Media panic du jour

National media has caused quite a self-generated sensation by splashing headlines that the U.S. Nuclear Power subsector has been hacked. Without context or understanding, the media has created another "the sky is falling" cyber event. There is a great difference between nuclear operational networks being compromised and somebody clicking a phishing email and infecting the front office, so let's immediately set the record straight. It was the front office.

And I could go into a pages-long tirade about the completely inappropriate, and possibly illegal, release of privileged, shared government/private sector information that appeared in the press. Not only was it leaked along with identifying information, but third-party contractors at the affected site corroborated it! Not sure how many nuclear power customers this contractor has, but I hope the plant managers vote with their wallets. But I digress...

Smarter than the average bear

The bad guy(s) in this case are believed to be Russian. The ENERGETIC BEAR (aka DRAGONFLY, CROUCHING YETI) Advanced Persistent Threat (APT) group is using old techniques but new droppers (CIA-stolen ETERNAL BLUE/SMB access tools) to deliver reconnaissance payloads for espionage and potential sabotage.

The ENERGETIC BEAR campaign has been stealthy and persistent, functioning since 2011. In very few cases did any adverse effect occur upon targeted networks; the malware lay silent and inactive. Because of this approach, it is believed that the RATs have conducted reconnaissance and network mapping primarily against the energy and pharmaceutical sectors. Additional payloads carried by the RATs conduct credential harvesting, allowing attackers to sign into networks as legitimate users and complicating detection and prevention.

What's in that picnic basket?

ENERGETIC BEAR has been functioning since 2011. Their primary tools are Remote Access Trojans (RATs). RAT malware provides attackers with persistent access to and control of compromised computers. This access can be used for reconnaissance or potentially to reach and sabotage networks and devices (Ukraine 2015 and 2016). ENERGETIC BEAR's signature RAT is OLDREA, aka HAVEX.

HAVEX gathers system information, along with lists of files, installed programs, and the root of available drives. It will also extract data from the computer's Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers. (Symantec sourced.)

HAVEX is custom malware, either written by the group itself or created for it. ENERGETIC BEAR uses a combination of commercially available malware and custom code. Because of this mix it is difficult to determine the composition, sponsorship, or size of the adversary. HAVEX and BLACKENERGY (used against Ukraine in 2015 and 2016) blur the line between State-sponsored espionage and criminal activity, complicating attribution.

ENERGETIC BEAR's second tool, KARAGANY, can upload stolen data, download new files, and run executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloguing documents on infected computers. Symantec found that most computers compromised by the attackers were infected with HAVEX; KARAGANY was only used in around 5% of infections. The two pieces of malware are similar in functionality, and what prompts the attackers to choose one tool over the other remains unknown.

Avoiding a cyber Boo-Boo

The Lockheed Martin cyber kill chain phases are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, action-on-target. ENERGETIC BEAR has achieved the steps through command and control in many systems throughout the world. With the known exception of Ukraine and the BLACKENERGY APT, the action-on-target "attack" phase so far has been withheld by APTs.

Though no operational technology in the U.S. Energy Sector is known to have been compromised by ENERGETIC BEAR or other APTs, this should in no way be misinterpreted as an indication that we are safe. The stealthy nature and low-signature activity of the APT reconnaissance campaign make detection difficult. Reluctance to self-report (due to compliance, fines, reputation) may also lead to failures in identifying and sharing APT indicators of compromise.

While the National Critical Infrastructure defenders focus on operational technology, it is left to individual organizations to protect their business and administrative networks. Degradation, damage, and/or destruction of these administrative networks can easily create an environment in which organizations are unable to function and provide products and services, leading to loss of revenue, customers, and independence from governmental oversight.
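The HAVEX description above (inventory of the host, reads of the Outlook address book and VPN configuration files, staging to an encrypted temporary file, then an outbound connection to the C&C server) is a sequence a defender can hunt for on the front-office network the post says was actually hit. The script below is an added example written for this page, not Symantec's detection logic or anything from the original post: it correlates per-process endpoint events and raises an alert only when collection, temp-file staging and an outbound connection occur in that order within a short window. The event format, the file paths, the regular expressions and every sample line are constructed for the example and are not real HAVEX indicators.

```python
"""Added example: correlate endpoint events against the staged collection pattern
described for HAVEX. Event format, paths and sample lines are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed event format: "<ISO timestamp> <host> <pid> <event_type> <detail>"
EVENT_RE = re.compile(r"^(\S+) (\S+) (\d+) (file_read|file_write|net_connect) (.+)$")

# Constructed path heuristics standing in for real EDR file-category telemetry.
OUTLOOK_RE = re.compile(r"\\Microsoft\\Outlook\\.*\.(oab|pst|ost)$", re.I)
VPN_RE = re.compile(r"\.(pcf|ovpn)$|\\vpn[^\\]*\\", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)

# Constructed sample telemetry: pid 4120 follows the HAVEX-style sequence,
# pid 2200 is an ordinary process that reads a document and goes online.
SAMPLE_EVENTS = r"""
2017-07-06T09:01:10 WS-FRONT-OFFICE 4120 file_read C:\Users\jdoe\AppData\Local\Microsoft\Outlook\jdoe.oab
2017-07-06T09:01:11 WS-FRONT-OFFICE 4120 file_read C:\Users\jdoe\AppData\Roaming\vpnclient\profile.pcf
2017-07-06T09:01:12 WS-FRONT-OFFICE 4120 file_write C:\Users\jdoe\AppData\Local\Temp\tmp7f3a.dat
2017-07-06T09:01:15 WS-FRONT-OFFICE 4120 net_connect 198.51.100.23:443
2017-07-06T09:02:00 WS-FRONT-OFFICE 2200 file_read C:\Users\jdoe\Documents\report.docx
2017-07-06T09:02:05 WS-FRONT-OFFICE 2200 net_connect 203.0.113.5:443
"""


@dataclass
class ProcState:
    """Per-process progress through collect -> stage -> connect."""
    host: str
    pid: int
    address_book_reads: int = 0
    vpn_config_reads: int = 0
    staged_at: Optional[datetime] = None  # set when a temp file is written after collection


def parse_event(line: str) -> Optional[Tuple[datetime, str, int, str, str]]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, pid, kind, detail = m.groups()
    return datetime.fromisoformat(ts), host, int(pid), kind, detail


def correlate(lines: List[str], window_seconds: int = 300) -> List[dict]:
    """Return one alert per process that collects, stages to Temp, then connects out
    within window_seconds of staging. Order matters: a connection before staging,
    or staging without prior collection, does not count."""
    states: Dict[Tuple[str, int], ProcState] = {}
    alerts: List[dict] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the hunt
        ts, host, pid, kind, detail = ev
        st = states.setdefault((host, pid), ProcState(host, pid))
        if kind == "file_read":
            if OUTLOOK_RE.search(detail):
                st.address_book_reads += 1
            elif VPN_RE.search(detail):
                st.vpn_config_reads += 1
        elif kind == "file_write" and TEMP_RE.search(detail):
            if st.address_book_reads or st.vpn_config_reads:
                st.staged_at = ts  # staging only counts after collection
        elif kind == "net_connect" and st.staged_at is not None:
            if 0 <= (ts - st.staged_at).total_seconds() <= window_seconds:
                alerts.append({
                    "host": host, "pid": pid, "destination": detail,
                    "address_book_reads": st.address_book_reads,
                    "vpn_config_reads": st.vpn_config_reads,
                    "staged_at": st.staged_at.isoformat(),
                    "connected_at": ts.isoformat(),
                })
                st.staged_at = None  # one alert per staging cycle
    return alerts


def alerts_for_sample() -> List[dict]:
    return correlate(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for alert in alerts_for_sample():
        print(alert)
```

The ordering and window checks are what keep this from firing on every backup agent or mail client that touches the same files: collection alone, or a temp-file write alone, is normal office activity. In a real deployment the constructed event lines would be replaced by EDR or Sysmon telemetry (file-create and network-connection events keyed by process), and the path regexes by whatever file categories that telemetry already labels; path-name matching is a hunting heuristic, not a reliable signature.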