Document Indicates U.S. Energy/Critical Infrastructure Campaign May Have Hit Europe in March

 

TARGET COUNTRIES: U.S. (MAY 2017); EUROPE (MARCH 2017) (SUSPECTED)

TARGET SECTOR: ENERGY/CRITICAL INFRASTRUCTURE

TTPS: MALICIOUS DOCUMENTS, STRATEGIC WEB COMPROMISE/WATERING HOLE (POSSIBLE)

There has been significant media attention around a campaign, likely run by a nation-state actor, targeting energy organizations in the U.S., including entities operating nuclear facilities. Although there does not appear to be any direct evidence in open sources at this time, media reports indicate that U.S. government officials have linked the campaign to Russia.

The initial warning appears to have come in the form of a joint DHS-FBI bulletin at the end of June. This alert is not publicly available, but the team over at Talos released a blog on July 7 that appears to detail at least part of this campaign. The Cyber Intelligence and Policy Project (CIPP) dug into the Talos analysis and discovered a couple of unreported items of interest related to this campaign:

  • The actor behind the U.S. operation was likely active at least as far back as March 2017, possibly targeting similar Energy/Critical Infrastructure entities in Europe.
  • Indicators that may be related to the “watering hole” element of this campaign.

Malicious Document Deployed in March 2017

This all begins with the three IP addresses provided at the end of the Talos blog post:

  • 184[.]154[.]150[.]66
  • 5[.]153[.]58[.]45
  • 62[.]8[.]193[.]206

Googling 184[.]154[.]150[.]66 reveals a very interesting file (MD5: 3c432a21cfd05f976af8c47a007928f7) submitted to the Hybrid Analysis platform on July 10, 2017. The file name “Report03-23-2017.docx” suggests that this document may date back to March. Publicly available information in VirusTotal for this file supports a March deployment timeframe: it shows a ZipModifyDate of March 24, 2017 and shows that the file was first submitted to the platform on that same day.

Analysis of this document reveals that it is extremely similar to those reported in the Talos blog. Most notably, the March document contained the same template injection code reported by Talos.

[Screenshot] Template Injection Code from March 2017 Document

[Screenshot] Template Injection Code from Document Analyzed by Talos Related to Recent U.S. Campaign

As the screenshots show, both contain the same unique “rId1337” Relationship ID and both use the same [remote IP address]/[*.dotm] URL target format. Furthermore, the March document contains the 184[.]154[.]150[.]66 IP address that Talos links to the U.S. campaign.
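Defenders can look for exactly this structure inside the document package itself, since a remote template is declared as an External relationship in one of the .rels parts. The following Python script is an added example (not code from the CIPP post or from Talos): it unpacks a .docx in memory and flags any relationship that attaches a template from a remote URL; the sample document, its rId1337 relationship and the placeholder IP 192.0.2.10 are constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Remote [IP or host]/[*.dotm] targets, the URL format described in the post
REMOTE_DOTM = re.compile(r"^(https?|file)://.*\.dotm?(\?.*)?$", re.IGNORECASE)

def find_remote_templates(docx_bytes):
    """Return (rels_part, rId, target) for every External relationship that
    attaches a Word template or points at a remote .dot/.dotm file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                is_template = rel.get("Type") == ATTACHED_TEMPLATE
                if external and (is_template or REMOTE_DOTM.match(target)):
                    hits.append((name, rel.get("Id"), target))
    return hits

def build_sample_docx(template_target, target_mode="External"):
    """Construct a minimal .docx (constructed test input, not a real sample)
    whose settings part attaches a template through relationship rId1337."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1337"/></w:settings>')
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1337" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="{target_mode}"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("http://192.0.2.10/template.dotm")  # placeholder IP
    for part, rid, target in find_remote_templates(sample):
        print(f"{part}: {rid} -> {target}")
```

A template attached from a local path (TargetMode="Internal") produces no hit, so the check isolates the remote-loading behaviour rather than the mere presence of an attached template.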

The decoy displayed by the March document may shed some light on the general nature of its intended targets.

[Screenshot] March Document Decoy Content

The content refers to the “Donegal 110Kv Project.” Open source information shows that this is the name of a project for installing overhead power lines in Ireland, suggesting a possible target or targets in that country or more broadly within Europe. A recent Bloomberg article that hinted that critical infrastructure targets in Europe may also have been affected by this campaign strengthens this possibility. This is bolstered by recent statements from employees at FireEye that the actor behind this campaign targeted organizations in Europe and the Middle East, specifically Ireland and Turkey.

Indicators Possibly Related to Watering Hole Activity?

In addition to the March document, open source analysis of the 184[.]154[.]150[.]66 and 5[.]153[.]58[.]45 IP addresses provided in the Talos blog post reveals what could be indicators of the reported strategic web compromise, or "watering hole," activity used in this campaign.

As the screenshots above show, 184[.]154[.]150[.]66 and 5[.]153[.]58[.]45 have not only .dotm files linked to them, but also .png files and, in one instance, a JavaScript file. The Talos post only mentions the malicious documents as containing .dotm-related URLs, with no mention of image or JavaScript files. If the .png and .jspa files are not linked to the use of malicious documents, it is possible that they are linked to the “watering hole” element of this campaign, which was very briefly mentioned in the media. CIPP was unable to obtain any of these files, and their purpose remains unknown.

Conclusion

There is still a lot that is unknown about this campaign. U.S. government officials have gone on the record pointing the finger at a Russian actor, but there is no publicly available information that provides clear overlap with a known group. What does appear to be clear is that the actor responsible for the U.S.-focused campaign reported in the Talos blog post was active in March 2017, possibly targeting similar organizations in Europe.