April 6, 2018

Critical National Infrastructure Supply Chain under Sustained Attack: NCSC

The attack has been ongoing since March 2017.

By CBR Staff Writer

The UK’s National Cyber Security Council (NCSC) has warned of an ongoing attack campaign against multiple companies involved in the Critical National Infrastructure (CNI) supply chain – with the hostile attacks focused on engineering and industrial control companies.

The attack, ongoing since March 2017, has involved the harvesting of NTLM credentials via Server Message Block (SMB) using strategic web compromises and spear-phishing.
Target networks are attacked in one of two main ways, the NCSC said in a comprehensive advisory published on Thursday.

1 – The attacker carries out a watering hole attack, compromising a website of interest to the target, and adding a link to a resource located on a malicious fileserver.

2 – The attacker sends a spear-phishing email from a compromised account containing a document of interest. In several instances, stolen CVs have been used, which are configured to load a remote template from the malicious fileserver.

The attacker runs Inveigh, a publicly available PowerShell SMB/HTTP man-in-the-middle tool, on the fileserver and harvests all the NTLM hashes sent to it by the target hosts as they attempt to log on and load the various resources.

The attackers have been highlighted by threat intelligence companies and dubbed Berserk Bear, Energetic Bear, Dragonfly, Havex and Crouching Yeti.

Piers Wilson, Head of Product Management at Huntsman Security, said in an emailed statement: “Organisations must accept that traditional defences – firewalls, anti-virus etc. are simply not enough and emphasis needs to shift away from just blocking attackers, to intelligent and rapid detection, containment and mitigation as soon as an attack begins. In the digital age, everyone – from the government and critical infrastructure organisations to businesses and charities – needs to accept that they can’t stop every attack at the boundary. Shifting focus will help to keep them and the rest of the UK safe.”

For mitigation, the NCSC listed the following approaches.

Mitigating Malware
Preventing Lateral Movement
Network Security
Management Interfaces
Incident Management
