back to article US energy, nuke and aviation sectors under sustained attack

The United States' Department of Homeland Security has issued an alert that warns of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.” The alert says an unknown actor has been at it since May 2017 and has …

  1. Mark 85

    The alert doesn't say what damage, if any, the attacks have wrought.

    Reconnaissance then? Find the weak spots and note them. If and when all hell breaks loose, use them.

    1. Anonymous Coward
      Anonymous Coward

      Find the weak spots

      That would be anyone clicking on links in an email. Would it be legal to send emails to your own employees to identify these individuals and then "allow them to pursue new opportunities" before they have the chance to compromise your company?

      1. imanidiot Silver badge

        Re: Find the weak spots

        The problem is they go after "high-value targets". I.e. upper-manglement. The types that don't get fired for being idiots, and the types more likely to be idiots when it comes to IT. Which further supports my notion that while upper management can be a necessary evil, they should not have access to any actually operationally sensitive data. Accounts spreadsheets and the like is just fine, but there is no need for them to access wiring diagrams, product drawings or production data. Sort of an internal firewall around manglement if you will.

      2. NBCanuck

        Re: Find the weak spots

        "Would it be legal to send emails to your own employees to identify these individuals and then "allow them to pursue new opportunities" before they have the chance to compromise your company?"

        Actually our company DOES send out test emails, though I believe it is more for testing and educating - at least I am not aware of any more serious action being taken.

        All email coming from outside our enterprise is automatically delivered with red text at the top saying "External Email" so at least it is harder for someone to spoof coming from a legitimate company employee. My thoughts are that if they fail this one "education" should only be an option the first time.

  2. ThatOne Silver badge

    Well, some companies already do that kind of tests, but usually they are followed by education rather than punishment (throwing out 90% of your workforce might create some problems in the short term, and there is no guarantee that their replacements will be any better anyway).

  3. Anonymous Coward
    Anonymous Coward

    Attack timings

    Strangely follow UK mid-evening hours and seem to ease up during Coronation Street and cup of tea time...

  4. Pascal Monett Silver badge
    Facepalm

    "depressingly-familiar tactics"

    Yes, it is quite depressing that people still haven't cottoned on to the idea that a complete stranger does not send you confidential documents out of the blue.

    I receive invoices and such from people I don't know. After a "yeah, sure" moment, I check the originating address to be sure and, generally, that's when the game is up. Either the domain has nothing to do with the purported origin (eg. a mail from Microsoft that is sent from a Gmail account), or worse, it supposedly came from my own domain (I am one of three users in my domain).

    It doesn't take more than two brain cells to figure out that a message from SomeGuy2748 is not a professional source. There is no company on Earth that registers its employees like that, ergo no professional mail can come from such a source.

    And yet people still get taken in by such stupid shenanigans.

    1. JimC

      Re: a complete stranger does not send you confidential documents out of the blue.

      Even more depressingly I have had genuine confidential documents from complete strangers out of the blue, not to mention documents from out of the blue that purport to be or genuinely are from people who aren't complete strangers, and I have come across companies who have user names like SomeGuy2748. I can read email headers and readily spot messages that are not what they say they are, but the average user can not.

  5. Anonymous Coward
    Anonymous Coward

    A hint to recruiters...

    '...spear-phished them with emails bearing subject lines such as “AGREEMENT & Confidential” containing benign attachments that “prompted the user to click on a link should a download not automatically begin.”'

    And I suppose we are meant to believe that someone in a position of trust and responsibility was so incredibly dumb and irresponsible as to fall for those?

    1. imanidiot Silver badge

      Re: A hint to recruiters...

      Yes. Especially in big companies people don't generally get to top management positions by being smart, critical and sharp witted.

      1. iron Silver badge

        Re: A hint to recruiters...

        Even people who are "smart, critical and sharp witted" can fall for phishing emails. A good example is the "I'm stuck in another country and have lost my wallet, phone, etc please send me money to get home" email from a friend's address. I know one very intelligent CEO who would have fallen for that if he hadn't mentioned it to me first. Non-IT people have never heard of these standard phishing scams so the messages look legit to them.

  6. Anonymous Coward
    Anonymous Coward

    Utterly unsurprising

    Although the attacks described were most likely nothing to do with any state actors, the US government would have no right to complain - or to be surprised - if they were mounted by such actors.

    For years the US government has been making rousing speeches about "the threat from China", "the threat from Russia", the threat from Iran", and recently even - hilariously - "the threat from Venezuela". It has also proceeded to talk about how it is budgeting generous funds to hire and train specialists whose job it is to attack other nations' infrastructure should they be deemed to have stepped out of line.

    It wouldn't be amazing if some of them thought, "we might as well just do what we are being blamed for anyway - and get ready for the balloon to go up if and when it does".

    Reminds me of the wonderful scene in "The Life and Times of Judge Roy Bean" where this big ugly gunfighter challenges Bean (Paul Newman) to a duel. Right on time, the black hat shows up in front of the courthouse steps, calling the odds and shouting for Bean to come out and fight. Then the take switches to a warehouse window about fifty yards behind the black hat, where Bean lies comfortably prone on a bed of straw with his rifle aimed squarely at the middle of the black hat's back...

    As Sun Tzu puts it, "Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win".

  7. amanfromMars 1 Silver badge

    Stupid Activity for Dummies

    If you are targeted with a smart spear phishing email/document which purports to be able to lead and provide one with outstanding new goodies which one would certainly be interested in testing/enjoying, is a greater danger realised whenever the products alluded to are readily available and will be delivered elsewhere to competitors and/or opponents if one does not choose to investigate further?

    One is then extraordinarily rendered in an instant, a follower rather than leader of outstanding new developments.

  8. John Smith 19 Gold badge
    Unhappy

    "Staging targets held preexisting relationships with many of the intended targets.”"

    So just like STUXNET then?

    "initiating downloads of documents using Server Message Block."

    Another feature of the NSA toolkit that works beyond Windows XP?

    Looks like recon to work out what H/W they should focus developing malware for (if they don't have any in stock). Unless of course they are planning actual physical entry.

    It seems someone is using the US cyber warefare play book against them.

    For some reason I keep hearing the voice of Alan Rickman in my head saying "You ask for a miracle. I give you the FBI."

    I'm not sure why. :-(

    1. defiler

      Re: "Staging targets held preexisting relationships with many of the intended targets.”"

      I'm not sure why. :-(

      Because it's only 9 weeks until Chrismas?

    2. THMONSTER

      Re: "Staging targets held preexisting relationships with many of the intended targets.”"

      Because the weather outside is frightful?

  9. Anonymous Coward
    Anonymous Coward

    Maybe it is time to start using text only e-mail clients - no clikey links or other stupidity and the admins can setup good spam rules in the firewall, or even setup a fast Bayesian spam filter to cull the garbage.

    1. JimC

      > time to start using text only e-mail clients

      IMHO there was never a time to stop using them. It was obvious from day 1 that html capable email and clicky links would be a delight for the malign.

  10. allthecoolshortnamesweretaken
  11. Anonymous Coward
    Facepalm

    Stupid people...

    Next we will see a resurgence of people getting spearphished because they answered emails from the putative assistant of a deposed Nigerian prince who happens to have left $9 million in a bank account when he went into exile....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon