Global cyber reconnaissance against the energy sector

Media panic du jour

National media has caused quite a self-generated sensation by splashing headlines that the U.S. Nuclear Power subsector has been hacked.  Without context or understanding the media has created another “the sky is falling” cyber event.  There’s a great difference between nuclear operational networks being compromised and somebody clicking a phishing email and infecting the front office, so let’s immediately set the record straight.  It was the front office.

And I could go into a pages-long tirade about the completely inappropriate, and possibly illegal, release of privileged, shared government/private sector information that appeared in the press.  Not only was it leaked along with identifying information, but third-party contractors at the affected site corroborated it!  Not sure how many nuclear power customers this contractor has, but I hope the plant managers vote with their wallets.  But I digress…

Smarter than the average bear

The bad guy(s) in this case are believed to be Russian.  ENERGETIC BEAR (aka DRAGONFLY, CROUCHNG YETI) Advanced Persistent Threat (APT) group is using old techniques but new droppers (CIA-stolen ETERNAL BLUE/SMB access tools) to deliver reconnaissance payloads for espionage and potential sabotage.

The ENERGETIC BEAR campaign has been stealthy and persistent, functioning since 2011. In very few cases did any adverse effect occur upon targeted networks – the malware lay silent and inactive.  Due to this approach, it is believed that the RATs have conducted reconnaissance and network mapping primarily against energy and pharmaceutical sectors. Additional payloads carried by the RATs conduct credential harvesting, allowing attackers to sign into networks as legitimate users and complicating detection and prevention.

What’s in that picnic basket?

ENERGETIC BEAR has been functioning since 2011.  Their primary tools are Remote Access Trojans (RAT).  RAT malware provides attackers with persistent access and control of compromised computers.  This access can be used for reconnaissance or potential access to sabotage networks and devices (Ukraine 2015 and 2016). ENERGETIC BEAR’S signature RAT is OLDREA, aka HAVEX.

HAVEX gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers. (SYMANTEC sourced).

HAVEX is custom malware, either written by the group itself or created for it. ENERGETIC BEAR uses a combination of commercially available malware and custom code.  Because of this mix it is difficult to determine the composition, sponsorship, or size of the adversary.  HAVEX and BLACKENERGY (used against Ukraine in 2015 and 2016) blur a line between State-sponsored espionage and criminal activity, complicating attribution.

ENERGETIC BEAR’s second tool KARGANY can upload stolen data, downloading new files, and running executable files on an infected computer.  It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloguing documents on infected computers. Symantec found that most computers compromised by the attackers were infected with HAVEX. KARAGANY was only used in around 5% of infections. The two pieces of malware are similar in functionality and what prompts the attackers to choose one tool over another remains unknown.

Avoiding a cyber Boo-Boo

The Lockheed-Martin cyber kill chain phases are listed as reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, action-on-target.  ENERGETIC BEAR has achieved steps through command and control in many systems throughout the world.  With the known exception of Ukraine and the BLACKENERGY APT, the action-on-target “attack” phase so far has been withheld by APTs.

Though no operational technology in the U.S. Energy Sector is known to have been compromised by ENERGETIC BEAR or other APTs, this should in no way be misinterpreted as an indication we are safe.  The stealthy nature and low-signature activity of the APT reconnaissance campaign makes detection difficult.  Reluctance to self-report (due to compliance, fines, reputation) may also lead to failures in identifying and sharing APT indicators of compromise.

While the National Critical Infrastructure defenders focus on operational technology, it is left to individual organizations to protect their business and administrative networks.  Degradation, damage, and/or destruction of these administrative networks can easily create an environment in which organizations are unable to function and provide products and services, leading to loss of revenue, customers, and independence from governmental oversight.