Government Warns of Threat Activity Targeting Critical Infrastructure through Third-Party Access
A cloak of secrecy usually covers covert government activities when it comes to the latest cyber threats and intelligence. But in a rare public statement, the U.S. government has warned that hackers are targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.
And instead of going directly after these high profile targets, the hackers are taking indirect routes through smaller – often supporting organizations – such as trusted third party suppliers, which often have less secure IT networks.
The warning, issued by the U.S. Department of Homeland Security and the FBI and posted on the U.S. Computer Emergency Readiness Team website, details the type of intrusions that the government has detected and seeks to further prevent. It goes into significant detail about the “distinct indicators and behaviors” that are related to this troubling activity, even going so far as to provide the specific IP addresses, domain names, file hashes, network signatures, and YARA rules – used to examine and detect malware – that it has identified as related to this campaign in order to allow entities to determine whether malicious activity has already occurred in their systems and to prevent it from occurring in the future. The warning also describes the type of spear-fishing campaigns that the hackers are using to compromise networks. The detail provided by the government suggests this is a threat that they have been monitoring for some time and have spent significant effort investigating.
The warning also includes a slew of detection and prevention measures and recommended best practices for protecting your network against these threats.
Notably, the warning explains that this is a “multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector.” In other words, the government believes that threat actors are undertaking “long-term” campaigns to access high-value assets through lower-value entities that are referred to as “staged targets.” The initial targets are thought to be “trusted third party suppliers with less secure networks” that will allow the hackers, in the long-term, to use these initial victims as a means of penetrating the “intended targets” with the high value assets.
Although there is no such thing as bulletproof cybersecurity, this emerging threat identified by the government – whereby hackers attempt to penetrate a high profile target through a third-party vendor – underscores the interconnected nature of larger organizations and the importance of assessing and addressing these potential vulnerabilities.