Guide to Russian Infrastructure Hacking

Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits.

Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cyber-criminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years.

Recently US officials solved at least part of that mystery, revealing to the Washington Post that the hackers behind the utility attacks worked for the Russian government. But that attribution raises a new question: Which of the Kremlin's hacker’s groups attempted the power grid intrusions?

Russia, after all, is perhaps the only nation in the world with multiple known hacker teams that have targeted energy utilities for years. Each has its own techniques, broader focus, and motivation, and deciphering which group is behind the attacks could help determine the intended endgame of this latest infrastructure hacking spree, too.

As the cyber-security world's Kremlinologists seek those answers, here's what we know about the groups that may have pulled it off.

Energetic Bear

The prime candidate among Russia's array of hacker teams is a group of cyber-spies most widely identified as Energetic Bear, but also known by names including DragonFly, Koala, and Iron Liberty. First spotted by the security firm Crowdstrike in 2014, the group initially seemed to indiscriminately hack hundreds of targets in dozens of countries since as early as 2010, using so-called "watering hole" attacks that infected websites and planted a Trojan called Havex on visitors' machines.

But it soon became clear that the hackers had a more specific focus: They also used phishing emails to target vendors of industrial control software, sneaking Havex into customer downloads. Security firm FireEye found in 2014 that the group breached at least four of those industrial control targets, potentially giving the hackers access to everything from power grid systems to manufacturing plants.

The group seemed at least in part focused on broad surveillance of the oil and gas industry, says Adam Meyers, Crowdstrike's vice president of intelligence. Energetic Bear's targets included everything from gas producers to firms that transported liquid gas and oil to energy financing companies. Crowdstrike also found the group's code contained Russian-language artifacts, and that it operated during Moscow business hours.

All of that suggests, Meyers argues, that the Russian government may have used the group to protect its own petrochemical industry and better wield its power as a fuel supplier. "If you threaten to turn off the gas to a country, you want to know how severe that threat is and how to properly leverage it," Meyers says.

But security firms noted that the group's targets included electric utilities, too, and some versions of Energetic Bear's malware had the capacity to scan industrial networks for infrastructure equipment, raising the possibility that it could have not just collected industry intelligence, but performed reconnaissance for future disruptive attacks.

"We think they were after control systems, and we don’t think there was a compelling intelligence reason for that," says John Hultquist, who leads a research team at FireEye. "You’re not doing that to learn the price of gas."

After security firms including Crowdstrike, Symantec, and others released a series of analyses of Energetic Bear's infrastructure in the summer of 2014, the group abruptly disappeared.

Sandworm

Only one Russian hacker group has actually caused real-world blackouts: Cybersecurity analysts widely believe the hacker team called Sandworm, also known as Voodoo Bear and Telebots, carried out attacks on Ukrainian electric utilities in 2015 and 2016 that cut off power to hundreds of thousands of people.

Despite that distinction, Sandworm's larger focus doesn't appear to be electric utilities or the energy sector. Instead it has spent the last three years terrorizing Ukraine, the country with which Russia has been at war since it invaded the Crimean Peninsula in 2014.

Aside from its two blackout attacks, the group has since 2015 rampaged through practically every sector of Ukrainian society, destroying hundreds of computers at media companies, deleting or permanently encrypting terabytes of data held by its government agencies, and paralyzing infrastructure including its railway ticketing system.

Cyber-security researchers including those at FireEye and ESET have also noted that the recent NotPetya ransomware epidemic that crippled thousands of networks in Ukraine and around the world matches Sandworm's history of infecting victims with "fake" ransomware that offers no real option to decrypt their files.

But amidst all that chaos, Sandworm has shown a special interest in power grids. FireEye has tied the group to a series of intrusions on American energy utilities discovered in 2014, which were infected with the same Black Energy malware Sandworm would later use in its Ukraine attacks.

FireEye also linked Sandworm with Russia based on Russian-language documents found on one of the group's command-and-control servers, a zero-day vulnerability the group used that had been presented at a Russian hacker conference, and its explicit Ukraine focus.

And security firms ESET and Dragos released an analysis last month of a piece of malware they call "Crash Override" or "Industroyer," a highly sophisticated, adaptable, and automated grid-disrupting piece of code used in Sandworm's 2016 blackout attack on one of the transmission stations of Ukraine's state energy company Ukrenergo.

Palmetto Fusion

The hackers behind the fresh series of attempted intrusions of US energy utilities remain far more mysterious than Energetic Bear or Sandworm. The group has hit energy utilities with "watering hole" and phishing attacks since 2015, with targets as far-flung as Ireland and Turkey in addition to the recently reported American firms, according to FireEye. But despite broad similarities to Energetic Bear, cybersecurity analysts have not yet definitively linked the group to either of the other known Russian grid hacking teams.

Sandworm, in particular, seems like an unlikely match. FireEye's John Hultquist notes that his researchers have tracked both the new group and Sandworm for several overlapping years, but have seen no common techniques or infrastructure in their operations.

And according to the Washington Post, US officials believe Palmetto Fusion to be an operation of Russia's secret services agency known as the FSB. Some researchers believe Sandworm works instead under the auspices of Russia's military intelligence group known as the GRU, due to its focus on Russia's military enemy Ukraine and some early targeting of NATO and military organizations.

Palmetto Fusion doesn't exactly share Energetic Bear's paw-prints, either, despite a New York Times' report tentatively linking the two. While both target the energy sector and use phishing and water hole attacks, Crowdstrike's Meyers says they don't share any of the same actual tools or techniques, hinting that the Fusion operation may be the work of a distinct group. Cisco's Talos research group, for instance, found that the new team used a combination of phishing and a trick using Microsoft's "server message block" protocol to harvest credentials from victims, a technique never seen from Energetic Bear.

But the timing of Energetic Bear's disappearance after its discovery in late 2014 and Palmetto Fusion's initial attacks in 2015 remains suspect. And that timeline may provide one sign that the groups are the same, but with new tools and techniques rebuilt to avoid any obvious connection.

After all, a group of attackers as methodical and prolific as Energetic Bear doesn't simply call it quits after having their cover blown. "These state intelligence agencies don’t give up because of a setback like that," says Tom Finney, a security researcher with the firm SecureWorks, which has also closely tracked Energetic Bear. "We’ve expected them to reappear at some point. This might be it."

Wired:

You Might Also Read:

Hackers Attempt To Penetrate US Nuclear Plants:

Putin Applauds Patriotic Russian Hackers:

Just Who Are Russia's Cyber Warriors?:

 

« The Insider Threat
US Needs To Get Its Data Ready For GDPR »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Pen Test Partners LLP

Pen Test Partners LLP

Pen Test Partners provides penetration testing, security assessment and training services.

IX Associates

IX Associates

IX Associates is a UK based IT Integration business specialising in risk, compliance, eDefence, and network security solutions.

Parasoft

Parasoft

Parasoft is an independent software testing and software quality assurance tool and solution vendor.

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

Dionach

Dionach

Dionach are a certified information security specialists who provide Penetration Testing, IT Security Auditing and Information Security Consultancy.

International Federation of Robotics (IFR)

International Federation of Robotics (IFR)

The International Federation of Robotics connects the world of robotics around the globe. Our members come from the robotics industry, industry associations and research & development institutes.

Bounga Informatics

Bounga Informatics

Bounga Informatics provides Digital Forensics, E-Discovery, and Endpoint Security software, hardware, and training in Singapore and other countries in Asia Pacific.

Blockchain Slovakia

Blockchain Slovakia

Blockchain Slovakia is a non-profit organization that brings together researchers, developers, entrepreneurs, regulators, investors and the public to support blockchain technology in Slovakia.

CICRA

CICRA

CICRA is Sri Lanka's pioneering cyber security training and consultancy provider.

YouWipe

YouWipe

Scandinavian Data Erasure Leader YouWipe is the number one choice of European Ministries, European Central Banks, Swiss Pharmaceuticals and Major Electronics Retail Chains.

Rostelecom Solar

Rostelecom Solar

Rostelecom-Solar is a Cyber Security Company, providing software and managed detection and response (MDR) services to protect critical information from advanced cyber threats.

Sydeco

Sydeco

Sydeco offer a complete range of products that secure computer and industrial networks, servers, programs and data against any type of computer attack.

Prelude

Prelude

Prelude offer the first autonomous platform built to attack, defend and train critical assets through continuous red-teaming.

NetCentrics

NetCentrics

NetCentrics leverages an innovative, agile, ‘what’s-next’ approach to our customers’ IT and cyber challenges.

Cyber Industrial Networks

Cyber Industrial Networks

Cyber Industrial Networks objective is to service the needs of industry in achieving reliable, robust and secure infrastructure that supports productivity.

Core42

Core42

Core42 provides a full-spectrum of AI enablement solutions covering cloud, data, cybersecurity and digital services designed for customer success.