UPDATED 22:05 EDT / OCTOBER 22 2017

US warns hackers are targeting energy, infrastructure and manufacturing sectors

The U.S. Department of Homeland Security and the Federal Bureau of Investigation have issued a rare joint statement warning that hackers are targeting firms in the energy, nuclear, water, aviation and critical manufacturing sectors.

The warning, issued last Thursday through the United States Computer Emergency Readiness Team, said malicious actors had been targeting the sectors in a range of attacks dating back to May and that those behind the attacks have managed to compromise some targeted networks. The warning said the attacks often consisted of multistage intrusion campaigns in which hackers first target low-security and smaller networks as a way to gain backdoor access to larger networks at major, high-value targets, particularly in the energy sector.

Those behind the attacks use a number of different stages to gain access to their targets, starting with open-source reconnaissance — that is, the process of gathering publicly available information. They deploy spear phishing campaigns that attempt to trick employees at a target company either to click on a malicious link or to provide further information.

The report also identifies the hackers as gaining access to legitimate organization web pages and then changing them to serve malicious scripts, a technique it describes as “watering-hole domains,” which allows them to gather more information on their target, including credentials. With that information in hand, the hackers then target industrial control systems, including those involved with the day-to-day running of the targeted company.

Neither DHS nor the FBI would comment further on the details of the hacking incidents mentioned in the warning. DHS spokesman Scott McConnell said only that “the technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats.”

Those recommendations include encouraging network users and administrators to implement a range of “detection and prevention guidelines to help defend against this activity,” most of which would be obvious to large enterprise firms but perhaps not so much to smaller ones.

Network administrators are encouraged to implement network and host-based signatures, detection and prevention measures such as IP tracking and logging, persistence detection and perhaps the most obvious recommendation of them all: the implementation of security best practices.

Photo: Vikramdeep Sidhu/Wikimedia Commons
