The assault continues
Ukraine's beleaguered energy companies have continued to be hammered by cyber attacks from an unknown (but no prizes for correct guesses) source. The attackers, who may or may not be the same group behind the pre-Christmas attacks (see my previous post), are using gcat to conduct their attacks.
If this is the same attacker as in the pre-Christmas attacks, it shows a decent level of tradecraft sophistication: BlackEnergy 2 and 3 will by now have been quite heavily signatured and will be actively hunted by Ukrainian sysadmins (and hopefully other CNI network administrators worldwide), so changing toolset before re-engaging is a sensible way for the poachers to stay one step ahead of the gamekeepers.
But most reports are claiming that the attackers yet again used spear phishing to exploit and gain code execution, this time using macros embedded in Microsoft Excel files (something EVERY email client, and Excel itself, warns about in flashing neon lights). Again, this demonstrates the immense power of well-crafted, socially-engineered content delivery to a specific target. But one has to ask: given that content delivery was the likely exploit mechanism in the pre-Christmas attacks (and is easily the most publicised exploitation vector), why haven't the employees of these energy companies been warned HEAVILY about the perils of trusting non-plaintext emails from unknown or even suspicious sources? And it's not as if these attack vectors involve really innovative exploitation of running Windows services -- they are embedding exploits in Excel macros, one of the most recognised weaknesses in modern computing. This isn't rocket science.
Correlation doesn't equal causation, and so assuming national attribution simply based on who's in the crosshairs is a fool's errand. But whatever the case, the energy sector isn't the only Ukrainian critical national infrastructure system under cyber attack right now:
Given the scale, synchronisation, tradecraft sophistication and technical expertise being used here, this has the ring of nation-state-level coordination to me. If it isn't, then it is one hell of a coincidence.
I feel for the Ukrainian power companies right now, as this is a well-coordinated and sustained campaign of cyber activity against them. But they have to get their act together if they want to stem this flow of malicious activity on their networks. Step #1 - stop opening dodgy emails!
Another example which reinforces why cyber security needs to become an integral part of operational management. It needs to be broken out of the IT/security department to become a part of the consciousness of the organisation, woven into the very fabric of processes and procedures and not simply consigned to a monthly meeting/series of missives. Managers at all levels and in all areas of business should be including cyber behaviour and security updates as a part of all meets, team call-overs and review processes.