The Treasury Department announced new economic sanctions today on the Russian Federation and on individuals and organizations implicated in interference with the 2016 US presidential elections—just as the Department of Homeland Security released a new warning of new "Russian government cyber activity" aimed at the US government and US critical infrastructure providers.

The sanctions are being carried out as part of an amendment to the Executive Order signed by President Barack Obama in 2015. The Trump administration imposed the new sanctions—the first the administration has imposed under the Countering America's Adversaries Through Sanctions Act (CAATSA), which was passed by Congress last year—a month after officially blaming Russian intelligence for the NotPetya worm.

Treasury Secretary Steven Mnuchin announced the sanctions, explaining that "the administration is confronting and countering malign Russian cyber activity, including their attempted interference in US elections, destructive cyber-attacks, and intrusions targeting critical infrastructure." The new sanctions, he said, are part of "a broader effort to address the ongoing nefarious attacks emanating from Russia. Treasury intends to impose additional CAATSA sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the US financial system."

The election interference, the NotPetya attack, and the nerve-agent attack against a former Russian spy in Britain were cited as the reasons for the new sanctions, along with Russia's actions in Crimea and Ukraine. The new sanctions are aimed at officials of Russia's GRU intelligence agency, as well as at people and organizations indicted by Special Counsel Robert Mueller's investigation: the Internet Research Agency (IRA), Concord Management and Consulting, Concord Catering, and their owner Yevgeny Prigozhin—the man known as "Putin's Chef"—as well as 12 other individuals tied to IRA.

Meanwhile, the Federal Bureau of Investigations and DHS have identified a widespread "multi-stage intrusion campaign," as DHS officials noted in a technical alert published today. The campaign has been active since "at least March 2016," the report noted, targeting "government entities and multiple US critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."

The attacks have used "spear-phishing" emails containing malicious Microsoft Word files against individuals in targeted organizations. The .docx files were loaded with scripts that use a Microsoft Office script that attempts to retrieve a shared file from a server via a Server Message Block (SMB) request. The request, regardless of whether the file existed or not, could trigger an authentication request from the server to the client, allowing the malicious attachment's script to capture a hash of the user's credentials. The script also installed credential-harvesting tools, including Hydra and CrackMapExec, to try to extract the username and password.

Another type of attack, using some of the same approaches, used "watering hole" attacks—targeting legitimate websites to execute malicious JavaScript and PHP scripts that also leverage the SMB request method to obtain credentials, requesting an image file on a remote system with a "file://" URL.

To compromise the sites used to stage their watering-hole attacks, the attackers have used additional spear-phishing emails that contain a .pdf labeled as some sort of contract agreement. The .pdf, entitled ``document.pdf (the name includes the two accent marks), included a shortened URL that, when clicked, opened a webpage requesting an email address and password. The .pdf itself didn't execute a malware download, but the webpage—reached through a long chain of redirects—did.

Once credentials were in hand, the attackers used them to gain access to systems where two-factor authentication wasn't used. They then installed a Tomcat server and a Java Server Pages file, symantec_help.jsp, along with a Windows script named enu.cmd, to give them persistent access to the systems. The files were consistently stored in the directory C:Program Files(x86)\Symantec\Symantec Endpoint Protection Manater\tomcat\webapps\ROOT. The attackers would then install Windows .aspx-based Web shells to get remote access.

The JSP executes the script, which then attempts to create a local administrator account on the system and change the firewall settings on the targeted system. Malicious Windows .lnk files linking to remote resources and changes to the Windows registry were also used to establish a persistent presence on targeted systems.