Last week, the media reported on an investigation into cyber attacks on the US energy and nuclear sectors, in which Russia is suspected of being involved. The stir arose after the US Department of Homeland Security and the FBI sent warnings to energy companies about intensified hacking activity.
The main suspect in the attacks is the Energetic Bear group, also known as Dragonfly and Crouching Yeti. The group has been active since 2010 and has been attacking enterprises in the electricity sector since at least 2014. Many assumed that the attacks the US authorities were warning about were similar to the attacks on Ukrainian electricity companies that caused power outages in entire city districts in 2015-2016. Those attacks used the purpose-built malware BlackEnergy (2015) and Industroyer (2016).
Cisco Talos experts explained on Friday, July 7, what danger the attacks on US companies actually pose. According to the experts, the campaign consisted of phishing e-mails with which the hackers tried to steal the credentials used to log in to local networks.
Since May 2017, Energetic Bear has been sending malicious e-mails to employees of electricity companies with DOCX files disguised as job seekers' resumes. The initial analysis suggested that the attached files were harmless, since they contained no macros or exploits. However, the researchers stumbled on something suspicious by chance: they noticed an unusual status message displayed by Microsoft Office while the file was loading. Thanks to it, the researchers saw that the DOCX file was silently downloading a Word template from a remote server.
As further research showed, the DOCX file tried to connect to a remote SMB server. By getting the local host to connect to a remote SMB server, the attackers attempted to trick the computer into handing over its credentials. This trick is by no means new and has long been used by hackers.
According to the experts, most of the servers and infrastructure used in the attacks had already been taken down by the time of the study, which suggests that the hackers tried to cover their tracks as quickly as possible.
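The remote template fetch described above works through a standard feature of the DOCX format: the document is a ZIP archive, and an attached template is referenced from `word/_rels/settings.xml.rels` as a relationship with `TargetMode="External"`, whose `Target` can be a UNC path or URL that Word contacts when the file opens. The scanner below, an added example that is not part of the original article or of the Cisco Talos analysis, lists such external relationships so a defender can flag resume-style attachments that point at a remote host before they reach a mailbox. The sample documents are constructed in memory by `build_sample_docx`; the host name `template-host.example` is a placeholder, not an indicator from the campaign.

```python
"""Scan a .docx for relationships that would make Word contact a remote host.

Added example (not from the article). A .docx is a ZIP of XML parts; an
attached template is declared in word/_rels/settings.xml.rels as a
Relationship whose Type ends in "/attachedTemplate" and whose TargetMode is
"External". When Target is a UNC path (\\host\share\...) or an http(s) URL,
Word fetches it on open, which is the silent template download the article
describes and the point at which a UNC target triggers an SMB connection.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Targets that leave the local machine: UNC paths, protocol-relative paths, URLs.
REMOTE_TARGET = re.compile(r"^(\\\\|//|https?://|file://)", re.IGNORECASE)


def find_external_relationships(docx_bytes):
    """Return [(part_name, short_type, target)] for every External relationship
    in any .rels part whose Target points off the local machine."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if REMOTE_TARGET.match(target):
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, short_type, target))
    return hits


def has_remote_template(docx_bytes):
    """True when the document auto-loads a template from a remote location.
    Hyperlinks are also External relationships but only resolve on click,
    so they are reported by find_external_relationships without tripping this."""
    return any(t == "attachedTemplate" for _, t, _ in find_external_relationships(docx_bytes))


def build_sample_docx(template_target=None, hyperlink=None):
    """Construct a minimal .docx in memory (a synthetic sample, not a real capture)."""
    rel_type_base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
                    'wordprocessingml/2006/main"><w:body/></w:document>')
        doc_rels = ['<?xml version="1.0"?><Relationships xmlns="%s">' % REL_NS]
        if hyperlink:
            doc_rels.append('<Relationship Id="rId2" Type="%shyperlink" Target="%s" '
                            'TargetMode="External"/>' % (rel_type_base, hyperlink))
        doc_rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(doc_rels))
        if template_target:
            zf.writestr("word/settings.xml",
                        '<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/'
                        'wordprocessingml/2006/main" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/>'
                        '</w:settings>' % (rel_type_base.rstrip("/")))
            zf.writestr("word/_rels/settings.xml.rels",
                        '<?xml version="1.0"?><Relationships xmlns="%s"><Relationship Id="rId1" '
                        'Type="%sattachedTemplate" Target="%s" TargetMode="External"/>'
                        '</Relationships>' % (REL_NS, rel_type_base, template_target))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host, not an indicator from the campaign.
    sample = build_sample_docx(template_target=r"\\template-host.example\share\resume.dotm")
    for part, kind, target in find_external_relationships(sample):
        print("%s: %s -> %s" % (part, kind, target))
    print("remote template:", has_remote_template(sample))
```

In a mail gateway or sandbox the same check can be run over every Office attachment; a resume that declares an attached template on a UNC path has no legitimate reason to do so and is worth quarantining for review, and the target host is a natural feed for egress-filter and DNS blocklists. Blocking outbound SMB (TCP 445) at the perimeter removes the credential-leak path entirely even if the document is opened.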