No ordinary Energetic Bear boo-boo

Energetic Bear offers VARs a lesson applicable to all enterprise security, says Tobie Kottman

Symantec has reported that Russian hackers have been targeting western oil and gas companies with an attack called Energetic Bear, also known as Dragonfly, since at least 2011.

According to a Symantec report, the attackers are targeting energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers located in the US, Spain, France, Italy, Germany, Turkey, Poland, and other countries.

These hackers attack industrial control systems (ICSes) used in critical infrastructure because of the power they wield and disruption they can cause. As in other cyberattacks on organisations, attackers tend to target privileged accounts, as these are the keys to the kingdom, which can access sensitive information and grant control.

Such attacks show the channel new opportunities. They demonstrate where organisations and enterprises need to work on their cyber protection. Partners have an important job beyond supplying the products and services that can plug these security gaps; they can explain why potential vulnerabilities need to be addressed.

Most critically, this case demonstrates the lack of protection for highly privileged accounts.

Our research team has analysed the Energetic Bear attack. Like other breaches of its kind, the attackers were looking to use a privilege escalation pathway to make themselves de facto network insiders.

There are three stages: gaining access, retrieving the credentials, and using these credentials to achieve selected goals.

Energetic Bear uses known strategies to infiltrate networks, such as phishing and watering-hole attacks. In this case, the group also compromised a number of ICS software providers and infected their software with malware.

When the ICS software was updated during normal operations, connected machines became infected with this malware. But this was only the beginning.

Next, the attackers went for the privileged accounts or credentials, using two main malware tools with credential-stealing and remote access capabilities.

Remote access tools often have additional capabilities; in this case, these included various means to steal credentials.

• BD Oldrea, also known as Havex. The back door (BD) is a lightweight tool with minimal capabilities. Its main role is to maintain the attackers' presence in the network and allow installation of more complex malware on the infected machine. It has also recently been found that Havex actively scans servers that control devices in critical infrastructure networks.

• Trojan Karagany. Karagany runs modules that may be able to collect credentials and take screenshots.

When the attack was discovered, the attackers appear to have been setting up the infrastructure for further attacks. The tools used made it possible for the attackers to steal credentials and gather system information, including lists of files, installed programs, roots of available drives, data from the computer's Outlook address book, and VPN configuration files.

The stolen credentials would enable the attackers to penetrate more deeply into the network and impersonate legitimate insiders.

Organisations and enterprises need better practices and policies in place to mitigate such attacks, making it critical for the channel to take notice. Certain techniques could have been used – either in isolation or as part of a comprehensive privileged account security strategy – to limit the extent of the attack.

Implementing a jump server would stop credentials residing on endpoint machines, and so prevent the attackers from hijacking those credentials and gaining direct access.

Monitoring privileged account activity would reveal how users with privileges normally behave on the network, giving defenders a chance to detect anomalies that may indicate malicious activity.

Automated password management may remove the need for users to type passwords, and with it the chance for anyone to view or record them when connecting to systems on the network. This could stop attackers recovering passwords from screenshots or keyloggers.

A credential management system that generates random, complex and unique passwords, and replaces them according to organisational policy, may prevent brute-force access.
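As an added illustration of the jump-server and monitoring points above (example code written for this piece, not from the article or from CyberArk), the script below reads constructed privileged-session records in an assumed format and flags sessions that bypass the jump server or fall outside working hours. The log format, host addresses, account names and working window are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample of privileged-session records (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2014-07-01T09:02:11 user=ops-admin src=10.0.5.10 dst=plc-hist-01 result=OK
2014-07-01T09:15:43 user=ops-admin src=10.0.5.10 dst=scada-srv-02 result=OK
2014-07-01T23:41:07 user=ops-admin src=10.0.22.117 dst=scada-srv-02 result=OK
2014-07-02T02:10:55 user=backup-svc src=10.0.22.117 dst=vpn-gw-01 result=OK
2014-07-02T08:30:00 user=ops-admin src=10.0.5.10 dst=plc-hist-01 result=OK
2014-07-02T03:05:19 user=dba-admin src=10.0.22.117 dst=db-01 result=FAIL
"""

# Assumed policy: the jump server is the only sanctioned origin of privileged sessions,
# and these are the privileged accounts whose activity is being baselined.
JUMP_HOSTS = {"10.0.5.10"}
PRIVILEGED = {"ops-admin", "dba-admin", "backup-svc"}
WORKING_HOURS = range(7, 20)  # assumed 07:00-19:59 local time

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_anomalies(log_text, jump_hosts=JUMP_HOSTS, privileged=PRIVILEGED):
    """Flag privileged sessions that bypass the jump server or run outside working hours.

    Returns a list of (timestamp, user, src, reason) tuples, one per rule hit;
    failed attempts are flagged too, since they still show the account being used.
    """
    findings = []
    for rec in parse(log_text):
        if rec["user"] not in privileged:
            continue
        if rec["src"] not in jump_hosts:
            findings.append((rec["ts"].isoformat(), rec["user"], rec["src"], "bypassed jump server"))
        if rec["ts"].hour not in WORKING_HOURS:
            findings.append((rec["ts"].isoformat(), rec["user"], rec["src"], "outside working hours"))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

In the sample, every session from the non-jump host 10.0.22.117 also lands at night, so each of those three records produces two findings.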

Critical infrastructure will always be a top target. Energy companies and such organisations need to improve their ICS security. Enterprises too must learn from this and the channel can play a vital role.

Tobie Kottman is channel manager for Northern Europe, the UK and Ireland at CyberArk