Multiple intrusions conducted by Russian hackers against US, international energy sector organizations

The U.S. security agencies and the Department of Energy (DOE) released a joint cybersecurity advisory that provides information on multiple intrusion campaigns conducted by state-sponsored Russian cybercriminals from 2011 to 2018 against U.S. and international energy sector organizations. The agencies are sharing this information to highlight the historical tactics, techniques, and procedures (TTPs) these adversaries used to target such installations.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), along with the DOE, “assess that state-sponsored Russian cyber operations continue to pose a threat to U.S. Energy Sector networks,” according to the advisory released on Thursday. “CISA, the FBI, and DOE urge the Energy Sector and other critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory and Appendix A to reduce the risk of compromise,” it added.

The advisory covers the TTPs used in the now unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee in cyber operations against the global energy sector. Specifically, the advisory maps TTPs used in the global energy sector campaign and the compromise of the Middle East-based energy sector organization to the MITRE ATT&CK for Enterprise and ATT&CK for ICS frameworks.

From at least 2011 through 2018, the Russian FSB, also known as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala, conducted an intrusion campaign against international and U.S. energy sector organizations, the advisory revealed. The actors conducted a multi-stage campaign in which they gained remote access to compromised energy sector networks, deployed malware designed to collect industrial control system (ICS)-related information on those networks, and exfiltrated enterprise and ICS data.

The joint advisory said that beginning in 2013 and continuing through 2014, the actors deployed Havex malware against energy sector organizations and networks. “The threat actor gained access to these victim networks via spearphishing emails, redirects to compromised websites, and malicious versions of legitimate software updates on multiple ICS vendor websites. The new software updates contained installations of Havex malware, which infected systems of users who downloaded the compromised updates,” it added.

Havex is a remote access Trojan (RAT) that communicates with a command and control (C2) server. The advisory said that Havex allowed the hacker to install additional malware and extract data, including system information, lists of files and installed programs, e-mail address books, and virtual private network (VPN) configuration files. In addition, the Havex payload can cause common OPC platforms to crash, which could cause a denial-of-service condition on applications that rely on OPC communications. 

Open Platform Communications (OPC) is a series of standards and specifications typically used in industrial telecommunication. 

From 2016, the threat actor began widely targeting U.S. energy sector networks. “The actor conducted these attacks in two stages: first targeting third-party commercial organizations (such as vendors, integrators, and suppliers) and then targeting energy sector organizations. The threat actor used the compromised third-party infrastructure to conduct spearphishing, watering hole, and supply chain attacks to harvest energy sector credentials and to pivot to Energy Sector enterprise networks,” the advisory added.

After obtaining access to U.S. energy sector networks, the actors conducted network discovery, moved laterally, gained persistence, and then collected and exfiltrated ICS-related information from the enterprise and possibly operational technology (OT) environments. Exfiltrated information included vendor information, reference documents, ICS architecture, and layout diagrams, the advisory added.

In 2017, Russian cybercriminals with ties to Russian TsNIIKhM gained access to and manipulated a foreign oil refinery’s safety devices. These hackers used TRITON malware on the ICS controllers, which resulted in the refinery shutting down for several days. 

TRITON malware affects Triconex Tricon PLCs by modifying in-memory firmware to add additional programming, the advisory said. The extra functionality allows an attacker to read/modify memory contents and execute custom code, disabling the safety system. 

TRITON malware has multiple components, including a custom Python script, four Python modules, and malicious shellcode that contains an injector and a payload, it added.

The advisory comes on the same day as the U.S. Department of Justice (DoJ) unsealed indictments of three Russian FSB officers and a TsNIIKhM employee for their involvement in the following intrusion campaigns against the U.S. and international oil refineries, nuclear facilities, and energy companies.

A June 2021 indictment returned in the District of Columbia, United States v. Evgeny Viktorovich Gladkikh, concerns the alleged efforts of an employee of a Russian Ministry of Defense research institute and his co-conspirators to damage critical infrastructure outside the U.S., causing two separate emergency shutdowns at a foreign targeted facility. The conspiracy subsequently attempted to hack the computers of a U.S. company that managed similar critical infrastructure entities in the U.S.

Another August 2021 indictment, returned in the District of Kansas, United States v. Pavel Aleksandrovich Akulov, et al., details allegations about a separate, two-phased campaign undertaken by three officers of Russia’s FSB and their co-conspirators to target and compromise the computers of hundreds of entities related to the energy sector worldwide. Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” Lisa O. Monaco, DoJ’s deputy attorney general, said in a media statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

CISA, the FBI, and DOE advised energy sector organizations and others in the critical infrastructure sector to carry out network segmentation and to consider using virtual local area networks (VLANs) for additional segmentation. The advisory also suggested implementing perimeter security between network segments to limit the ability of cyber threat actors to move laterally.

Among other recommendations, it asked organizations to update all software, test all patches in out-of-band testing environments before deploying them to production environments, and implement application allowlisting on human-machine interfaces and engineering workstations.

Commenting on the developments, Robert M. Lee, CEO and co-founder of industrial cybersecurity company Dragos, wrote in a Twitter thread, “I’m glad CISA is providing a companion document w/ the DOJ indictment of the Russian govt operators who targeted ICS. Lots of great info but please don’t follow their mitigation advice for ICS. It’s not practical & in some cases dangerous.”

The current advisory also reminded the industry of the nation’s Department of State’s (DOS) Rewards for Justice program in case of any information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure. “You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA),” it added. 

The joint advisory comes simultaneously with the FBI’s reported warning to the nation’s energy sector about network scanning activity stemming from multiple Russia-based IP addresses. The activity is believed to be associated with cyber actors ‘who previously conducted destructive cyber activity against foreign critical infrastructure.’

Earlier this week, U.S. President Joe Biden announced that critical infrastructure owners and operators must improve domestic cybersecurity and bolster national resilience. The President’s advisory comes from ‘evolving intelligence’ that the Russian government is exploring options for potential cyberattacks on the nation’s critical infrastructure. CISA also issued last month its ‘Shields Up’ alert that notifies every organization in the country of potential risk from cyber threats that can disrupt essential services and potentially impact public safety. 
