Hackers Target Energy Firms'Energetic Bear' Attack Gains Remote Control Capability
Attackers with apparent ties to Russia are behind a long-running hacking campaign dubbed "Energetic Bear," targeting U.S. and Western European energy firms.
One of the group's more insidious attack techniques is to reach intended targets by infecting energy industry software vendors' updates with malware. This type of "watering hole" attack -- hacking into a site to distribute "Trojanized" updates -- was seen as recently as April 2014. According to Finnish security firm F-Secure, PCs infected by Energetic Bear were being actively managed by attackers as recently as June 23.
Symantec, which calls the hacking group "Dragonfly," first spotted related attacks in 2011. "Dragonfly initially targeted defense and aviation companies in the U.S. and Canada before shifting its focus to U.S. and European energy firms in early 2013," says Symantec.
To infect victims, Energetic Bear has long relied on phishing emails, plus exploit kits that redirect PCs to malicious websites. Last year, however, the group began hacking into industrial control systems vendors' update sites and Trojanizing legitimate software updates by infecting them with malware, says Symantec. Once users download and run the Trojanized updaters, attackers potentially then gain backdoor access to the organization's network, as well as its supervisory control and data acquisition industrial control software.
To date, says Symantec, the Trojanized software attacks have compromised a VPN access tool for programmable logic controller devices - the update was downloaded by customers 250 times before the compromise was detected; a device driver for a European PLC manufacturer; and in April 2014, software used to manage "wind turbines, biogas plants, and other energy infrastructure."
Most Targeted: Spain, U.S.
Based on attackers' command-and-control activities, the greatest number of organizations targeted by attackers are in Spain and the United States, says Symantec. A lesser number of infections have also been seen in France, Italy, Germany, Turkey, Poland, Romania, Greece and Serbia.
F-Secure recently traced back the IP addresses of PCs infected by the group and found "all ... are associated in some way with the development or use of industrial applications or machines." While most are based in Europe -- including French and German educational or manufacturing organizations, as well as one Russian structural engineering firm -- one infected organization is in California.
Energetic Bear's attacks are being tracked in part through its use of remote-access tools. The most-often used tool is Havex (a.k.a. Oldrea, Energetic Bear RAT), which gives attackers back-door access to infected PCs, allowing them to exfiltrate data. Havex appears to have been custom-built by or for the group. Infections are managed by a dedicated C&C server, which can push additional payloads to infected PCs, giving attackers more functionality.
To a much lesser extent, the group also relies on a Russian-built Trojan named Karagany, which is commercially available via the cybercrime underground, although the source code for the first version of tool was leaked in 2010. According to Symantec, "Dragonfly may have taken this source code and modified for its own use."
While that Trojan has only been seen in about 5 percent of all Energetic Bear attack campaigns, that doesn't mean it hasn't been successful. "The Trojan Karagany was previously identified by Cisco as part of another watering hole attack targeting energy and oil sectors," according to a June 30 U.S. Industrial Control System CERT security advisory.
'I Haz SCADA?'
ICS-CERT warns that one Havex payload now being used by attackers "enumerates all connected network resources, such as computers or shared resources," by using an Open Platform Communications standard." It adds that attackers' OPC communications sometimes crash infected systems.
Using an OPC client allows the attackers to identify the make and model of any industrial control systems that connect to an infected PC. "It allows attackers to gather the necessary information on connected ICS devices to select appropriate payloads and perform a successful follow-on attack," says Michael Assante, who teaches cyber-skills development for SANS Institute, in a recent SANS newsletter.
"This is an intelligent way an adversary could ask (in their own tongue): 'do I haz SCADA?' says Naval Postgraduate School associate professor William Hugh Murray in the SANS newsletter. "It's likely that more future malware will include SCADA/ICS identification functionality."
Attackers Gain Control
With these capabilities, Symantec warns attackers could have sabotaged countries' energy supplies. "Their current motive is cyber-espionage and obtaining persistent access," Eric Chien, technical director for Symantec Security Response, tells Information Security Media Group. "With such access, sabotage is a possible additional capability."
F-Secure likewise says attackers have specifically given themselves the ability to modify SCADA systems. "The attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations," says F-Secure. "The source of this motivation is unclear to us."
Russian Connection Eyed
Last year, threat intelligence firm CrowdStrike said Energetic Bear is being run from Russia.
Still, "the relationship between the state and the attackers is always a little murky at best," warns Allan Friedman, research scientist at George Washington University and co-author of the recently published book, Cybersecurity and Cyberwar: What Everyone Needs to Know.
While Symantec has declined to name names, "the attacks do have the hallmarks of a state-sponsored operation," says Chien. "The attackers are well-resourced, with a high degree of technical capability, and have a lot of tools at their disposal. Their targets are of strategic interest. The motivations do not appear to be cybercrime for economic profit."
"Extortion, from an organized crime perspective, is always an option," says Chris Blask, chair of the ICS Information Sharing and Analysis Center.
But sabotage would be unlikely, says Adam Kujawa, head of malware intelligence at Malwarebytes. "I don't expect Russia or any country really to attack the U.S. with a massive cyber-attack that precursors a physical attack, so it's most likely just to keep tabs on innovations and probably steal IP for the sake of economic gain," he says. "However, it isn't unheard of for Russia to use cyber-attacks against countries they are attacking."
To blunt Energetic Bear's attacks, ICS-CERT has called on ICS vendors to begin digitally signing their code, so customers can spot updater tampering.
(News writer Jeffrey Roman contributed to this story.)