Malicious hackers are using vulnerabilities in third party suppliers to gain access to government entities and critical infrastructure, according to a recent alert by the Department of Homeland Security’s United State’s Computer Emergency Readiness Team.

“Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks,” the alert said. “This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks.”

According to the report, the hackers targeted specific third party organizations that they knew would provide access to government entities, then created fake credentials within that organization to give them access to the intended targets.

A DHS official told Federal Times that the hackers took information on industrial control systems and created illegitimate accounts within the targeted network. However, they are not yet using the information to access those systems, making the theft concerning but not an emergency situation.

“The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication is not used,” the alert said. “Once inside of an intended target’s network, the threat actors downloaded tools from a remote server.”

The hackers used a variety of methods, including spear-phishing with information obtained from company websites, as well as watering hole attacks that used malicious code on legitimate sites to trick users into providing their credentials.

“Forensic analysis identified that threat actors are conducting open-source reconnaissance of their targets, gathering information posted on company-controlled websites,” the alert said. “This is a common tactic for collecting the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information.”

According to a September Symantec report referenced in the alert, a group known as Dragonfly, originally in operation since 2011, resurfaced from inactivity in 2015 and has been targeting the energy sector.

× Need a daily brief? We've got you covered. Sign up to get the top Cyber headlines in your inbox every weekday morning. Thanks for signing up. By giving us your email, you are opting in to the Daily Brief.

“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” the Symantec report said.

Dragonfly targeted companies using emails with content very specific to the energy sector, along with general business concerns.

“As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector,” the Symantec report said. “The stolen credentials were then used in follow-up attacks against the target organizations. In one instance, after a victim visited one of the compromised servers, Backdoor.Goodor was installed on their machine via PowerShell 11 days later. Backdoor.Goodor provides the attackers with remote access to the victim’s machine.”

According to Symantec, the earlier behavior by Dragonfly combined with their behavior since 2015, indicates that the group may be moving from an intelligence-gathering campaign to a sabotage campaign.

“Sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns. The most notable examples of this are Stuxnet and Shamoon, where previously stolen credentials were subsequently used to administer their destructive payloads,” the Symantec report said.” The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”

The US-CERT alert provided indicators of compromise for network administrator reference and recommended that they “review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization.”