American gas and oil companies have been targeted by a hacking group with ties to the Russian Federation for close to 18 months, a new research report indicates.

The attackers have leveraged watering hole attacks to infect users inside the critical infrastructure organizations to spread a remote access Trojan known as HAVEX. According to Crowdstrike’s 2013 Threat Report, released this morning, the RAT drops malware on compromised machines that sends system information to a command and control server, as well as credential-harvesting tools that steal passwords from browsers, and backdoors that communicate with the hackers’ infrastructure to drop additional payloads. It also uses RSA public key cryptography to encrypt and authenticate the malware files it drops. Generally attackers use low-grade encryption algorithms, said Adam Myers, vice president of intelligence at Crowdstrike.

“It’s well built. The people who had it built had more capable programmers than we’ve typically seen with the Chinese-based adversary,” said Myers. “That was something that piqued our interest when you see a nice clean piece of code like that. The functionality is something that you would typically expect but the leveraging of the RSA encryption algorithm is a lot more complicated than most of the stuff we see. Implementing public key cryptography is fairly unique for these types of attacks.”

Another noteworthy characteristic of the attacks, Myers said, is the fact that the attackers are querying the BIOS of machines inside these organizations.

“We’re not sure if they’re exploiting BIOS, but they are taking note of what BIOS is installed,” he said. “It’s possible they have some capability.”

Myers said that it’s not out of the realm of possibility for an attacker to copy out a machine’s BIOS and replace it with a custom BIOS. Such activity allows an attacker to maintain persistent presence on a computer, even if a hard drive is replaced, for example.

“And if you wanted to brick the machine, there’s no better way than to overwrite the BIOS,” Myers said.

The attacks are not limited to the U.S., Crowdstrike said; government agencies, manufacturing firms, defense contractors, healthcare and technology companies in Europe, the Middle East and Asia have also been targeted.

Crowdstrike said its data supports nation-state sponsorship of this campaign, given the sophistication of the tools, command and control activity, and the build-times of the malware samples and backdoor communication—all of which coincide with Russian working hours, the report said.

“The level and extent to which oil and gas were targeted was another thing to us that made it seem like it was very focused,” Myers said. “When you see that kind of focus in a targeted attack in terms of victimology, that’s something that gets your attention.”

The group’s use of watering hole attacks is similar to other groups that compromise websites that are a popular resource, for example, to the intended victim. Attackers generally inject JavaScript into a website that redirects victims using a vulnerable browser or version of Java to a website controlled by the hacker where malware is downloaded. A number of espionage campaigns favored this technique as a means of initial compromise.

“If you look back even as far as 2006, you see targeted attackers using a lot of Microsoft Office exploits until they exhausted all the low-hanging vulnerabilities in those products and then moved into Adobe and others,” Myers said. “It was the easiest way in; they’re not spending a lot of time looking for vulnerabilities, just using low-hanging stuff like Java to get around ASLR and stringing exploits together to get in. Anything that makes it easier for attackers…that’s why we’re seeing a lot of strategic web compromises.”

Categories: Critical Infrastructure

Comment (1)

  1. Suheil Shahryar
    1

    It is not just US companies that we should be worried about! With the world’s economies getting increasingly inter-dependent, disruptions in part of the world are very likely to have a “butterfly effect” in the opposite part of the world. This effect would be particularly felt in our critical national infrastructures, such as energy, finance, information and trade. Any small, localised and man-made disruption due to some anarchy or violence somewhere is likely to have a severe impact on all of us. What would be the best way to reduce these problems from occurring? Send more spies? Drones? Armies? No! These are not sustainable solutions. The smartest thing to do is to look at the root cause of these anarchies and violence and apply solutions to prevent them from happening. The answer is to support democracy and good governance capable of providing social and public service improvements (education, health, justice, energy, water, waste removal and shelter) to everyone in these countries. It is the lack of these fundamental amenities that lead to anarchy. Surely, some of the profits from our energy and other industries could go towards implementing these preventative measures. All it needs is about 1-2% going to funding these measures.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>