DHS Report TA18-074A
Description
Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic
- Last Updated: 2020-01-22
- Author: Rico Valdez, Splunk
- ID: 0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef
Narrative
The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. There is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. One joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant. Suspicious activities–spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more–may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.
Detections
Reference
source | version: 2