In the alert, issued in October, the FBI and DHS report that the campaign is continuing with “threat actors actively pursuing their ultimate objectives over a long-term campaign”. There are two types of victim. The initial victims are peripheral organisations, such as trusted third-party suppliers with less secure networks. These “staging targets” are infiltrated via various means including spear-phishing emails and attacks on industrial control systems (ICSs).
The attackers then use the staging targets’ networks as pivot points and malware repositories to target their ultimate intended victims and to compromise their networks.
Once inside an intended victim’s network, the attackers search for files related to ICS or Scada systems, such as those containing ICS vendor names and documents with names such as “Scada wiring diagram” or “Scada panel layout”.
The FBI/DHS document (Alert TA17-293A) contains recommendations on detecting and preventing these attacks.
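The search for Scada-related documents described above is itself a detection opportunity: a single account opening several distinct ICS-related files in a short burst is the collection behaviour worth alerting on, while a lone hit is usually an engineer doing their job. The script below is an added example, not code from the alert or from this article, that scores file-access audit records for that pattern. The pipe-delimited log format, the short list of ICS vendor names, the 15-minute window and the three-document threshold are all assumptions chosen for illustration; the sample audit lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Terms drawn from the alert's description of what the attackers look for
# (Scada, "wiring diagram", "panel layout") plus common ICS abbreviations.
ICS_TERMS = [r"\bscada\b", r"wiring\s+diagram", r"panel\s+layout",
             r"\bplc\b", r"\bhmi\b", r"\bics\b"]
# Assumed sample of ICS vendor names; extend this for your own environment.
ICS_VENDORS = ["siemens", "rockwell", "allen-bradley", "schneider",
               "honeywell", "yokogawa"]

ICS_PATTERN = re.compile(
    "|".join(ICS_TERMS + [r"\b" + re.escape(v) + r"\b" for v in ICS_VENDORS]),
    re.IGNORECASE,
)


def is_ics_document(path):
    """True if the file name (directories ignored) matches an ICS-related term."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Treat underscores, dots and hyphens as word separators so that
    # "Siemens_S7_notes.docx" and "PLC-rack.xlsx" still match.
    name = re.sub(r"[_.\-]+", " ", name)
    return ICS_PATTERN.search(name) is not None


def parse_audit_line(line):
    """Parse one constructed 'timestamp|host|user|path' file-access record."""
    ts, host, user, path = line.strip().split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "user": user, "path": path}


def find_ics_recon(lines, min_docs=3, window=timedelta(minutes=15)):
    """Return {user: [paths]} for accounts that read at least `min_docs`
    distinct ICS-related documents within `window`. Thresholds are assumed
    starting points, not values from the alert."""
    hits = defaultdict(list)  # user -> [(timestamp, path)]
    for line in lines:
        event = parse_audit_line(line)
        if is_ics_document(event["path"]):
            hits[event["user"]].append((event["ts"], event["path"]))

    alerts = {}
    for user, events in hits.items():
        events.sort()
        # Slide a window starting at each hit; alert on the first burst found.
        for i, (start, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if t - start <= window}
            if len(in_window) >= min_docs:
                alerts[user] = sorted(in_window)
                break
    return alerts


# Constructed sample: one engineer opening a single diagram during the day,
# and a backup service account sweeping several ICS documents at 2am.
SAMPLE_AUDIT = r"""
2017-10-20T09:02:11|FS01|CORP\engineer1|\\FS01\projects\substation7\Scada wiring diagram.vsd
2017-10-20T09:40:30|FS01|CORP\engineer1|\\FS01\projects\budget2018.xlsx
2017-10-21T02:14:05|FS01|CORP\svc_backup|\\FS01\projects\substation7\Scada wiring diagram.vsd
2017-10-21T02:15:40|FS01|CORP\svc_backup|\\FS01\projects\substation7\Scada panel layout.pdf
2017-10-21T02:16:02|FS01|CORP\svc_backup|\\FS01\vendors\Siemens_S7_config_notes.docx
2017-10-21T02:18:49|FS01|CORP\svc_backup|\\FS01\projects\substation7\PLC_rack_inventory.xlsx
2017-10-21T02:19:10|FS01|CORP\svc_backup|\\FS01\hr\holiday_policy.docx
""".strip().splitlines()


if __name__ == "__main__":
    for user, docs in find_ics_recon(SAMPLE_AUDIT).items():
        print(f"ALERT {user} read {len(docs)} ICS-related documents:")
        for doc in docs:
            print("   ", doc)
```

In the sample, only the service account trips the rule: it touches four distinct ICS-related documents in under five minutes, which is neither a normal backup pattern (backups read everything, not just Scada files) nor an engineer's working pattern. Feed the same function Windows object-access events (4663) or file-server audit logs after mapping them to the four fields, and tune the vendor list and thresholds to your own document names before relying on it.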