TARGET COUNTRIES: U.S. (MAY 2017); EUROPE (MARCH 2017) (SUSPECTED)
TARGET SECTOR: ENERGY/CRITICAL INFRASTRUCTURE
TTPS: MALICIOUS DOCUMENTS, STRATEGIC WEB COMPROMISE/WATERING HOLE (POSSIBLE)
There has been significant media attention around a campaign likely by a nation-state actor targeting energy organizations in the U.S. including entities operating nuclear facilities. Although there does not appear to be any direct evidence in the open source at this time, media reports indicated that U.S. government officials have linked the campaign to Russia.
Initial warning appears to have come in the form of a joint DHS-FBI bulletin at the end of June. This alert is not publicly available, but the team over at Talos released a blog on July 7 that appears to detail at least part of this campaign. The Cyber Intelligence and Policy Project (CIPP) dug into the Talos analysis and discovered a couple unreported items of interest related to this campaign:
- The actor behind the U.S. operation was likely active at least as far back as March 2017 possibly targeting similar Energy/Critical Infrastructure entities in Europe.
- Indicators that may be related to the “watering hole” element of this campaign.
Malicious Document Deployed in March 2017
This all begins with the three IP addresses provided at the end of the Talos blog post:
Googling the 184[.]154[.]150[.]66 reveals a very interesting file (MD5: 3c432a21cfd05f976af8c47a007928f7) submitted to the Hybrid Analysis platform on July 10, 2017. The file name “Report03-23-2017.docx” suggests that this document may date back to March. A look at publicly available information in VirusTotal for this file supports a March deployment timeframe as it shows a ZipModifyDate of March 24, 2017 and shows that the file was first submitted to the platform on that same day.
Analysis of this document reveals that it is extremely similar to those reported in the Talos blog. Most notably, the March document contained the same template injection code reported by Talos.
As the screenshots show, both contain the same unique “rId1337” Relationship ID and both use the same [remote IP address]/[*.dotm] URL target format. Furthermore, the March document contains the 184[.]154[.]150[.]66 IP address that Talos links to the U.S. campaign.
The decoy displayed by the March document may shed some light on the general nature of its intended targets.
The content refers to the “Donegal 110Kv Project.” Open source information shows that this is the name of a project for installing overhead power lines in Ireland suggesting a possible target or targets in that country or more broadly within Europe. A recent Bloomberg article hinted that critical infrastructure targets in Europe may have also been affected by this campaign strengthens this possibility. This is bolstered by recent statements from employees at FireEye that the actor behind this campaign targeted organizations in Europe and the Middle East, specifically Ireland and Turkey.
Indicators Possibly Related to Watering Hole Activity?
In addition to the March document, open source analysis of the 184[.]154[.]150[.]66 and 5[.]153[.]58[.]45 IP addresses provided in the Talos blog post reveals what could be indicators of reported strategic web compromise or "watering hole" activity used in this campaign.
There is still a lot that is unknown about this campaign. U.S. government officials have gone on the record pointing the finger at a Russian actor, but there is no publicly available information that provides clear overlap to a known group. What does appear to be clear is that the actor responsible for the U.S.-focused campaign reported on in the Talos blog post was active in March 2017 possibly targeting similar organizations in Europe.