Guide to Russian Infrastructure Hacking

Uploaded on 2017-07-25 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits.

Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cyber-criminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years.

Recently US officials solved at least part of that mystery, revealing to the Washington Post that the hackers behind the utility attacks worked for the Russian government. But that attribution raises a new question: Which of the Kremlin's hacker’s groups attempted the power grid intrusions?

Russia, after all, is perhaps the only nation in the world with multiple known hacker teams that have targeted energy utilities for years. Each has its own techniques, broader focus, and motivation, and deciphering which group is behind the attacks could help determine the intended endgame of this latest infrastructure hacking spree, too.

As the cyber-security world's Kremlinologists seek those answers, here's what we know about the groups that may have pulled it off.

Energetic Bear

The prime candidate among Russia's array of hacker teams is a group of cyber-spies most widely identified as Energetic Bear, but also known by names including DragonFly, Koala, and Iron Liberty. First spotted by the security firm Crowdstrike in 2014, the group initially seemed to indiscriminately hack hundreds of targets in dozens of countries since as early as 2010, using so-called "watering hole" attacks that infected websites and planted a Trojan called Havex on visitors' machines.

But it soon became clear that the hackers had a more specific focus: They also used phishing emails to target vendors of industrial control software, sneaking Havex into customer downloads. Security firm FireEye found in 2014 that the group breached at least four of those industrial control targets, potentially giving the hackers access to everything from power grid systems to manufacturing plants.

The group seemed at least in part focused on broad surveillance of the oil and gas industry, says Adam Meyers, Crowdstrike's vice president of intelligence. Energetic Bear's targets included everything from gas producers to firms that transported liquid gas and oil to energy financing companies. Crowdstrike also found the group's code contained Russian-language artifacts, and that it operated during Moscow business hours.

All of that suggests, Meyers argues, that the Russian government may have used the group to protect its own petrochemical industry and better wield its power as a fuel supplier. "If you threaten to turn off the gas to a country, you want to know how severe that threat is and how to properly leverage it," Meyers says.

But security firms noted that the group's targets included electric utilities, too, and some versions of Energetic Bear's malware had the capacity to scan industrial networks for infrastructure equipment, raising the possibility that it could have not just collected industry intelligence, but performed reconnaissance for future disruptive attacks.

"We think they were after control systems, and we don’t think there was a compelling intelligence reason for that," says John Hultquist, who leads a research team at FireEye. "You’re not doing that to learn the price of gas."

After security firms including Crowdstrike, Symantec, and others released a series of analyses of Energetic Bear's infrastructure in the summer of 2014, the group abruptly disappeared.

Sandworm

Only one Russian hacker group has actually caused real-world blackouts: Cybersecurity analysts widely believe the hacker team called Sandworm, also known as Voodoo Bear and Telebots, carried out attacks on Ukrainian electric utilities in 2015 and 2016 that cut off power to hundreds of thousands of people.

Despite that distinction, Sandworm's larger focus doesn't appear to be electric utilities or the energy sector. Instead it has spent the last three years terrorizing Ukraine, the country with which Russia has been at war since it invaded the Crimean Peninsula in 2014.

Aside from its two blackout attacks, the group has since 2015 rampaged through practically every sector of Ukrainian society, destroying hundreds of computers at media companies, deleting or permanently encrypting terabytes of data held by its government agencies, and paralyzing infrastructure including its railway ticketing system.

Cyber-security researchers including those at FireEye and ESET have also noted that the recent NotPetya ransomware epidemic that crippled thousands of networks in Ukraine and around the world matches Sandworm's history of infecting victims with "fake" ransomware that offers no real option to decrypt their files.

But amidst all that chaos, Sandworm has shown a special interest in power grids. FireEye has tied the group to a series of intrusions on American energy utilities discovered in 2014, which were infected with the same Black Energy malware Sandworm would later use in its Ukraine attacks.

FireEye also linked Sandworm with Russia based on Russian-language documents found on one of the group's command-and-control servers, a zero-day vulnerability the group used that had been presented at a Russian hacker conference, and its explicit Ukraine focus.

And security firms ESET and Dragos released an analysis last month of a piece of malware they call "Crash Override" or "Industroyer," a highly sophisticated, adaptable, and automated grid-disrupting piece of code used in Sandworm's 2016 blackout attack on one of the transmission stations of Ukraine's state energy company Ukrenergo.

Palmetto Fusion

The hackers behind the fresh series of attempted intrusions of US energy utilities remain far more mysterious than Energetic Bear or Sandworm. The group has hit energy utilities with "watering hole" and phishing attacks since 2015, with targets as far-flung as Ireland and Turkey in addition to the recently reported American firms, according to FireEye. But despite broad similarities to Energetic Bear, cybersecurity analysts have not yet definitively linked the group to either of the other known Russian grid hacking teams.

Sandworm, in particular, seems like an unlikely match. FireEye's John Hultquist notes that his researchers have tracked both the new group and Sandworm for several overlapping years, but have seen no common techniques or infrastructure in their operations.

And according to the Washington Post, US officials believe Palmetto Fusion to be an operation of Russia's secret services agency known as the FSB. Some researchers believe Sandworm works instead under the auspices of Russia's military intelligence group known as the GRU, due to its focus on Russia's military enemy Ukraine and some early targeting of NATO and military organizations.

Palmetto Fusion doesn't exactly share Energetic Bear's paw-prints, either, despite a New York Times' report tentatively linking the two. While both target the energy sector and use phishing and water hole attacks, Crowdstrike's Meyers says they don't share any of the same actual tools or techniques, hinting that the Fusion operation may be the work of a distinct group. Cisco's Talos research group, for instance, found that the new team used a combination of phishing and a trick using Microsoft's "server message block" protocol to harvest credentials from victims, a technique never seen from Energetic Bear.

But the timing of Energetic Bear's disappearance after its discovery in late 2014 and Palmetto Fusion's initial attacks in 2015 remains suspect. And that timeline may provide one sign that the groups are the same, but with new tools and techniques rebuilt to avoid any obvious connection.

After all, a group of attackers as methodical and prolific as Energetic Bear doesn't simply call it quits after having their cover blown. "These state intelligence agencies don’t give up because of a setback like that," says Tom Finney, a security researcher with the firm SecureWorks, which has also closely tracked Energetic Bear. "We’ve expected them to reappear at some point. This might be it."

Wired:

You Might Also Read:

Hackers Attempt To Penetrate US Nuclear Plants:

Putin Applauds Patriotic Russian Hackers:

Just Who Are Russia's Cyber Warriors?:

 

« The Insider Threat
US Needs To Get Its Data Ready For GDPR »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Business Intelligence Associates (BIA)

Business Intelligence Associates (BIA)

BIA's TotalDiscovery is a defensible and cost-effective corporate preservation and legal compliance software solution.

Authenware

Authenware

AuthenWare delivers the highest level of identity security based on behavioral biometrics.

Joe Security

Joe Security

Joe Security specializes in the development of automated malware analysis systems for malware detection and forensics.

AEI Cybersecurity

AEI Cybersecurity

AEI brings together companies, Research Centres, Universities, and other organizations interested in promoting new cybersecurity technologies.

TUV Rheinland Group

TUV Rheinland Group

TUV Rheinland Group is a testing services company with nearly 145 years of technological experience. We help you to protect your systems comprehensively, proactively and permanently.

Applied Magnetics Laboratory (AML)

Applied Magnetics Laboratory (AML)

Applied Magnetics Laboratory is a manufacturer of military security and data destruction equipment for sensitive, classified, and secret information.

Google for Startups

Google for Startups

Google for Startups is Google’s initiative to help startups thrive across every corner of the world.

IntelliGenesis

IntelliGenesis

IntelliGenesis provide comprehensive cyber, data science, analysis, and software development services that provide tailored, secure solutions for your critical data and intelligence needs.

Evina

Evina

Evina offers the most advanced cybersecurity and fraud protection for mobile payment.

World Cyber Security Summit

World Cyber Security Summit

World Cyber Security Summit, by Trescon, is a thought-leadership driven platform for CISOs who are looking to explore new-age threats and the technologies/strategies that can help mitigate them.

Atlant Security

Atlant Security

Atlant Security is a cyber and IT security company offering consulting and implementation services.

BaXian Group

BaXian Group

BaXian AG is an international consulting company specializing in IT security, data analytics, risk management and compliance.

GM Sectec

GM Sectec

GM Sectec is the world's largest independent Cyber Defense and Fraud Prevention firm laser focused on payment security.

AI Spera

AI Spera

AI-Driven Cyber Threat Intelligence Security. AI Spera provides real-time intelligence to empower your security competences in all aspects of the business.

Information Systems Security Association (ISSA)

Information Systems Security Association (ISSA)

ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.

Somos

Somos

From voice to messaging to fraud prevention and beyond, Somos are committed to developing innovative solutions that ensure that our ability to maintain trustworthy connections never stops.