forked from splunk/security_content
dhs_report_ta18_074a.yml
name: DHS Report TA18-074A
id: 0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef
version: 2
date: '2020-01-22'
author: Rico Valdez, Splunk
description: Monitor for suspicious activities associated with DHS Technical Alert
  US-CERT TA18-074A. Some of the activities that adversaries used in these compromises
  included spearphishing attacks, malware, watering-hole domains, and more.
narrative: 'The frequency of nation-state cyber attacks has increased significantly
  over the last decade. Employing numerous tactics and techniques, these attacks continue
  to escalate in complexity. \
  There is a wide range of motivations for these state-sponsored hacks, including
  stealing valuable corporate, military, or diplomatic data, all of which could
  confer advantages in various arenas. They may also target critical infrastructure.
  \
  One joint Technical Alert (TA) issued by the Department of Homeland Security and the FBI
  in mid-March of 2018 attributed some cyber activity targeting utility infrastructure
  to operatives sponsored by the Russian government. The hackers executed spearphishing
  attacks, installed malware, employed watering-hole domains, and more. While they
  caused no physical damage, the attacks provoked fears that a nation-state could
  turn off water, redirect power, or compromise a nuclear power plant.\
  Suspicious activities such as spikes in SMB traffic, processes that launch netsh (to modify
  the network configuration), suspicious registry modifications, and many more may
  all be events you wish to investigate further. While the use of these techniques
  may be an indication that a nation-state actor is attempting to compromise your
  environment, it is important to note that these techniques are often employed by
  other groups as well.'
references:
- https://www.us-cert.gov/ncas/alerts/TA18-074A
tags:
  analytic_story: DHS Report TA18-074A
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection