Hostile state actors compromising UK organisations with focus on engineering and industrial control companies
released on 2018-04-05 @ 08:33:11 PM
In the past year, the NCSC has noted widespread targeting of UK infrastructure
devices by hostile state actors. This has primarily focused on engineering and
industrial control companies and is ongoing.
The targeting is focused on engineering and industrial control companies and has
involved the harvesting of NTLM credentials via Server Message Block (SMB)
using strategic web compromises and spear-phishing.
This advisory highlights the sustained risk to UK companies involved in these
sectors, provides further details on the activity and offers guidance for any
organisations affected.
Further information on this activity was published on 15 March by the US Department of Homeland Security. The activity has also been highlighted previously by threat intelligence companies in open sources as Berserk Bear, Energetic Bear, Dragonfly, Havex and Crouching Yeti.
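Harvesting NTLM credentials via SMB requires an internal host to open an SMB connection to a server outside the organisation, so such connections are worth hunting for in flow or firewall logs. The sketch below is an added example, not part of the NCSC advisory: it flags internal hosts connecting to external addresses on TCP 139 or 445. The key=value log format, the sample records and the use of RFC 1918 ranges as "internal" are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service, SMB over TCP
# Assumption: RFC 1918 space stands in for the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a hypothetical key=value flow-log format.
SAMPLE_FLOWS = """\
ts=2018-04-05T09:12:01Z src=10.20.1.15 dst=10.20.0.5 dport=445 proto=tcp action=allow
ts=2018-04-05T09:12:07Z src=10.20.1.15 dst=198.51.100.23 dport=445 proto=tcp action=allow
ts=2018-04-05T09:13:40Z src=10.20.3.8 dst=203.0.113.77 dport=443 proto=tcp action=allow
ts=2018-04-05T09:14:02Z src=10.20.3.8 dst=198.51.100.23 dport=139 proto=tcp action=deny
malformed line without fields
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Return the record's fields as a dict, or None if it is unusable."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"src", "dst", "dport", "proto", "action"} <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["src"], fields["dst"] = (ipaddress.ip_address(fields[k]) for k in ("src", "dst"))
    except ValueError:
        return None
    return fields

def find_external_smb(log_text):
    """Map each internal source host to its SMB flows towards external hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp" or f["dport"] not in SMB_PORTS:
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            hits[str(f["src"])].append((f.get("ts", "?"), str(f["dst"]), f["dport"], f["action"]))
    return dict(hits)

def exposed_hosts(hits):
    """Hosts with at least one allowed flow, i.e. the connection left the network."""
    return sorted(h for h, flows in hits.items() if any(fl[-1] == "allow" for fl in flows))

if __name__ == "__main__":
    found = find_external_smb(SAMPLE_FLOWS)
    print(found, exposed_hosts(found))
```

Hosts returned by `exposed_hosts` had an SMB connection permitted to an external address and are the ones to examine first; denied flows still show that something on the host attempted the connection.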