Guide to Russian Infrastructure Hacking

Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits.

Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cyber-criminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years.

Recently US officials solved at least part of that mystery, revealing to the Washington Post that the hackers behind the utility attacks worked for the Russian government. But that attribution raises a new question: Which of the Kremlin's hacker groups attempted the power grid intrusions?

Russia, after all, is perhaps the only nation in the world with multiple known hacker teams that have targeted energy utilities for years. Each has its own techniques, broader focus, and motivation, and deciphering which group is behind the attacks could help determine the intended endgame of this latest infrastructure hacking spree, too.

As the cyber-security world's Kremlinologists seek those answers, here's what we know about the groups that may have pulled it off.

Energetic Bear

The prime candidate among Russia's array of hacker teams is a group of cyber-spies most widely identified as Energetic Bear, but also known by names including DragonFly, Koala, and Iron Liberty. First spotted by the security firm Crowdstrike in 2014, the group had, since as early as 2010, seemingly been hacking hundreds of targets in dozens of countries indiscriminately, using so-called "watering hole" attacks that infected websites and planted a Trojan called Havex on visitors' machines.

But it soon became clear that the hackers had a more specific focus: They also used phishing emails to target vendors of industrial control software, sneaking Havex into customer downloads. Security firm FireEye found in 2014 that the group breached at least four of those industrial control targets, potentially giving the hackers access to everything from power grid systems to manufacturing plants.

The group seemed at least in part focused on broad surveillance of the oil and gas industry, says Adam Meyers, Crowdstrike's vice president of intelligence. Energetic Bear's targets included everything from gas producers to firms that transported liquid gas and oil to energy financing companies. Crowdstrike also found the group's code contained Russian-language artifacts, and that it operated during Moscow business hours.

All of that suggests, Meyers argues, that the Russian government may have used the group to protect its own petrochemical industry and better wield its power as a fuel supplier. "If you threaten to turn off the gas to a country, you want to know how severe that threat is and how to properly leverage it," Meyers says.

But security firms noted that the group's targets included electric utilities, too, and some versions of Energetic Bear's malware had the capacity to scan industrial networks for infrastructure equipment, raising the possibility that it could have not just collected industry intelligence, but performed reconnaissance for future disruptive attacks.

"We think they were after control systems, and we don’t think there was a compelling intelligence reason for that," says John Hultquist, who leads a research team at FireEye. "You’re not doing that to learn the price of gas."

After security firms including Crowdstrike and Symantec released a series of analyses of Energetic Bear's infrastructure in the summer of 2014, the group abruptly disappeared.

Sandworm

Only one Russian hacker group has actually caused real-world blackouts: Cybersecurity analysts widely believe the hacker team called Sandworm, also known as Voodoo Bear and Telebots, carried out attacks on Ukrainian electric utilities in 2015 and 2016 that cut off power to hundreds of thousands of people.

Despite that distinction, Sandworm's larger focus doesn't appear to be electric utilities or the energy sector. Instead it has spent the last three years terrorizing Ukraine, the country with which Russia has been at war since it invaded the Crimean Peninsula in 2014.

Aside from its two blackout attacks, the group has since 2015 rampaged through practically every sector of Ukrainian society, destroying hundreds of computers at media companies, deleting or permanently encrypting terabytes of data held by its government agencies, and paralyzing infrastructure including its railway ticketing system.

Cyber-security researchers including those at FireEye and ESET have also noted that the recent NotPetya ransomware epidemic that crippled thousands of networks in Ukraine and around the world matches Sandworm's history of infecting victims with "fake" ransomware that offers no real option to decrypt their files.

But amidst all that chaos, Sandworm has shown a special interest in power grids. FireEye has tied the group to a series of intrusions on American energy utilities discovered in 2014, which were infected with the same Black Energy malware Sandworm would later use in its Ukraine attacks.

FireEye also linked Sandworm with Russia based on Russian-language documents found on one of the group's command-and-control servers, a zero-day vulnerability the group used that had been presented at a Russian hacker conference, and its explicit Ukraine focus.

And security firms ESET and Dragos released an analysis last month of a piece of malware they call "Crash Override" or "Industroyer," a highly sophisticated, adaptable, and automated grid-disrupting piece of code used in Sandworm's 2016 blackout attack on one of the transmission stations of Ukraine's state energy company Ukrenergo.

Palmetto Fusion

The hackers behind the fresh series of attempted intrusions into US energy utilities remain far more mysterious than Energetic Bear or Sandworm. The group has hit energy utilities with "watering hole" and phishing attacks since 2015, with targets as far-flung as Ireland and Turkey in addition to the recently reported American firms, according to FireEye. But despite broad similarities to Energetic Bear, cybersecurity analysts have not yet definitively linked the group to either of the other known Russian grid hacking teams.

Sandworm, in particular, seems like an unlikely match. FireEye's John Hultquist notes that his researchers have tracked both the new group and Sandworm for several overlapping years, but have seen no common techniques or infrastructure in their operations.

And according to the Washington Post, US officials believe Palmetto Fusion to be an operation of Russia's secret services agency known as the FSB. Some researchers believe Sandworm works instead under the auspices of Russia's military intelligence group known as the GRU, due to its focus on Russia's military enemy Ukraine and some early targeting of NATO and military organizations.

Palmetto Fusion doesn't exactly share Energetic Bear's paw-prints, either, despite a New York Times report tentatively linking the two. While both target the energy sector and use phishing and watering hole attacks, Crowdstrike's Meyers says they don't share any of the same actual tools or techniques, hinting that the Fusion operation may be the work of a distinct group. Cisco's Talos research group, for instance, found that the new team used a combination of phishing and a trick using Microsoft's "server message block" protocol to harvest credentials from victims, a technique never seen from Energetic Bear.

But the timing of Energetic Bear's disappearance after its discovery in late 2014 and Palmetto Fusion's initial attacks in 2015 remains suspicious. That timeline may be one sign that the groups are the same, but with new tools and techniques rebuilt to avoid any obvious connection.

After all, a group of attackers as methodical and prolific as Energetic Bear doesn't simply call it quits after having their cover blown. "These state intelligence agencies don’t give up because of a setback like that," says Tom Finney, a security researcher with the firm SecureWorks, which has also closely tracked Energetic Bear. "We’ve expected them to reappear at some point. This might be it."

Wired:

