Vulnerabilities / Threats // Advanced Threats
6/30/2014
04:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Cyberspying Campaign Comes With Sabotage Option

New research from Symantec spots US and Western European energy interests in the bull's eye, but the campaign could encompass more than just utilities.

A well-heeled and aggressive cyber espionage operation out of Eastern Europe is targeting mainly US and other Western energy grid operators, electricity generation firms, and petroleum pipeline operators by planting Trojan-rigged software updates on the websites of the victims' industrial control system (ICS) software vendors.

The attacks on energy industry vendors came to light last week when F-Secure revealed it had spotted the attacks targeting European energy firms. They are the handiwork of a nation-state backed hacking group called DragonFly, a.k.a. Energetic Bear, according to new research on the attacks published today by Symantec. Spain (27%) and the US (24%) were the nations with the most active infections via the attack campaign, followed by France (9%), Italy, Germany, Turkey, Poland, Romania, Greece, and Serbia.

Kevin Haley, director of Symantec Security Response, says the attackers are out of Eastern Europe and have in their arsenal malware that could be used to sabotage or disrupt the operations of their victims. "We have not seen any signs of sabotage." However, "the potential for that is clearly there."

Symantec spotted the group shifting more of its focus on to energy firms as of March, with half the targets in energy and 30% in energy control systems, followed by file hosting services and "unidentified" targets.

But Sean Sullivan, a security adviser at F-Secure, says the attacks -- which he confirms are out of Russia -- are not just about stealing information from or disrupting energy grid operators. "From what I've seen, it looks to me like they want a broad range of targets. The espionage going on here seems to be a wide net for any sort of infrastructure that might give the ability to get your way politically… That fits in with what I know of Russian tactics."

Commercial manufacturing operations are in the bull's eye, as well, he says, especially ones that supply the attackers' potential military adversaries.

[F-Secure has unearthed a new attack against industrial control systems that goes after European targets, using rare infection vectors. Read As Stuxnet Anniversary Approaches, New SCADA Attack Is Discovered.]

Neither F-Secure nor Symantec would name names, but at least three software vendors' websites were hacked, and their software update links were implanted with the so-called Havex or Oldrea backdoor Trojan, a custom remote access Trojan that fingerprints computers and other systems in a victim's network, including specific server information. ICS-CERT reports in its advisory on these attacks that the Havex malware can trigger intermittent denial-of-service attacks on ICS applications.

According to Symantec, some victim organizations downloaded the malware when updating their ICS software, giving the attackers a foothold into their networks as well as a means to sabotage their operations on those systems. Havex/Oldrea gathers system information, lists of files and programs on the infected machine, and available drives, as well as Outlook address book and VPN configuration information.

Most of the command and control servers are hosted on hijacked content management systems, and the attackers also sometimes employ the Karagany Trojan, which is available in the cybercrime underground market. "Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer," Symantec said in a blog post today. "It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloging documents on infected computers."

The DragonFly/Energetic Bear gang has been in action at least since 2011 and originally focused its efforts on US and Canadian defense and aviation companies, according to Symantec. The traditional approach to attack was spearphishing and later watering hole attacks where it infected websites its targets would most likely visit. Targeting their software vendors was yet another attack vector.

This isn't the first time attackers have used their targets' software vendors as a vector of infection. "We've seen the Hidden Lynx group do similar" things, Haley said. Hidden Lynx was behind the attack on Bit9; attackers stole one of the security vendor's digital code-signing certificates and used it to sign malware in attacks against some of its customers.

"The attackers are collecting logins, passwords… we saw them stealing from Outlook," as well, Haley said.

(Source: Symantec)
(Source: Symantec)

F-Secure's Sullivan said his team has witnessed several connections to the attackers' command and control servers from Tor anonymized nodes. They also saw the attackers using the "Fing" application, which scans and takes inventory of a network. "We think the folks behind this are collecting as much as possible… and seeing what might be useful in soft power deployment."

He worries that the conclusions have been pointing too quickly to an energy sector attack only. "This is a very broad-based" campaign to cripple adversaries, including via manufacturers that supply their armies with food and other crucial items.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 8:39:54 AM
Re: Actions
Thanks! I am always interested to hear about what is done with the data after it is stolen. Some choose to remain silent while others choose to exploit. Reasons tend to vary as to why.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/1/2014 | 8:03:17 AM
Re: Actions
No details on what if any damage was done intel-wise, but there weren't any cases of known sabotage that Symantec and F-Secure knew of.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2014 | 6:07:48 PM
Actions
I know data has been stolen and software has been hacked on critical infrasture but has there been any word on what is being done with this data? As in, have the attackers acted on the information they have stolen or the functionality in which they have acquired in a detrimental manner? Or did Symantec and F-Secure not comment to that point?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.