How to find an APT attack against a network

Advanced persistent threat (APT) attacks against critical infrastructure are on the rise and companies and users need to learn how to find anomalies in their network and be proactive before serious damage can be inflicted.
By Gregory Hale, ISSSource, December 22, 2017

It is no secret the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning for critical infrastructure organizations regarding advanced persistent threat (APT) attacks. The main question for users is how to tell if the bad guys are in the system.

"There are indications they are looking for things inside the networks themselves," said Dana Tamir, vice president of market strategies at security provider Indegy. "It is very easy to mask their activities. It seems everyone has privileged access. Everyone with gained access to the network can do anything they want. The way we look for things is we first look for anomalies that appear to be suspicious and out of the ordinary. For example, communication between two assets that have never communicated before, or a command that doesn’t meet the kind of activity ever done on the network, or the use of new protocols never used before. In addition, we use rule-based policies that determine what are acceptable activities."

The alert on the US-CERT site warns, "Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks."

They consider these APT attacks to be ongoing. The DHS and FBI warning centers around an ongoing attack campaign from an advanced actor, most probably Dragonfly and its associated names of Crouching Yeti and Energetic Bear.

The warning went out to government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

It appears the attacker is seeking a position for possible action against the critical infrastructure in the future, the report said.

Attackers have chosen their targets rather than attacking targets of opportunity. Typically, this is followed by a spear-phishing campaign using email attachments to leverage Microsoft Office functions to retrieve a document using the server message block (SMB) protocol. This sends the user’s credential hash to the remote server, where "The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users."

Watering holes are also used to gather credentials.

"The threat actors compromise the infrastructure of trusted organizations to reach intended targets," the report said. "Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure."

When credentials have been gained, the attackers use these to access victims’ networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server.
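The two detection ideas in this article, Tamir's baseline-then-anomaly approach (never-seen asset pairs, never-seen protocols, plus rule-based policies) and the SMB credential-hash leak described in the alert, can be shown together on a small set of flow records. The following is an added example written for this page; it is not code from the article, Indegy, or US-CERT. All addresses, flows and the plant's internal ranges are constructed sample data, and the policy rule (outbound SMB from an internal host to an outside address is never acceptable) is one illustrative rule, not a complete policy.

```python
"""
Added example (not from the article or any vendor named in it): a minimal
flow-log baseline that flags never-seen asset pairs and never-seen protocols,
plus one rule-based policy for outbound SMB to addresses outside the plant.
All data below is constructed.
"""
import ipaddress

# Constructed: the address ranges this hypothetical plant owns. Membership is
# checked explicitly rather than with ip_address.is_private, because Python
# also treats documentation ranges such as 203.0.113.0/24 as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Flow record: (src_ip, dst_ip, dst_port, protocol). Constructed sample data.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502, "modbus"),    # HMI -> PLC
    ("10.0.1.10", "10.0.2.21", 502, "modbus"),
    ("10.0.1.11", "10.0.2.20", 502, "modbus"),
    ("10.0.1.10", "10.0.3.5", 445, "smb"),        # HMI -> internal file server
]

RECENT_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502, "modbus"),    # seen before: normal
    ("10.0.1.11", "10.0.2.21", 502, "modbus"),    # pair never seen before
    ("10.0.1.10", "10.0.2.20", 44818, "enip"),    # protocol never seen before
    ("10.0.1.12", "203.0.113.7", 445, "smb"),     # SMB to an outside address
]


def build_baseline(flows):
    """Learn the set of communicating pairs and protocols from known-good flows."""
    pairs = {(src, dst) for src, dst, _, _ in flows}
    protocols = {proto for _, _, _, proto in flows}
    return pairs, protocols


def find_anomalies(pairs, protocols, flows):
    """Flag flows whose asset pair or protocol is absent from the baseline."""
    findings = []
    for src, dst, _port, proto in flows:
        if (src, dst) not in pairs:
            findings.append(("new-pair", src, dst, proto))
        if proto not in protocols:
            findings.append(("new-protocol", src, dst, proto))
    return findings


def is_internal(ip):
    """True if the address falls in one of the plant's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def policy_violations(flows):
    """Rule-based check: SMB from inside the plant to an external host is never
    acceptable, because that is the path by which a document that fetches a
    resource over SMB leaks the user's credential hash."""
    return [("outbound-smb-external", src, dst)
            for src, dst, port, _proto in flows
            if port == 445 and is_internal(src) and not is_internal(dst)]


def triage(baseline, recent):
    """Run both checks over recent flows against a baseline learned earlier."""
    pairs, protocols = build_baseline(baseline)
    return {"anomalies": find_anomalies(pairs, protocols, recent),
            "violations": policy_violations(recent)}


if __name__ == "__main__":
    for category, items in triage(BASELINE_FLOWS, RECENT_FLOWS).items():
        print(category)
        for item in items:
            print("  ", item)
```

Against the constructed data, the baseline check reports two never-seen pairs and one never-seen protocol, and the policy check reports the single SMB flow to the outside address. A real deployment would learn the baseline over weeks of captured OT traffic and keep the internal-range list in step with the plant's address plan; both are assumptions of this example.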

"This alert shows adversaries are getting into networks and they are getting in deeper and deeper," Tamir said. "Previous alerts on phishing attacks on the energy sector and campaigns like Dragon Fly they all referred to things like gathering credentials and infiltrating the systems. What this report shows is reconnaissance activity within industrial control networks and this is an alarming thing. It means adversaries are getting through into these networks and can access the physical processes as they operate."

These kinds of warnings and attacks are becoming a bit better known these days, but the question also remains if users are secure.

"Surprising? No. Critical infrastructure presents high value targets that if exploited can produce significant political or financial gain—more than retail or financial industry targets we tend to see in the news," said David Zahn, GM of the cybersecurity business unit at PAS. "The reason is that the industrial control systems that sit at the end of the industrial facility’s kill chain control, in many cases, volatile processes. This means that an attack can cause physical consequences including injury to plant personnel, community, environment, or production capability."

"This is not the first time that we’ve heard of recon attacks leveraged against ICS with command and control capabilities on our energy, nuclear and critical manufacturing sectors," said Dean Weber, CTO at Mocana. "This is the first recent cyber attack campaign targeting water utilities and aviation. Unfortunately, corporate information technology (IT) networks are not always separated from the operational technology (OT) networks, making them particularly vulnerable."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media.
