Modern field guide to security and privacy

An anti-US Stuxnet? Startling attack against industrial complex revealed.

A cyber-espionage campaign targeting industrial control system networks bears all the hallmarks of sabotage – and has an apparent Russia connection, one group says.

Jordan Silverman/Norwich University/AP
Norwich University student Jacob Evans works on learning offensive and defensive cyberwarfare tactics in Northfield, Vt., March 5, 2012. A six-week seminar teaches students to build and defend computer networks.

A three-year Eastern European cyber-espionage campaign against US and European energy companies granted attackers access to industrial control system networks that could be used to sabotage and disrupt energy supplies across the US, Japan, and Europe, security researchers say.

The attack group has earned the name "Energetic Bear" for its apparent Russian connection and focus on energy companies, according to an analysis by Crowdstrike, a cyber-security company in Irvine, Calif. The attack began in 2011, and the specialized malware has impacted 1,000 companies in 84 countries, the company says.

Whoever is behind the attacks, they have the hallmarks of being state-sponsored – including echoes of Stuxnet, the world’s first known cyber-weapon, which was deployed by the US and Israel to sabotage Iran’s nuclear fuel production facilities at Natanz four years ago, several cyber-security researchers told the Monitor.

Beyond its breadth, stealth and sophistication, what is most unusual is the industrial control system network software targeted by the “Bear,” they say. The intent was not simply to compromise these networks, but to control them.

Details about the spy campaign began to dribble out last week. That’s when F-Secure, a Finnish cyber-security company, startled the industrial controls system security community with its conclusion that the attacker had used OPC – a type of translator software widely used in industrial networks – to intercept critical details of its victims' systems.

First, the attackers crept onto the websites of three key industrial control system (ICS) software vendors in Europe. From there, they inserted a nasty piece of malware that has been dubbed Havex (for an inscrutable word in the malicious software code) deep into otherwise legitimate software downloads on the websites.

This is called a “watering-hole” attack, with targets coming to get software they need and unwittingly leaving with the malware.

As of this week, one of the three vendors had already seen 250 downloads of the compromised software, reported cyber-security company Symantec on June 30. The second had the malicious software for download on its site for six weeks last June. The third had Havex on its site for 10 days in April.

Most victims were in the US, Spain, France, Italy, Germany, Turkey, and Poland, Symantec said. As early as 2011, other versions of Havex were disseminated by phishing attack, in which members of target organizations are fooled into downloading the malware through fraudulent e-mails.

Havex is a Remote Access Trojan (RAT), meaning it creates a backdoor that allows the attacker to control the computer it lands on. Perhaps more important, it also targets OPC data, gathering details about connected devices and sending them back to the attackers. This would allow the cyber-spies to hoover up data about the machines inside a company’s Supervisory Control and Data Acquisition (SCADA) – the heavy duty software used to open and close valves and control multiple facility sites over long distances.

“This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations,” F-Secure reports.

Symantec agreed with Crowdstrike and F-Secure that the focus of the attacks was to gain access and control of industrial networks. (Though it has dubbed the attack group "Dragonfly.")

“The privileges gained by infecting victims with access to industrial system networks were equivalent to getting access to the industrial equipment themselves,” writes Vikram Thakur, Symantec security response manager, in an e-mail. “While data espionage is one such purpose, such attacks gave the Dragonfly group the capability to mount industrial sabotage if they chose to do so.”

Federal experts concur that the threat is serious. The Department of Homeland Security has posted alerts on the attack, and researchers with its Industrial Control Systems – Cyber Emergency Response Team are reportedly analyzing Havex, which was encrypted to avoid detection and interpretation.

But its overall thrust was clear.

“It allows attackers to gather the necessary information on connected ICS devices to select appropriate payloads and perform a successful follow-on attack,” writes Michael Assante, an industrial controls systems expert on the energy sector, in an e-mail.

The Havex attack is serious because it looks a lot like a nation-state preparing the battlefield for cyber-conflict, other experts say.

“Governments and other groups are preparing, deploying, and maintaining communications with ICS cyber-weapons on potential future targets,” writes Dale Peterson, a former National Security Agency expert, now president of Digital Bond, a Florida industrial cyber-security company, in an e-mail. “This is this is what I would do if I worked for a government and was tasked with being able to take out a critical infrastructure when the order comes down.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to