Since 2011, Energetic Bear, an Eastern European threat actor, has targeted the defense industry, the energy industry, and ICS equipment manufacturers with highly technical, prolonged attacks that are suggestive of a state sponsor. Energetic Bear’s exploit kits feature specialized malware, likely developed or adapted by the attackers, that was compiled during business hours (Monday – Friday, 9am – 6pm) UTC+4, which corresponds to working hours in Russia or Eastern Europe. Most security firms conclude that Energetic Bear is a Russian state-sponsored group because it targets nation states that are politically opposed to Russia. Further, the malware primarily compromises petroleum and energy systems that compete economically with Russia’s energy complex.
Based on its choice of targets and the malware deployed, Energetic Bear seems primarily interested in gathering intelligence on its victims or their country of origin and in establishing persistent access to compromised systems. The sophisticated exploit kits could easily be used to sabotage targets’ operations and cause damage or disruption in critical infrastructure sectors that depend on ICS and SCADA systems. So far, while the malware has been ideally positioned to sabotage ICS and SCADA systems, investigations by Symantec and other leading firms have observed the exploit kits used far more for espionage than for sabotage. The threat actors may prefer not to use this capability, or sabotage campaigns may already be occurring and appearing as system failures that are never investigated as cyber-attacks. More likely, Energetic Bear is pre-positioning its malware in compromised systems to preserve the widest range of options, keeping every attack vector available. Given its selection of targets and its exploit kits, both of which are detailed below, Energetic Bear is uniquely positioned to support a combination of digital and physical warfare for military or political purposes. Notably, Russia conducted such a campaign in its 2008 conflict with Georgia.
When Energetic Bear was discovered in 2011, the group targeted aviation and defense companies in the United States and Canada; by 2013, however, energy firms in the United States and Europe had become its primary targets. In particular, the exploit kit targets the systems of ICS equipment manufacturers and petroleum pipeline operators. Energy grid operators, electricity generation facilities, and industrial equipment providers are also susceptible to compromise. By targeting the smaller, less protected ICS manufacturing companies and antiquated SCADA systems, Energetic Bear is able to circumvent the massive state-sponsored cyber-security systems that typically protect critical infrastructure.
The exploit kits resemble the Stuxnet worm (which monitored and sabotaged the Iranian nuclear program in 2011) in potential impact. If the sabotage potential of the malware were realized, Energetic Bear could disrupt and seriously damage energy supply and regulation systems in countries such as the United States, Spain, France, Germany, Turkey, and Poland. Consider the tragedy that a malicious actor could wreak with the ability to remotely destroy oil rigs, energy generation facilities, or electrical grids. Even the smallest city-wide power outage has the potential to result in many deaths related to the loss of electricity needed for in-home medical care, heating, and the other technologies that support citizens’ daily lives. Even if an attack is controlled well enough or mitigated soon enough to prevent serious physical damage to a facility, consider the economic ramifications that the actor could inflict upon a nation state through repeated targeted attacks on its energy systems. The gas price hikes of the mid-2000s might seem a minor inconvenience in comparison to the damage caused by a persistent sabotage campaign.
From February to June 2013, Energetic Bear launched a spam campaign against the United States and European energy sectors. Executives and senior employees in seven organizations received emails, sent from a Gmail account, containing a malicious PDF. If the PDF was opened, the malware spread to the network. The emails were made to look as if they came from a known source (such as the victim’s boss), and organizations were targeted with anywhere between 1 and 84 emails. In a more ambitious spear-phishing campaign, emails containing remote access Trojans (RATs) were sent to personnel at three ICS equipment manufacturers that dominated their markets. The malware injected malicious code into the ICS software update bundles that were later posted for download from each manufacturer’s website. The equipment that would receive the updates is used in a number of sectors, including energy. The Trojan managed to compromise the bundles of two companies and infect the programmable logic controllers of devices produced by those manufacturers before the infection was discovered.
Later, watering hole attacks were added to the campaign. In these attacks, websites often visited by personnel of the target organization were compromised (usually with an injected iframe) and set to redirect victims to a site that delivered an exploit kit, which installed the malware on the victim’s PC. The development of additional attack vectors, and the resources needed to compromise third-party sites as “stepping stones” to the desired targets, suggest that the group is state sponsored. In either attack, the malware was configured to search victims’ systems for ICS software and updates and to trojanize them, so that the adversaries could compromise otherwise well-guarded ICS systems the next time the software was downloaded or updated by trusted personnel.
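A defender-side check for the watering hole vector described above, added here as an example and not part of the original article: it parses a page and flags iframes that are both hidden and point off-site, the usual shape of an injected redirect. The HTML and hostnames are constructed placeholders, and the "off-site plus hidden" heuristic is an assumption about what an injected iframe looks like, not a description of Energetic Bear's specific injection.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a vendor download page with one legitimate same-site
# iframe and one hidden, off-site iframe of the kind a watering hole injects.
SAMPLE_HTML = """
<html><body>
<h1>Vendor downloads</h1>
<iframe src="https://vendor.example/player" width="600" height="400"></iframe>
<iframe src="http://landing.example.invalid/in.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_hidden(attrs):
    """True if the iframe is styled invisible or sized to 1x1 or smaller."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "1")) <= 1 and int(attrs.get("height", "1")) <= 1
    except ValueError:
        return False  # non-numeric sizes (e.g. "100%") are treated as visible

def suspicious_iframes(html, site_host):
    """Return src URLs of iframes that are hidden AND load from another host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src => same site
        if host != site_host and _is_hidden(attrs):
            hits.append(src)
    return hits

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "vendor.example"):
        print("suspicious hidden off-site iframe:", src)
```

Run it periodically against your own public pages (or a cached copy) and alert on any new hit, since a legitimate site rarely gains a hidden cross-origin iframe on its own.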
Trojan.Karagany and Backdoor.Oldrea are remote access Trojans (RATs) used to install additional tools or malware, to search the system for valuable data, and to exfiltrate data from the system. In an attack, the group uses either Karagany or Oldrea, but never both, because the two serve the same purpose. Karagany is used in only 5% of attacks. Karagany is widely available on the internet underground, for purchase or for recompilation from source, because its code was leaked in 2010. Karagany features tools for indexing documents, taking screenshots of the system, and collecting passwords. At the adversary’s instruction, it can also download new tools or files, run plugins or executables, and exfiltrate data to a designated C&C server. Oldrea, also widely known as the Havex malware, appears to be used in most attacks and appears to have been written by or for the attackers. Once installed, Oldrea profiles the system by collecting system information, harvesting Outlook address book information, noting VPN configuration files, and indexing files, programs, and the root of each available drive. The data is compiled into a temporary file, encrypted, and sent to an adversary C&C server. Oldrea features a control panel that the adversaries use to authenticate to a C&C server and download a compressed copy of each victim’s data. The servers hijacked by Energetic Bear to serve as C&C servers may have been compromised using the same content management system exploit.