A few weeks ago, news agencies shared reports on the Energetic Bear attacks. Energetic Bear (also tracked as Dragonfly) is the name given to a Russia-linked intrusion group; what it delivered was not a virus but a remote access trojan known as Havex. The campaign targeted oil, gas, power, and energy investment companies, and the implant reportedly gave the attackers a foothold from which major power grids, oil pipelines, gas operators, and energy traders could have been disrupted. Analysts speculate that the motive was state-sponsored espionage: gaining a competitive advantage over global oil and energy producers.
One infection vector was a software supply-chain compromise: the attackers broke into the download sites of companies that provide industrial control software and replaced legitimate installers and updates with versions carrying the Havex RAT (the technical name for the Energetic Bear malware). Combined with watering-hole attacks on websites the targets already visited, this maximized the campaign's impact: numerous victims were infected by drawing them to one destination they had reason to trust, the place they went for software upgrades.
This could have been prevented with stronger protection of the software distribution chain: releases signed by the vendor, with the signature and the file hash verified before installation rather than trusting whatever a familiar-looking download page serves. Previously, we have talked about the dangers of embedded systems, and we all must be much more vigilant in watching the behavior of our devices. Good security tools have behavioral elements AND review all traffic, not just the popular or well-known ports.
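To make the supply-chain point concrete, here is an added example (not code from the original post, nor from any ICS vendor) of the check a deployment tool should run before an installer is executed. The installer bytes, filenames and manifest are constructed for illustration; the HMAC key stands in for the vendor's release-signing key, which in practice would be an asymmetric key whose public half is pinned in the deployment tooling. The example shows why a hash published on the same compromised download site is not enough: the manifest itself must be authenticated.

```python
import hashlib
import hmac
import json

# Constructed sample data; these are not real vendor files or Havex artifacts.
GENUINE_INSTALLER = b"ICS-driver-setup v2.1 -- genuine vendor build"
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00<injected RAT payload>"

# Assumption: stand-in for the vendor's release-signing key. A real deployment
# would verify an asymmetric signature against a pinned public key; HMAC is
# used here only so the example runs with the standard library.
VENDOR_SIGNING_KEY = b"example-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: authenticate the manifest so a compromised web server
    cannot quietly rewrite the published digests."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_installer(filename: str, data: bytes, manifest: dict,
                     signature: str, key: bytes) -> bool:
    """Client side: accept an installer only if the manifest is authentic AND
    the file digest matches the pinned entry. Fails closed on unknown files."""
    if not manifest_is_authentic(manifest, signature, key):
        return False
    expected = manifest.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# The vendor publishes a manifest for the genuine build and signs it.
MANIFEST = {"ics-driver-setup.exe": sha256_hex(GENUINE_INSTALLER)}
MANIFEST_SIG = sign_manifest(MANIFEST, VENDOR_SIGNING_KEY)

# An attacker who controls the download site can swap the installer and even
# rewrite the manifest, but cannot produce a valid signature for the new one.
TAMPERED_MANIFEST = {"ics-driver-setup.exe": sha256_hex(TROJANIZED_INSTALLER)}


if __name__ == "__main__":
    name = "ics-driver-setup.exe"
    print(verify_installer(name, GENUINE_INSTALLER, MANIFEST, MANIFEST_SIG, VENDOR_SIGNING_KEY))
    print(verify_installer(name, TROJANIZED_INSTALLER, MANIFEST, MANIFEST_SIG, VENDOR_SIGNING_KEY))
    print(verify_installer(name, TROJANIZED_INSTALLER, TAMPERED_MANIFEST, MANIFEST_SIG, VENDOR_SIGNING_KEY))
```

The second and third calls are the two things an attacker on a vendor's web server can do (swap the file, or swap the file and the hash list); both are rejected because the signature check runs first and the digest comparison only trusts a manifest that passed it.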
For these energy companies, a properly placed Network Behavior Anomaly engine in the SCADA (industrial control) network could have picked up the calls that went out to the command-and-control servers. Havex also carried a module that scanned the local network to enumerate OPC servers and other hosts, so an infected machine suddenly started mapping neighbours it had never spoken to before. Both patterns, the internal host-mapping and the periodic call-outs to the domains and compromised websites used for command and control, would have stood out as anomalous to an engine that baselines what normal traffic on that network looks like.
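As an added example (not code from the original post and not any vendor's anomaly engine), the detection logic below runs over a constructed set of flow records and flags exactly the two behaviors just described: a host fanning out to many distinct internal peers on one port inside a short window, and a host contacting an external address at suspiciously regular intervals. The addresses, ports, timestamps and thresholds are all assumptions made for the sample; the scan is modelled on TCP 135 because OPC enumeration rides on DCOM/RPC, and the beacon on HTTP because that is the kind of traffic that hides among "popular" ports.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src, dst, dst_port, proto).
# Assumed SCADA range 10.20.0.0/16; 10.20.1.7 is the "infected" engineering
# workstation, 10.20.1.5 a normal workstation, 10.20.1.10 a historian.
FLOWS = []
# Normal traffic: Modbus/TCP polling of the historian and some web browsing.
for ts in (10, 70, 130, 190, 250):
    FLOWS.append((ts, "10.20.1.5", "10.20.1.10", 502, "tcp"))
for ts in (5, 47, 310, 333, 900):
    FLOWS.append((ts, "10.20.1.5", "198.51.100.8", 443, "tcp"))
# Host-mapping: 16 distinct internal peers on TCP 135 within ~15 seconds.
for i in range(16):
    FLOWS.append((100 + i, "10.20.1.7", f"10.20.1.{20 + i}", 135, "tcp"))
# Beaconing: HTTP call-outs every ~10 minutes with small jitter.
for ts in (0, 601, 1199, 1802, 2400):
    FLOWS.append((ts, "10.20.1.7", "203.0.113.45", 80, "tcp"))

INTERNAL = ip_network("10.20.0.0/16")
FANOUT_THRESHOLD = 10      # distinct internal peers on one port per window
WINDOW_SECONDS = 60
BEACON_MIN_COUNT = 4       # connections needed before judging regularity
BEACON_MAX_JITTER = 0.2    # coefficient of variation of inter-arrival gaps


def detect_scanning(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Map (src, dst_port, window_index) -> number of distinct internal
    destinations, returning only buckets at or above the fan-out threshold."""
    peers = defaultdict(set)
    for ts, src, dst, port, _proto in flows:
        if ip_address(dst) in INTERNAL:
            peers[(src, port, int(ts // window))].add(dst)
    return {key: len(dsts) for key, dsts in peers.items() if len(dsts) >= threshold}


def detect_beacons(flows, min_count=BEACON_MIN_COUNT, max_jitter=BEACON_MAX_JITTER):
    """Map (src, external_dst, port) -> mean interval in seconds for external
    contacts whose timing is too regular to be a human browsing."""
    times = defaultdict(list)
    for ts, src, dst, port, _proto in flows:
        if ip_address(dst) not in INTERNAL:
            times[(src, dst, port)].append(ts)
    alerts = {}
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: near zero means machine-like regularity.
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_jitter:
            alerts[key] = round(avg, 1)
    return alerts


if __name__ == "__main__":
    for (src, port, win), n in detect_scanning(FLOWS).items():
        print(f"host-mapping: {src} touched {n} internal hosts on tcp/{port} in window {win}")
    for (src, dst, port), interval in detect_beacons(FLOWS).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{interval}s")
```

The browsing host never trips either detector: its internal traffic goes to one historian, and its external gaps (42, 263, 23, 567 seconds) are far too irregular. The beacon check deliberately ignores the port and payload, which is the point made above: an engine that only inspects unusual ports would never look at this HTTP session.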
It has been relatively quiet since Energetic Bear was last reported. Does this mean the attacks are over? Probably not. An initial attack can always be a dry run for bigger attacks. Just recently, the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, published a number of mitigation techniques for organizations to consider, from keeping patch levels up to date to "whitelisting" legitimate executable directories. They also asked that any available evidence from an attack be preserved for forensic analysis and law enforcement.
Because the best defense against this type of offense is preparation, one can never be "too prepared" to protect against a possible attack. Especially when the target is vital infrastructure that could potentially be shut down by a few keystrokes.