Hackers are targeting companies connected to the UK’s critical national infrastructure, the National Cyber Security Centre (NCSC) has warned.
The campaign against critical national infrastructure (CNI) has been taking place since at least March 2017 and is ongoing, according to an industry advisory notice circulated by the NCSC.
Cybersecurity companies which have identified very similar campaigns include Symantec, BAE Systems and Kaspersky Labs, who have suggested that the hackers may be based in Eastern Europe.
The hacking group is believed to conducting a cyber espionage campaign covering a broad range of targets connected to CNI through supply chain attacks.
Such attacks target computers which are not directly connected to the ultimate target’s network and are a technique for compromising victims who might have very thorough security at their immediate perimeter.
In January, NCSC head Ciaran Martin said it was a matter of “when, not if” the UK was victim to a category one cyberattack targeting CNI.
The ultimate aim of such attacks is most often assumed to be sabotage, but the nature of an implant within a computer system means that it can be used to look into the system’s workings as well as disrupt them.
The hackers have been aiming to infect engineering and industrial control companies by strategically compromising particular websites in “watering hole” attacks, where they add a link to a resource located on a malicious file server.
Spear-phishing emails have also been detected, often including stolen CVs which are loaded with malware to take control of the victim’s computer.
Dr Adrian Nish, the head of Threat Intelligence at BAE Systems Applied Intelligence told Sky News: “This is a classic supply-chain attack – where the culprits hack into small companies initially and use them as stepping stones in targeting larger organisations.
“The larger organisations would typically be customers of theirs, hence an inherent trust relationship already exists.
“Here the attackers are focused on the energy sector as their end targets, and leverage engineering firms supplying specialist technology to stage further attacks – either via email, compromising their websites, or even placing malware into software updates.
“It is widespread activity, though focused on Western Europe, the UK, and US. This is not a new campaign, but supply chain vulnerabilities represent an ongoing risk to organisations,” Dr Nish added.
Kaspersky Lab suggested that because the adversary was not deploying zero-day exploits (exploits which had never been seen before, leaving security researchers with “zero days” to respond to them), it was not a very sophisticated campaign.
However, Symantec noted that part of a similar threat actor’s methodology meant that it was not possible to definitively identify its origins – suggesting that the group wants to make it difficult to identify who is behind the campaign.
The company described the threat actor it has identified as an “accomplished attack group” which has carried out “targeted attacks on energy sector targets since at least 2011”.