A three-year Eastern European cyber-espionage campaign against US and European energy companies granted attackers access to industrial control system networks that could be used to sabotage and disrupt energy supplies across the US, Japan, and Europe, security researchers say.
The attack group has earned the name "Energetic Bear" for its apparent Russian connection and focus on energy companies, according to an analysis by Crowdstrike, a cyber-security company in Irvine, Calif. The attack began in 2011, and the specialized malware has impacted 1,000 companies in 84 countries, the company says.
Whoever is behind the attacks, they have the hallmarks of being state-sponsored – including echoes of Stuxnet, the world’s first known cyber-weapon, which was deployed by the US and Israel to sabotage Iran’s nuclear fuel production facilities at Natanz four years ago, several cyber-security researchers told the Monitor.
Beyond its breadth, stealth and sophistication, what is most unusual is the industrial control system network software targeted by the “Bear,” they say. The intent was not simply to compromise these networks, but to control them.
Details about the spy campaign began to dribble out last week. That’s when F-Secure, a Finnish cyber-security company, startled the industrial control system security community with its conclusion that the attacker had used OPC – a type of translator software widely used in industrial networks – to intercept critical details of its victims' systems.
First, the attackers crept onto the websites of three key industrial control system (ICS) software vendors in Europe. From there, they inserted a nasty piece of malware that has been dubbed Havex (for an inscrutable word in the malicious software code) deep into otherwise legitimate software downloads on the websites.
This is called a “watering-hole” attack, with targets coming to get software they need and unwittingly leaving with the malware.
As of this week, one of the three vendors had already seen 250 downloads of the compromised software, reported cyber-security company Symantec on June 30. The second had the malicious software for download on its site for six weeks last June. The third had Havex on its site for 10 days in April.
Most victims were in the US, Spain, France, Italy, Germany, Turkey, and Poland, Symantec said. As early as 2011, other versions of Havex were disseminated by phishing attack, in which members of target organizations are fooled into downloading the malware through fraudulent e-mails.
Havex is a Remote Access Trojan (RAT), meaning it creates a backdoor that allows the attacker to control the computer it lands on. Perhaps more important, it also targets OPC data, gathering details about connected devices and sending them back to the attackers. This would allow the cyber-spies to hoover up data about the machines inside a company’s Supervisory Control and Data Acquisition (SCADA) system – the heavy-duty software used to open and close valves and control multiple facility sites over long distances.
“This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations,” F-Secure reports.
Symantec, which has dubbed the attack group "Dragonfly," agreed with Crowdstrike and F-Secure that the focus of the attacks was to gain access to, and control of, industrial networks.
“The privileges gained by infecting victims with access to industrial system networks were equivalent to getting access to the industrial equipment themselves,” writes Vikram Thakur, Symantec security response manager, in an e-mail. “While data espionage is one such purpose, such attacks gave the Dragonfly group the capability to mount industrial sabotage if they chose to do so.”
Federal experts concur that the threat is serious. The Department of Homeland Security has posted alerts on the attack, and researchers with its Industrial Control Systems – Cyber Emergency Response Team are reportedly analyzing Havex, which was encrypted to avoid detection and interpretation.
But its overall thrust was clear.
“It allows attackers to gather the necessary information on connected ICS devices to select appropriate payloads and perform a successful follow-on attack,” writes Michael Assante, an industrial control systems expert on the energy sector, in an e-mail.
The Havex attack is serious because it looks a lot like a nation-state preparing the battlefield for cyber-conflict, other experts say.
“Governments and other groups are preparing, deploying, and maintaining communications with ICS cyber-weapons on potential future targets,” writes Dale Peterson, a former National Security Agency expert, now president of Digital Bond, a Florida industrial cyber-security company, in an e-mail. “This is what I would do if I worked for a government and was tasked with being able to take out a critical infrastructure when the order comes down.”