that the new sanctions are "purely tied to the internal American infighting." DHS and FBI issued their TA at a time when attacks against energy organizations are ramping up around the world. These include efforts by APT33 to target Saudi petrochemical entities and other energy organizations with spear-phishing campaigns. Given the rise in these attacks, it's important that organizations invest in a solution that can help them monitor their ICS and SCADA systems for potentially malicious behavior.
The administration is confronting and countering malign Russian cyberactivity, including their attempted interference in U.S. elections, destructive cyberattacks and intrusions targeting critical infrastructure. These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia.