Content, Breach, Channel partners, Security Program Controls/Technologies

Cylance Uncovers Threat Actor Used to Target Critical Infrastructure


Cylance, a company that provides artificial intelligence-based advanced threat prevention solutions, has discovered a threat actor used to target critical infrastructure. The threat actor was found on a compromised Cisco router, according to a prepared statement.

The news comes just days after U.S. officials said Russian cyberattackers gained access to U.S. and European critical infrastructure.

The U.S. government last week announced sanctions against "Russian cyber actors" for interference in the 2016 presidential election and NotPetya attack, Cylance pointed out. At this time, the U.S. government alluded to the fact that "Russian government cyber actors ... targeted U.S. government entities and multiple U.S. critical infrastructure sectors," according to the company.

To date, the U.S. government has issued three warnings about a threat actor that targeted energy, nuclear power and other critical infrastructure sectors. The threat actor, referred to as DragonFly, Energetic Bear, Crouching Yeti, DYMALLOY and Group 24, has been investigated by Cylance and other cybersecurity firms.

The threat actor initially was exposed in 2013 and 2014 but went dark for about a year, Cylance indicated. In early 2015, the threat actor was used to target energy companies in Ireland, Turkey and other countries. Cylance also found additional targets from earlier periods, including a mining and power company in Kazakhstan.

Cylance most recently discovered the same threat actor compromised a Cisco router used by one of Vietnam's largest oil rig manufacturers. The threat actor attempted to access user credentials, Cylance said, and these credentials later were used to attempt to penetrate UK energy companies around March 2017.

Furthermore, Cylance observed a phishing operation that targeted energy sector organizations in the UK. The cyberattacks began using two phishing documents, Cylance stated, and relied on Windows' Redirect to SMB feature.

Key Takeaways from Cylance's Findings

Detection of compromised routing infrastructure for collection or command and control purposes is "relatively rare," Cylance indicated. In many instances, a router's firmware and other security tools often fail to provide organizations with the ability to identify or investigate cyberattacks.

Yet a threat actor that targets critical infrastructure is "a serious and worrisome discovery," Cylance stated. Vulnerabilities in core infrastructure like routers are not easy to close or remediate, Cylance said, and businesses and governments must find ways to detect and address these issues.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.