Meet the Energetic Bear
By Shiri Licht
Recently, Symantec reported that Russian hackers are targeting western oil and gas companies. According to the coverage, the attackers are going after energy grid operators, major electricity generation firms, petroleum pipeline operators, and providers of industrial equipment to the energy industry, located in the US, Spain, France, Italy, Germany, Turkey, Poland and elsewhere. Energetic Bear, also known as Dragonfly, is the name given to a suspected Russian hacking group that has been in operation since at least 2011 and has mainly targeted the energy sector and related industries. We’ve talked at great length about why attackers tend to target the Industrial Control Systems (ICS) used in critical infrastructure; while these organizations understand that they are targets, protecting themselves is difficult.
Our research team at CyberArk Labs has analyzed how the Energetic Bear attackers operated. Like other breaches of its kind, this one relied on the privilege escalation pathway to make the attackers de facto “insiders” on the network. Using our privilege escalation model, we’ve outlined the attack below. The privilege escalation cycle comprises three stages: gaining an initial access point, retrieving credentials, and using those credentials to reach the attackers’ goals:
The Energetic Bear in the Privilege Escalation Cycle:
Initial Breach and Access Point:
As we’ve seen in many other publicized breaches, Energetic Bear infiltrates networks through well-known means, using both phishing and watering hole attacks. In this case, the group also employed an interesting method: they compromised a number of ICS software providers and infected the software those vendors distributed with malware. When the trojanized ICS software was downloaded and installed as a normal update, the machines running it were infected with the malware. This was only the beginning.
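The supply-chain vector above works because the victim trusts whatever the vendor’s download site hands out. The check a practitioner would want is to pin the digest of each release to a manifest obtained over a channel independent of that site, and to fail closed on anything unknown. The block below is an added example, not code from the original post or from any vendor; the installer bytes, the file name and the manifest are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample installer: the bytes a vendor legitimately shipped, and the
# same file with a dropper appended, the way a trojanized ICS update would look.
CLEAN_INSTALLER = b"MZ\x90\x00" + b"LEGITIMATE ICS CLIENT v2.1 " * 8
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"\x00" * 16 + b"<backdoor dropper>"

# Hypothetical manifest of known-good SHA-256 digests, obtained out of band
# (e.g. from a signed release note), never from the same download site.
KNOWN_GOOD_DIGESTS = {
    "ics_client_2.1.exe": hashlib.sha256(CLEAN_INSTALLER).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Digest of the downloaded artifact, computed over the full file."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). Fails closed: a file with no pinned digest is rejected."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no pinned digest for this file; refusing to install"
    actual = sha256_hex(data)
    # Constant-time compare so the check itself does not leak digest prefixes.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch; file differs from vendor release"
    return True, "digest matches pinned manifest"


def stage_update(name: str, data: bytes, manifest: dict) -> str:
    """Gate the update: only a verified installer reaches the install step."""
    ok, reason = verify_installer(name, data, manifest)
    return "INSTALL" if ok else "REJECT: " + reason


if __name__ == "__main__":
    print(stage_update("ics_client_2.1.exe", CLEAN_INSTALLER, KNOWN_GOOD_DIGESTS))
    print(stage_update("ics_client_2.1.exe", TROJANIZED_INSTALLER, KNOWN_GOOD_DIGESTS))
    print(stage_update("ics_client_2.2.exe", CLEAN_INSTALLER, KNOWN_GOOD_DIGESTS))
```

The caveat is the manifest’s provenance: a digest copied from the same compromised download page verifies the trojanized file perfectly. The pinned values have to travel a path the attacker does not control, and an unsigned or differently signed binary should be treated as a mismatch, not as a file to inspect by hand on the engineering workstation.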
Retrieval of Credentials:
Next, the attackers went for the most coveted asset in any attack: privileged accounts and their credentials. To do this they used two main tools with credential-stealing and remote access capabilities. A Remote Access Tool (RAT) is malware that lets the attacker connect to and interact with the infected machine. RATs often have additional capabilities, and in this case those included various means of stealing credentials. The two tools in this attack were:
- Backdoor.Oldrea, also known as Havex – the backdoor (BD) is a “light” tool with minimal capabilities. Its main use is to maintain the attackers’ presence in the network and allow installation of more complex malware on the infected machine. A recent finding regarding Havex shows that it also actively scans for OPC (OLE for Process Control) servers, the components that broker access to the controllers and field devices in critical infrastructure networks.
- Trojan.Karagany – Karagany runs plug-in modules, including ones that collect credentials and take screenshots.
Usage of Credentials:
When the attack was discovered, it seems the attackers were still setting up the infrastructure for further attacks. The tools used made it possible to steal credentials and gather system information, including lists of files, installed programs, the roots of available drives, data from the computer’s Outlook address book, and VPN configuration files. The stolen credentials would enable the attackers to deepen their penetration, impersonate legitimate insiders and use privileged accounts to entrench themselves in the network.
In our next post, we’ll discuss mitigation techniques.