Russian cyberactivity targeting US sectors, including maritime

The following is text of a news release from HudsonAnalytix:

(WASHINGTON and CAMDEN, N.J.) — Russian government cyberactors are engaging in a sophisticated cyberattack campaign targeting organizations in critical infrastructure sectors. This attack is occurring in two stages. Initially, threat actors are attacking the networks of smaller organizations with pre-existing relationships with larger organizations that are the ultimate targets of the attacks. Malware and spear phishing are the most common tactics during these initial "staging" attacks. The threat actors then use their access to staging targets’ networks to target their intended, larger victims. Organizations in the maritime industry are encouraged to learn more about this attack and ensure that they are following cyber-risk management best practices to limit their vulnerability to this attack.

Background

Per Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) reports, Russian government actors are targeting organizations in the energy, nuclear, water, aviation, critical manufacturing, and other commercial sectors. DHS and FBI warn of a sophisticated, multi-layered intrusion campaign focused on gaining remote access to small commercial-focused networks via malware or spear-phishing campaigns. Once compromised, these networks enable Russian government cyberactors to gain remote access into targeted sector networks, facilitating network reconnaissance and the collection of information pertaining to industrial control systems (ICS). This includes shipping and marine terminal facilities.

Russian government cyberactors are using a range of tactics, techniques, and procedures to further this campaign, including:

• Spear-phishing emails (from compromised legitimate accounts)
• Watering-hole domains
• Credential gathering
• Open-source and network reconnaissance
• Host-based exploitation
• Targeting ICS infrastructure

The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held pre-existing relationships with many of the intended targets.

What should a maritime company do?

Although most maritime companies will not be intended targets of these attacks, maritime companies have pre-existing relationships with a wide variety of governmental and commercial actors that support wide-ranging U.S. interests, and accordingly should be aware of their potential status as a staging target for this attack. More specifically, maritime transportation companies can be exploited to access and attack U.S. commercial entities.

As part of this announcement, the U.S. Computer Emergency Readiness Team (US-CERT) released indicators of compromise (IOCs) related to this campaign, available at https://www.us-cert.gov/ncas/alerts/TA18-074A. DHS and FBI recommended that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided at the above link, and add the IPs to their watch lists to determine whether malicious activity has been observed within their organization. They also advised system owners to run the YARA tool on any system suspected to have been targeted by these threat actors.

HudsonCyber recommends that all clients immediately:

• Review the detection and prevention guidelines and other best practices detailed at the link above.
• Implement a robust data backup process that safeguards any data considered valuable to their organization or critical to their business operations; data backups must be stored offline (disconnected from the network) and tested regularly to confirm their integrity.
• Advise shore-based employees and crews of the increase in cyberthreats and provide awareness training on social engineering tactics, safe Internet browsing behaviors, and how to respond to suspected cyberincidents.

By Professional Mariner Staff