Earlier this week, the Department of Homeland Security (DHS) alerted critical infrastructure operators that the Russian hacking group known as “Energetic Bear,” or “Dragonfly,” is behind an ongoing malware campaign, primarily targeting the energy sector in the United States and Europe, with the capability to sabotage the power supply of the attacked countries.
DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which works to reduce risks within and across all critical infrastructure sectors, issued the alert based on information received from two computer security companies, Symantec Corporation and Finland-based F-Secure. The companies indicated that Energetic Bear’s attacks primarily target the US and Spain, followed by France, Italy, Germany, Turkey and Poland.
“ICS-CERT strongly recommends that organizations check their network logs for activity associated with this campaign,” DHS said in an alert on its website. “Any organization experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes.”
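The log check that ICS-CERT recommends, as an added example that is not part of the article or of the DHS alert: a small Python scanner that matches proxy log entries against a list of campaign indicators. The indicator domains and addresses below are constructed placeholders (the alert's real indicators are not reproduced in the article), the log lines are constructed in Squid's native access-log format, and the digest at the end is one way to record the preserved log for the forensic handling DHS also asks for.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder indicators. The ICS-CERT alert supplies the real
# campaign indicators; substitute that list here before a real run.
INDICATOR_DOMAINS = {"placeholder-c2.example", "placeholder-watering-hole.example"}
INDICATOR_IPS = {"192.0.2.10", "198.51.100.7"}  # TEST-NET addresses, constructed

# Constructed Squid native access-log lines:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1404870000.123 245 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/203.0.113.5 text/html
1404870002.456 130 10.1.2.7 TCP_MISS/200 812 GET http://update.placeholder-c2.example/news.php - DIRECT/192.0.2.10 text/html
1404870005.789 88 10.1.2.3 TCP_MISS/200 2048 POST http://198.51.100.7/upload - DIRECT/198.51.100.7 application/octet-stream
1404870009.000 60 10.1.2.9 TCP_MISS/404 300 GET http://intranet.example.org/a - DIRECT/10.0.0.5 text/html
"""


def matching_domain(host, domains):
    """Return the indicator that `host` equals or is a subdomain of, else None."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def scan_proxy_log(text, domains=INDICATOR_DOMAINS, ips=INDICATOR_IPS):
    """Return (line_no, client, indicator) for every log line whose destination
    host or upstream peer matches an indicator; one entry per indicator per line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 10:
            continue  # not a well-formed native-format line; skip rather than guess
        client, url, hierarchy = fields[2], fields[6], fields[8]
        found = set()
        host = (urlsplit(url).hostname or "").lower()
        if is_ip(host):
            if host in ips:
                found.add(host)
        else:
            d = matching_domain(host, domains)
            if d:
                found.add(d)
        peer = hierarchy.split("/", 1)[-1]  # the server the proxy actually reached
        if peer in ips:
            found.add(peer)
        hits.extend((line_no, client, ind) for ind in sorted(found))
    return hits


def evidence_digest(text):
    """SHA-256 of the log as preserved, recorded alongside the copy kept for
    forensic analysis so that later alteration of the copy is detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for line_no, client, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: client {client} reached indicator {indicator}")
    print("log sha256:", evidence_digest(SAMPLE_LOG))
```

Both the requested host and the upstream peer are checked because a watering-hole redirect or a direct-to-IP download can show the indicator in only one of the two fields. The scanner reports every matching client, which is the list an incident responder needs before touching any of the hosts.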
While the attacks initially targeted the defense and aviation industry in the US and Canada, a recent report issued by Symantec indicated that in early 2013, the attacks shifted focus to the energy sector in the US and Europe. According to Symantec, the hacking group now targets “energy grid operators, major electricity generation firms, petroleum pipeline operators, and Energy industry industrial control system (ICS) equipment manufacturers.”
The only logical reasons behind targeting the energy sector, according to Adam Kujawa, head of Malware Intelligence at anti-malware company Malwarebytes, are to keep an eye on developments made to the energy grid in order to “identify if the economy and ability of the country has risen to a dangerous level” or to gain control of the energy grid in the event of a physical attack where the ability to control the power supply would give the attackers an advantage over their adversaries.
“Energy is one of the most valued and often relied upon resources in our society today,” Kujawa said. “If you were to remove that aspect of our lives it would most certainly throw the country into complete chaos, something that an offensive force might want to do rather than try and fight the full force of a country.”
When Symantec first began tracking the Russian hacking group, most of the attacks used spear phishing attempts which involved sending malicious PDF documents attached to emails to the targeted organizations. In 2013, however, the attackers switched tactics to include a new approach using watering hole attacks — attacks that compromise a website by placing malicious code within the page that will launch an attack on visitors — which enabled the hackers to compromise a number of energy-related websites.
“The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities,” Symantec said in its report.
The most ambitious attack vector employed by Energetic Bear targeted three different industrial control systems (ICS) equipment providers by inserting malware into the software bundles made available for download on the companies’ websites. In one case, the vendor did not discover the compromised software until after it had been downloaded 250 times.
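The integrity check that catches a trojanized bundle before it is installed, as an added example rather than anything from the article or from the affected vendors: the operator verifies each download against a SHA-256 manifest obtained from the vendor through a separate, trusted channel. The bundle bytes, the file name and the manifest are all constructed here; `build_manifest` stands in for the vendor-side step only so that the example runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor's downloadable software bundle.
GOOD_BUNDLE = b"ICS-DRIVER-SETUP v1.0\n" + bytes(range(256)) * 8
# The same bundle with a single byte altered, standing in for a trojanized copy.
TAMPERED_BUNDLE = GOOD_BUNDLE[:40] + b"X" + GOOD_BUNDLE[41:]
BUNDLE_NAME = "ics-driver-setup.exe"  # constructed file name


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Vendor side (simulated): emit `<sha256>  <name>` lines in sha256sum format.
    A real vendor signs this manifest and publishes it separately from the
    download site, so swapping the bundle on the web server is not enough."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def parse_manifest(text):
    """Map file name -> expected hex digest; malformed lines are rejected."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_download(name, data, manifest_text):
    """True only if `data` hashes to the digest the manifest lists for `name`.
    A file the manifest does not mention is refused rather than trusted."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    manifest = build_manifest({BUNDLE_NAME: GOOD_BUNDLE})
    print("vendor manifest:\n" + manifest)
    print("genuine bundle verifies:", verify_download(BUNDLE_NAME, GOOD_BUNDLE, manifest))
    print("tampered bundle verifies:", verify_download(BUNDLE_NAME, TAMPERED_BUNDLE, manifest))
```

The check only helps if the manifest does not come from the same web server as the bundle; an attacker who can replace the installer can replace a hash file sitting beside it. In practice that means a signed manifest or a code-signing certificate checked before the installer runs, which is what turns 250 downloads into 250 refusals instead of 250 infections.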
“This attack makes clear the truth that many enterprises are breached but are unaware,” said Steve Hultquist, CIO/VP of Customer Success at RedSeal Networks, a provider of end-to-end network visibility and analytics to prevent cyberattacks. “It also makes it evident that even the most well-defended networks are subject to attack through human error and limited visibility.”
The two primary tools the hacking group uses are Remote Access Trojans (RATs) dubbed Backdoor.Oldrea (also known as Havex) and Karagany. A RAT is a type of malware that gives attackers the ability to access information on the victim’s computer networks as well as to steal data, collect passwords, take screenshots and even download and run files. The majority of the compromised computers were infected by Oldrea, which “acts as a back door for the attackers onto the victim’s computer, allowing them to extract data and install further malware.”
“The real threat associated with these attacks isn’t so much the malware but rather the infection vectors,” Kujawa said. “An attacker who is cunning enough and resourceful enough to make numerous different attempts at infecting individual targets is likely to reach users in places they would least expect.”
Researchers at California-based cybersecurity firm CrowdStrike linked the attacks to Energetic Bear back in 2012. Subsequently, in January 2014 they released a Global Threat Report publicizing the connection between Energetic Bear and the Russian Federation.
“Observed indicators obtained from monitoring this adversary’s activity suggest that Energetic Bear is operating out of Russia, or at least on behalf of Russia-based interests, and it is possible that their operations are carried out with the sponsorship or knowledge of the Russian state,” the CrowdStrike report said.
The Symantec report corroborated the connection between Energetic Bear and Russia made by CrowdStrike, and also indicated that the Russian hacking campaign bears all the marks of a state-sponsored operation. The group has displayed a high degree of technical capability, a range of malware tools and the capability to launch attacks on multiple vectors while compromising third-party websites in the process.
Eric Chiu, president and co-founder of cloud control company HyTrust, warned that the rise of cyberattacks by alleged state-sponsored attackers like Energetic Bear indicates the need for government organizations and companies to “protect their data and networks from the inside-out.”
“Cyberattacks are on the rise — from nation-sponsored attacks and industrial espionage to cyber criminals out to steal personal data,” he said. “Based on this, nobody — corporations, government agencies and energy companies — is immune and security needs to be a top priority rather than an afterthought or insurance plan.”
“Given this trend,” Chiu stressed, “all companies and government organizations should protect their data and networks from the inside-out, assuming the bad guy is already on the network. With that assumption in mind, critical systems should be protected using access controls, role-based monitoring, and data encryption.”
Energetic Bear’s attacks bear resemblance to Stuxnet, a virus allegedly created by the US and Israel that infected Iran’s Natanz nuclear facility in 2007 and destroyed roughly a fifth of Iran’s nuclear centrifuges. Although the attacks conducted by Energetic Bear originally looked solely like an espionage campaign, the hackers possess a range of malware tools and are capable of launching attacks on a number of different vectors, which gives the “attackers a beachhead in the targeted organizations’ networks,” as well as the ability “to mount sabotage operations.”
“Depending on how deep the attackers can get into the energy infrastructure, the damage could be great. Intelligence gained from cyber espionage could be very useful in the right hands and if passwords, IP addresses, usernames, etc. had been pulled from infected systems that could allow attackers onto more secure networks and therefore enable direct control of energy resources. The damage done would be very serious,” Kujawa said.
“The name ‘Energetic Bear’ appears to be well chosen — bears in the wild are fascinating from a distance, but if you think about the damage they can do to you, it gets pretty scary,” said Dr. Mike Lloyd, CTO at RedSeal Networks.
“Some may be grateful that these attacks were ‘only’ espionage, without exercising the immense ability to do harm that experts agree was possible here,” Lloyd said. “Even in the espionage situation, though, it’s troubling geo-politics if any country can gain an advantage in energy supply and distribution by waltzing in through the defenses of major energy companies.”
Lloyd said, “There is a nasty convergence happening as we speak: our lives are getting ever more dependent on reliable, secure availability of energy, but at the same time, the infrastructure of energy companies is getting more complicated. This complexity adds weakness, and multiplies the pathways attackers can exploit. Defenders need to be extra-vigilant, mapping out their attack surface and plugging holes before the next spy (or worse) infiltrates with ease — whether they use USB sticks left in the parking lot, infected menus of restaurants near facilities, infected third party software or access from compromised outside business partners (all of which we have seen recently).”
“This attack makes clear the truth that many enterprises are breached but are unaware,” RedSeal Networks’ Hultquist said. “It also makes it evident that even the most well-defended networks are subject to attack through human error and limited visibility. In this case, it took the attackers an investment in time and an orchestrated design to achieve their objectives, but they were willing to make that gamble and see it through. As this attack shows, effective defenses include not just perimeter efforts, but multi-layered security zoning plus ongoing automated analysis of the implementation of those zones to be sure that the network reflects those best practices. Being able to clearly see your network, its defenses, and the possible paths through it is a critical aspect of your enterprise defense efforts.”
“There are three logical reasons why this group would target the energy sector,” Kujawa said.
First, “To steal IP or at least keep an eye on what new developments are being made to the energy grid in these countries. Such information could be used to identify if the economy and ability of the country has risen to a dangerous level. At the same time, the energy sector could very well be a gateway into more secure avenues. Keeping communications about a country’s power ‘off-the-grid’ is difficult considering the task at hand, and initiatives that might have originated on secure systems and networks within secretive agencies might show up on less secure systems.”
Second, he said, “The energy sector would be an ideal resource to control if there were to be some kind of physical attack against any of these countries. Being able to shut down power for various areas, which would prevent communication as well as any sort of counter attack, at least for a little while would be a great advantage to an invading force.”
And lastly, Kujawa said, “Energy is one of the most valued and often relied upon resources in our society today. If you were to remove that aspect of our lives it would most certainly throw the country into complete chaos, something that an offensive force might want to do rather than try and fight the full force of a country.”