NSA: State-backed attackers are not after your data — they’re targeting CI – Source: securityboulevard.com

Source: securityboulevard.com – Author: Paul Roberts

Advanced persistent threat (APT) crews backed by Russia, China and Iran treat data theft not as a primary objective but as a means to an end, the U.S. National Security Agency (NSA) told attendees at the annual RSA Conference in San Francisco.

NSA’s Cybersecurity Director, David Luber, said in an RSAC session called “State of the Hack” on Wednesday that, as a result of this move by APT actors beyond data theft as a primary driver, companies need to look deeper and longer for signs of compromise than they might previously have assumed. That should include retaining logs for longer, and devoting more resources to analyzing their contents to spot irregularities, Luber said.

Luber was joined on stage by former NSA Cybersecurity Director Rob Joyce, who discussed the current state of exploitation across the internet, including observations about state-based actors and criminal entities.

Sophisticated state hackers targeting critical infrastructure and other high-value targets in the U.S. and elsewhere are more interested in long-term persistence on sensitive networks, and in developing an intimate understanding of how those networks operate, than in espionage and the theft of sensitive intelligence, Joyce told the audience.

“They want to understand the topology and the capability of [Operational Technology] systems. [The goal is] to disrupt business processes at a time of their choosing.” 

Rob Joyce

‘Think differently’ about how to look for evidence of compromises

Joyce said that the attackers the NSA is tracking often go quiet after establishing a presence in target environments, making them hard to detect among the noise of ordinary network activity. “They can burrow deep and come in every 15 or 20 days just to confirm that the (network) topology hasn’t changed significantly,” Joyce said. 

Furthermore, those check-ins by APT groups may take place using legitimate credentials from a compromised or attacker-controlled account, and during normal business hours, making it far more difficult for organizations to flag suspicious behavior. That means organizations trained to look for telltale threat actor behaviors like data exfiltration, or communications to command-and-control (C2) infrastructure or to addresses in sanctioned nations, are unlikely to see any alarms triggered, Joyce said.

In response, the current and former NSA Cybersecurity Directors urged attendees to “think differently” about how they look for evidence of compromises: retaining logs for much longer and devoting more attention to analyzing their contents for subtle signs of compromise. 
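As an added illustration (this is not code from the article, from the NSA or from ReversingLabs), the kind of detection logic the advice above implies, in Python over a constructed 90-day authentication log: ordinary users log on every weekday from their usual workstation, while a compromised account is also used from an unfamiliar host every 15 to 20 days, always in business hours. The account name, IP addresses, log format and thresholds are all assumptions. Grouping logon days by (user, source address) and testing whether they recur at sparse but regular intervals surfaces the check-ins when 90 days of logs are retained, while a 30-day window holds too few events to judge anything.

```python
"""Low-and-slow check-in detection over (constructed) authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical thresholds, chosen for this example (not from the NSA talk).
MIN_EVENTS = 3        # at least two gaps are needed to judge regularity
MIN_GAP_DAYS = 7      # ignore ordinary daily/weekly use of an account
MAX_GAP_DAYS = 45     # beyond this the "check-in" pattern is too sparse to trust
MAX_GAP_CV = 0.35     # coefficient of variation of the gaps: must be fairly even

# Constructed check-in day offsets from the start of the log: gaps of
# 15, 20, 15, 19 and 16 days, all landing on weekdays.
CHECKIN_OFFSETS = (3, 18, 38, 53, 72, 88)


def build_sample_log(start, days):
    """Construct synthetic logon lines of the form 'ISO-timestamp user src_ip'.

    'jsmith' and 'rjones' log on every weekday from their usual workstations.
    The compromised account 'rjones' is additionally used from an unfamiliar
    host (10.20.7.203) at the CHECKIN_OFFSETS, in business hours.
    """
    lines = []
    for d in range(days):
        day = start + timedelta(days=d)
        if day.weekday() < 5:  # Monday..Friday
            lines.append(f"{day.replace(hour=8, minute=55):%Y-%m-%dT%H:%M:%S} jsmith 10.20.1.15")
            lines.append(f"{day.replace(hour=9, minute=10):%Y-%m-%dT%H:%M:%S} rjones 10.20.1.44")
    for d in CHECKIN_OFFSETS:
        day = start + timedelta(days=d)
        lines.append(f"{day.replace(hour=10, minute=30):%Y-%m-%dT%H:%M:%S} rjones 10.20.7.203")
    return lines


def parse(lines):
    """Yield (timestamp, user, src_ip) tuples from the constructed log format."""
    for line in lines:
        ts, user, ip = line.split()
        yield datetime.fromisoformat(ts), user, ip


def find_periodic_checkins(lines, now, retention_days):
    """Return {(user, src_ip): [gap_days, ...]} for every (user, source) pair
    whose distinct logon days, within the retained window, recur at sparse
    and regular intervals. Daily users never pass MIN_GAP_DAYS; a pair seen
    fewer than MIN_EVENTS times cannot be judged at all."""
    cutoff = now - timedelta(days=retention_days)
    days_seen = defaultdict(set)
    for ts, user, ip in parse(lines):
        if ts >= cutoff:                      # simulate the retention window
            days_seen[(user, ip)].add(ts.date())

    flagged = {}
    for key, days in days_seen.items():
        if len(days) < MIN_EVENTS:
            continue
        ordered = sorted(days)
        gaps = [(b - a).days for a, b in zip(ordered, ordered[1:])]
        if not all(MIN_GAP_DAYS <= g <= MAX_GAP_DAYS for g in gaps):
            continue
        if pstdev(gaps) / mean(gaps) > MAX_GAP_CV:
            continue
        flagged[key] = gaps
    return flagged


def demo():
    """Run the detector over the same 90-day log with 30- and 90-day retention."""
    start = datetime(2024, 1, 1)
    lines = build_sample_log(start, 90)
    now = start + timedelta(days=90)
    return {
        "30_day_retention": find_periodic_checkins(lines, now, 30),
        "90_day_retention": find_periodic_checkins(lines, now, 90),
    }


if __name__ == "__main__":
    for window, hits in demo().items():
        print(window, hits or "nothing flagged")
```

With 30 days of logs only the last two check-ins survive the cutoff, so the pair is never evaluated; with 90 days the detector reports `('rjones', '10.20.7.203')` with gaps `[15, 20, 15, 19, 16]`. Nothing about the individual events is anomalous (valid account, business hours, no C2 destination); only the spacing across months is.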

On May 1st, the NSA issued an “Urgent Warning” regarding threats to OT systems. In it, the NSA along with CISA, the FBI, the U.S. Department of Energy (DOE) and other agencies warned that “pro-Russia hacktivists are conducting malicious cyber activity against operational technology (OT) devices and critical infrastructure organizations.” The hacktivists are attacking and compromising what were described as “small-scale OT systems in North American and European Water and Wastewater Systems (WWS), dams, energy, and food and agriculture sectors.”

While those attacks were characterized as “unsophisticated,” the agencies warned that the threat actors “are capable of techniques that pose physical threats against insecure and misconfigured OT environments,” including manipulating human-machine interfaces (HMIs) used to control water pumps and blower equipment so that they exceed their normal operating parameters, turning off alerts and warnings, and changing administrative passwords to lock out the operators.

Luber declined to speak in detail about specific incidents, but said sectors like transportation, energy and government agencies are all being targeted. Joyce added that organizations that had “capabilities that might help the U.S. military mobilize to Southeast Asia” were particular targets of nation-state actors, and should be on alert. 

State-backed APT actors are also targeting civilian infrastructure

State actors are also exploiting weaknesses in civilian infrastructure in the U.S., Europe and other nations to further their campaigns. For example, Chinese APT groups like Volt Typhoon have exploited unsupported, “end of life” small office and home office (SOHO) broadband routers and other edge devices, assembling massive botnets that are used to disguise the origins of malicious attacks.

That means security teams looking for traffic to and from systems in China, Russia or other sanctioned countries as evidence of a compromise may be surprised to see attacks coming from residential IP addresses within their country, instead.

“No professional group is going straight out of those countries.”

—Rob Joyce

*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Paul Roberts. Read the original post at: https://www.reversinglabs.com/blog/nsa-state-backed-attackers-are-not-after-your-data-theyre-targeting-ci

Original Post URL: https://securityboulevard.com/2024/05/nsa-state-backed-attackers-are-not-after-your-data-theyre-targeting-ci/

Category & Tags: Governance, Risk & Compliance, Security Bloggers Network, security operations
