Cyberattacks on critical infrastructure pose one of the most significant threats to national security in modern history. The specter continues to loom large with the reemergence of activity from the prolific hacking group known as Dragonfly. Bursting onto the scene as early as 2011, the group has recently resurfaced with a swath of attacks across North America and Europe targeting energy suppliers.

As defenders against cyberthreats, it’s crucial that we evaluate the means and methods commonly employed by our adversaries to accomplish their goals. In the case of the most recent Dragonfly group activity, it’s well understood at this point that a multi-pronged approach was used to gain desired access to victims in the energy sector. These methods consisted primarily of spear phishing campaigns, trojanized software and watering hole attacks.

Two of these three techniques (spear phishing and trojanized software) can be categorized as a direct attack on an end user. Direct attacks tend to be easier to identify and easier to thwart. The third avenue of attack, the use of watering hole websites, is an indirect attack on the end user and as such can be harder to detect and protect against.

Dealing with Direct Attack Vectors

While there are many ways to deal with the ‘direct’ attack vectors (discussed above), traditional security best practices hold true here:

Spear Phishing

User education is key, but technical controls can help when training and awareness fail.

  • Because spam filters can’t catch everything, it comes down to how cautious and knowledgeable the targeted user is before clicking a link or downloading an attachment.
  • When user training fails, redundant security controls at multiple levels are essential. Controls on the host and network can potentially thwart this kind of attack.

Trojanized Software

  • Only download software from a trusted location.
  • If possible, limit installation of software to a trusted company resource (i.e., a share drive of software that has been vetted by the IT department).
  • Lock down permissions and implement file integrity monitoring on your trusted installation files.
  • Always verify the hash of downloaded software.*

* Note: While not 100 percent effective if the file source has been replaced (meaning the hash value could also have been compromised), this is still a good practice regardless.
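The last two practices in the list above (file integrity monitoring on the trusted installation files, and hash verification) can be combined into one check, shown here as an added example that is not from the original article. It assumes the baseline manifest is stored somewhere the share's writers cannot edit, which addresses the caveat in the note; the file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Stream the file so large installers are never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file path (relative to the share root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(root, baseline):
    """Compare the share's current state against the baseline taken at vetting time."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }

def demo():
    """Constructed scenario: a vetted share that is later tampered with."""
    with tempfile.TemporaryDirectory() as share:
        share = Path(share)
        (share / "tools").mkdir()
        (share / "tools" / "vpn-client.msi").write_bytes(b"vetted installer A")
        (share / "editor-setup.exe").write_bytes(b"vetted installer B")
        baseline = build_manifest(share)  # recorded right after IT vets the files
        # Changes made after vetting: one replaced, one added, one deleted.
        (share / "editor-setup.exe").write_bytes(b"vetted installer B, repackaged")
        (share / "codec-pack.exe").write_bytes(b"never vetted")
        (share / "tools" / "vpn-client.msi").unlink()
        return audit(share, baseline)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Any non-empty list in the result is a reason to stop installs from the share until the difference is explained.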

Watering Holes

A key takeaway from the attack methodology employed by the Dragonfly group was the targeting of less secure partners instead of their more secure true target, infrastructure providers.

Their preferred tactic to go after this low-hanging fruit is through the use of watering holes. While not a household name yet, watering holes have grown in their use and effectiveness. They involve compromising websites the target trusts and frequently visits. The terminology stems from the symbolism of a predator lying in wait near a source of hydration where they can pounce and devour unsuspecting prey. They are successful because they’re camouflaged amid a trusted website.

Watering hole attacks can be far more effective than a simple phishing attack. Often the recipient of a phishing email will simply delete the offending email, rendering the attack ineffective. By contrast, a watering hole attack takes place when an attacker identifies a website or resource their target trusts. From there, they’ll try to taint or compromise that website or service. So, when a target visits, the attacker can either collect vital information for use in some future targeted attack against their organization or attempt to exploit the web browser to gain access to the internal network right there.

An additional benefit of watering holes for the attacker is that some organizations have very robust defensive safeguards in place and a direct attack may be incredibly difficult. In these cases, the use of a watering hole allows the attacker to target a less secure organization and leverage a trusted relationship to work back into the more secure target environment.

How Threat Actors Create Watering Holes

To identify the ideal target, attackers, like the Dragonfly group, will profile the target and attempt to identify the websites and forums they regularly visit. This can be conducted through social media research, identifying articles employees share or sites they prefer. Another way to identify commonly visited sites is through traffic sniffing. This tactic can identify websites that are popular with the targeted organization.

When the attacker has a list of forums and sites frequented, they’ll attempt to gain control of what content is presented on the watering hole, either through exploiting a vulnerability in the underlying server, the underlying web application or identifying some other means of modifying site contents.

Some established methods to prevent your organization from falling victim to a watering hole include:

  • Ensure malware protection is up-to-date
  • Do not allow untrusted web applications to run
  • Ensure browsers, operating systems and all plugins are up-to-date
  • Utilize secure VMs or sandboxes when visiting third-party sites

Any website can become a watering hole. An industry blog, an online form – it doesn’t matter so long as it provides a launching point for the attacker. Because everyone is a potential target, it’s important that all server administrators treat security as a priority, regardless of who might be directly targeting them, if anyone.
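One check a server administrator could run against their own pages to notice the kind of content modification described above, as an added example that is not from the original article: it lists script, iframe, embed and object sources that load from hosts outside an allowlist. The host names, the allowlist and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that pull in active content, and the attribute that names its source.
WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class ActiveContentAudit(HTMLParser):
    """Collect active-content sources served from hosts the site does not expect."""

    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return  # inline content: compare the page with its deployed copy instead
        host = urlparse(url).hostname  # None for relative (same-site) URLs
        if host is not None and host.lower() not in self.trusted:
            self.findings.append((self.getpos()[0], tag, host.lower()))

def audit_page(html, site_host, allowed_hosts=()):
    """Return (line, tag, host) for every source outside the trusted set."""
    parser = ActiveContentAudit(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a forum page with two sources the owner never added.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.forum.example/lib.js"></script>
</head><body>
<p>Weekly industry thread</p>
<iframe src="//stats.unknown-host.example/c"></iframe>
<script src="https://updates.unknown-host.example/a.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host in audit_page(SAMPLE_PAGE, "forum.example",
                                      ["cdn.forum.example"]):
        print(f"line {line}: <{tag}> loads from unexpected host {host}")
```

Run on a schedule against rendered pages, a new entry in the output is a cue to review recent changes to the site.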

How Armor Helps Organizations Avoid Becoming a Watering Hole

In cyber security, the best defense is just that, a good defense. We know that non-security focused organizations can only cover so much. That’s why at Armor we’ve aligned our talent and technology to help all companies minimize the likelihood of being abused as a watering hole.

Here’s a quick overview of how Armor talent and technology can stymie potential watering holes from the likes of the Dragonfly group:

  • Compromise the underlying server: Armor detects and responds to unauthorized access attempts across our entire customer base to identify ‘bad actors’. An attack against any of our customers informs us and allows us to protect all our customers. Additionally, we monitor for new and trending exploits to engage with our customers to ensure that components of the underlying server aren’t vulnerable.
  • Compromise the underlying web application: Our security stack analyzes network traffic at multiple levels and can alert on and block identified malicious activity targeting a customer’s web application. Armor identifies and prevents many different types of malicious activity. Take XSS (cross-site scripting) and SQLi (SQL injection) for instance. By preventing attempts to perform XSS and SQLi, we can prevent an attacker from modifying the underlying web application to add a new user for more complete control. This also prevents the posting of malicious forum content that may serve an attack to other visitors of your site.

Protecting Critical Infrastructure

It’s abundantly clear that more must be done to ensure that our critical infrastructure, especially in the energy sector, is modernized and protected. The question remains, though, if that will be enough to keep the lights on and water flowing – especially when considering vulnerabilities linked to less secure third parties, like watering holes. These utilities are a community resource, so it shouldn’t be a reach to consider protecting them a responsibility of the community. The tactics employed by the Dragonfly group have the potential to impact all of us, so we can’t ignore our role in defense of critical infrastructure, no matter how insignificant.

It’s Defense 101: you’re only as strong as the weakest link. Don’t be that weak link by skipping security best practices.