DHS & FBI warn of attacks against US energy & manufacturing companies and employees

Issue
DHS and the FBI released a TLP:AMBER report warning US energy sector and manufacturing companies about ongoing cyber operations. These operations include sophisticated physical and cyber attacks, as well as activities targeting employees and operators with the aim of infiltrating air-gapped networks.

Impact
Our customers in the energy sector have seen scanning and attacks increase in the last month, but one interesting twist in the report is the targeting of individual employees in order to infiltrate secure networks. Many details regarding the attacks are now known to the public, in part because an irresponsible organization shared a TLP:AMBER report with the press. The approach of going after operators and employees to reach secure networks is reminiscent of how GCHQ hacked into Belgacom's NOC.
This warning comes almost one month after Robert Lee and his team at Dragos released their research on the CRASHOVERRIDE malware, along with ESET's analysis of Industroyer. Keep in mind that Robert Lee will be presenting details on CRASHOVERRIDE at Black Hat in just a few weeks.

Recommendations
Your key operations and security staff should be trained in operational security (opsec). Include physical security tests, and assessments that target specific roles and personnel, as part of your routine security assessments.

Additional Resources

News regarding recent hacking of nuclear plant:

CRASHOVERRIDE:
Historical piece on GCHQ targeting Belgacom employees: