The National Cyber Security Centre (NCSC) has warned of a sustained cyber attack against UK companies. The target of the attack are those involved in the Critical National Infrastructure (CNI) supply chain.
The NCSC reports that the attacks have been ongoing since March 2017. It has issued an advisory which can be downloaded here.
This advisory is just the latest in a string of reports looking at vulnerabilities in the UK CNI. In February, Anomali published a report showing risks across the CNI. This was followed in March by Dragos highlighting risks to Industrial Control Systems.
The UK is not the only country to come under attack. The US Department of Homeland Security has issued its own warning over attacks on CNI. Both organisations have called out Russian-backed groups as being responsible for the majority of the attacks.
Why is the CNI supply chain under attack?
Attacks against supply chains are often more successful than attacks against large entities. Many of the organisations in the supply chain are small to medium-sized companies. This means that they often lack the cyber skills and defences of larger organisations. Successful attacks provide a foothold into larger organisations and CNI. This is because of the increasing integration of the supply chain and ERP.
Successful supply chain attacks can compromise large sections of CNI and other industries. If an attacker can compromise an industrial control system (ICS) at source, it can use that ICS to compromise large numbers of systems. This is made easier for attackers by poor software practices at smaller suppliers.
How do the attacks work?
The NCSC advisory details the attack chain.
- Attackers use a mix of watering hole and spear phishing attacks. A successful attack infects a local device which establishes communication with a remote fileserver under the control of the attackers.
- PowerShell scripts on the attackers server captures NTLM hashes. These contain user security credentials.
- Hashes are replayed against the network or cracked to revealed user credentials.
- Attackers identify all the file shares on the server and place shortcuts, using icons, in each share. The links and icons link back to the remote fileserver.
- Opening and even viewing causes every host machine to send its NTLM hashes to the remote fileserver.
- In addition to using stolen credentials to expose more of the network, attackers also deploy additional tools to get deeper into the network. NCSC also reports that attackers have also added additional domain admin accounts to the network.
The ability to gather security credentials allows attackers to compromise email accounts. This helps spread attacks to a wider audience. For the supply chain, this attack also exposes relationships between organisations. Attackers are able to access file shares on other organisations networks. This allows them to spread the attack to a new site and widen their attacks.
The NCSC has listed 16 tools/methods that are being used in these attacks. They range from infected word documents to Javascript and PowerShell code. The majority of these tools are publicly available which means that they are well known but also easily obtained and used.
Why does this matter
There are multiple reasons for attacking CNI. The most obvious is to cause significant disruption to a country by shutting down power grids or other systems. This is what Russian-backed hacking groups did in Ukraine using the Crash Override malware. It is not the only energy company attack. In 2016 security vendor SentinelOne reported an attack called SFG which targeted ICS systems at European energy companies.
Russia is not the only state actor supporting groups carrying out these attacks. Intelligence agencies from numerous countries from around the world provide money, tools and training to friendly groups. They are then given target lists of organisations to go after.
CNI disruption is also not the only goal here. Theft of intellectual property, money and information on commercial deals are also key targets of these attacks. This means that it is not just organisations in the CNI supply chain who are targets. Smaller organisations who are the easy targets may not even think of themselves as being part of a large supply chain. However, their weak cybersecurity stance often makes them the gateway to other companies.
There are a number of resources listed by the NCSC at the bottom of their advisory. All of these are useful reading for organisations concerned about their cybersecurity defences.
