What is Energetic Bear and Dragonfly?
In a recent whitepaper released on June 30 by Symantec, they report a new on-going, sophisticated cyber espionage campaign targeting the Western Energy sector. This campaign targets energy grid operators, major electricity generation firms, petroleum pipeline operators and energy Industrial Control Systems (ICS) equipment manufacturers located in the United States, Spain, France, Italy, Germany, Turkey, and Poland. The group of hackers launching this campaign have dubbed themselves as “Energetic Bear” and “Dragonfly”. It is assumed by some that Energetic Bear is state-sponsored by Russia, but this is still an allegation. If these allegations are correct, it would be the first report of Russia cyber espionage against U.S. and European energy companies.
Energetic Bear was able to compromise a number of ICSs in use by these energy companies. They were able to utilize spam email campaigns and watering hole attacks to infect the target organizations as well. They then infected these systems with a remote-access Trojan. Once infected, this allowed Energetic Bear the means to launch sabotage operations against the infected ICSs.
Energetic Bear used two main pieces of malware in their attacks: Backdoor.Oldrea and Trojan.Karagany
Both of these pieces of malware are the remote access type, which allows the attackers access to the infected device. Symantec discovered that the devices compromised were infected with Oldrea in most cases, and only found Karagany installed in a small number of cases.
The Oldrea backdoor seems to be customized malware, more than likely written by the group themselves. Once installed, Oldrea gathers system information, lists of files, programs installed, Outlook Address Book information, VPN configurations, and available drives for the infected device. This information is saved to an encrypted file, and sent to an attacker-controlled remote Command & Control (C&C) server. The attackers can then view the information obtained from this attack.
The Karagany Trojan is capable of uploading stolen data, downloading new files, and running executables on the infected device.
Luckily, Symantec has detections in place to protect customers running their most up-to-date software from the malware used below:
As we can see from the information above, the Energetic Bear group is a team of highly-skilled hackers who are able to think strategically. Could this be the 2014 version of Stuxnet?