A string of watering hole attacks targeting oil and energy companies dating back to May could be linked to similar attacks against the U.S. Department of Labor website.
Researchers at Cisco discovered the compromised domains of 10 oil and energy companies worldwide, including hydroelectric plants, natural gas distributors, industrial suppliers to the energy sector and investment firms serving those markets. Six of the 10 sites shared the same Web design firm and three of the six are owned by the same parent company. Cisco researcher Emmanuel Tacheau speculates that credentials at the Web design firm were stolen, leading to the compromises.
The 10 sites were compromised and were serving iframe redirects to other sites hosting espionage malware, possibly the Poison Ivy remote access Trojan.
“The assumption is, with the target companies being in the energy sector, they were attempting to infect machines within that sector and exfiltrate intellectual property,” Tacheau said.
The iframes load exploit code and malware from three compromised domains—keeleux[.]com, kenzhebek[.], and nahoonservices[.]com. The exploits primarily target a Java vulnerability, CVE-2012-1723, or a flaw in Internet Explorer 8, CVE-2013-1347. A Firefox exploit, CVE-2013-1690, was also found in these attacks.
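The injection described above is a hidden iframe dropped into an otherwise legitimate page, pointing at an attacker-controlled domain. The following is an added example, not code from the article or from Cisco, of how a defender might sweep their own site's HTML for that pattern: it collects every iframe, flags those that point off-site or at the indicator domains the article names (the truncated kenzhebek[.] entry is left out), and flags any iframe styled to be invisible. The site hostname (example-energy.test) and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator domains named in the article (defanged in the text, real form here).
# "kenzhebek[.]" is truncated in the source, so it is deliberately not included.
KNOWN_BAD_DOMAINS = {"keeleux.com", "nahoonservices.com"}

# Constructed sample page for a hypothetical energy-company site: one legitimate
# iframe on the site's own host, one injected, zero-size iframe to an indicator domain.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly Update</h1>
<iframe src="https://www.example-energy.test/widgets/chart.html" width="600" height="400"></iframe>
<div>
<iframe src="http://keeleux.com/stat.php" width="0" height="0" style="display:none"></iframe>
</div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True if the iframe is sized or styled so a visitor would never see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero_size = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return zero_size or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host, bad_domains=KNOWN_BAD_DOMAINS):
    """Return [(src, [reasons])] for every iframe that deserves a closer look.

    site_host is the hostname the page is served from; iframes on that host or
    its subdomains are considered first-party.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host in bad_domains or any(host.endswith("." + d) for d in bad_domains):
            reasons.append("known indicator domain")
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site iframe")
        if _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "example-energy.test"):
        print(src, "->", ", ".join(reasons))
```

Run against fetched copies of a site's pages on a schedule, the indicator list becomes the least interesting signal: an off-site iframe that is also hidden is suspicious on its own, whichever domain it points to, and that is the check that would have caught these injections before the domains were known.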
Cisco said the malware used in the attacks is a Trojan that captures system configurations, as well as clipboard and keyboard data. It also establishes an encrypted connection to a command and control server hosted in Greece awaiting commands. All of the infected sites were notified and most had been cleaned up, Cisco said.
“Detection for the malware was extremely low, so that’s always a concern,” Tacheau said. “Fortunately, exploit detection for the exploits used is pretty good, so hopefully people will have been protected.”
Watering hole attacks are effective because they target websites of interest to the intended victim. In the past, government policy resource websites and mobile developer forums have been compromised in other watering hole attacks.
At the time of the Department of Labor attacks, also in May, the IE 8 exploit was a zero-day, and the DOL’s Site Exposure Matrices (SEM) website had been infected with JavaScript redirecting victims to the Poison Ivy RAT. The SEM website is a repository of data on toxic substances found at facilities run by the Department of Energy. At the time, security experts speculated the attackers were targeting DOE employees working on nuclear weapons programs.
The IE vulnerability was patched in May, but not before those attacks spread to nine other sites, including the U.S. Agency for International Development (USAID) and research firms in Asia.
Given the timing of the two attacks and the use of the same Internet Explorer exploit, the Department of Labor attacks could be tied to the energy and oil attacks as well.
“That’s the million dollar question,” Tacheau said. “There certainly are a lot of commonalities. If you combine the timing, the shared exploit and the sector targeted, it does seem at least suspiciously in favor of a semblance of attackers.”
The oil and energy attacks, however, were found coincidentally by Cisco researchers looking at system logs and noticing the commonalities in the sectors targeted.
“It boils down to a matter of volume,” Tacheau said. “These were low-volume, high-stakes attacks; these sites don’t attract a large number of visitors. The DOL attacks were different. When you have a high-profile site like that, those are always going to be spotted off the bat.”