Russian APT Compromised Cisco Router in Energy Sector Attacks
The DragonFly hacking team that targeted US critical infrastructure also compromised a network router as part of its attack campaign against UK energy firms last year.
3/19/2018 05:10 PM - by Kelly Jackson Higgins - DARKReading
Yet another nation-state hacking team has been spotted compromising a network router to get to its ultimate targets: this time, it's the infamous Russian APT known as DragonFly 2.0 that was called out by the US federal government last week for hacking into US energy networks.
Researchers from Cylance revealed this month that the group had hacked a core Cisco router on the network of Vietnam's largest oil-rig manufacturer, a state-owned entity, and used it to steal user credentials in the run-up to its March 2017 attacks on energy firms in the UK. The abused Cisco router was an "end of life" device, and according to Cylance it was this compromised router that gave the attackers their vector into the energy sector targets. DragonFly used the stolen credentials as phishing lures against energy sector entities in the UK.
But several pieces of the attack puzzle are still missing, according to Cylance, including just how the router was hacked and how exactly the router compromise led the attackers to their targets in the UK.
Kevin Livelli, director of threat intelligence at Cylance, says it's also unclear whether the oil rig manufacturer was a supplier to the UK targets or not. Such a connection might explain how it chose those targets, but Cylance found no such direct connection in its research.
"This is a piece of a larger campaign that we're reporting on here," Livelli says. "We found a decoy document embedded in one of the hashes in malware samples in our continued research into this group. We could tell those decoy documents were being targeted at folks in the energy sector in the UK."
If a victim opened...