Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.
“Targets of interest” refers to organizations that DHS observed the threat actors showing an active interest in, but where no compromise was reported.
Specifically, the threat actors accessed publicly accessible web-based remote access infrastructure such as websites, remote email access portals, and virtual private network (VPN) connections.
The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity.
For a downloadable copy of IOC packages and associated files, see:
Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.
The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.
Analysis also revealed that the threat actors used compromised staging target networks to conduct open-source reconnaissance to identify potential targets of interest and intended targets.
It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks.
DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.
Once actors obtain valid credentials, they are able to masquerade as authorized users.
Stage 3: Delivery
When seeking to compromise the target network, threat actors used a spear-phishing email campaign that differed from previously reported TTPs.
Forensic analysis identified that threat actors are conducting open-source reconnaissance of their targets, gathering information posted on company-controlled websites.