American gas and oil companies have been targeted by a hacking group with ties to the Russian Federation for close to 18 months, a new research report indicates.
The attackers have used watering hole attacks to infect users inside these critical infrastructure organizations and spread a remote access Trojan known as HAVEX. According to Crowdstrike’s 2013 Threat Report, released this morning, the RAT drops several components on compromised machines: malware that sends system information to a command and control server, credential-harvesting tools that steal passwords from browsers, and backdoors that communicate with the hackers’ infrastructure to fetch additional payloads. It also uses RSA public key cryptography to encrypt and authenticate the files it drops, whereas attackers generally rely on low-grade encryption algorithms, said Adam Myers, vice president of intelligence at Crowdstrike.
“It’s well built. The people who had it built had more capable programmers than we’ve typically seen with the Chinese-based adversary,” said Myers. “That was something that piqued our interest when you see a nice clean piece of code like that. The functionality is something that you would typically expect but the leveraging of the RSA encryption algorithm is a lot more complicated than most of the stuff we see. Implementing public key cryptography is fairly unique for these types of attacks.”
Another noteworthy characteristic of the attacks, Myers said, is the fact that the attackers are querying the BIOS of machines inside these organizations.
“We’re not sure if they’re exploiting BIOS, but they are taking note of what BIOS is installed,” he said. “It’s possible they have some capability.”
Myers said that it is not out of the realm of possibility for an attacker to copy out a machine’s BIOS and replace it with a custom one. A replaced BIOS gives an attacker a persistent presence on the computer that survives, for example, replacement of the hard drive.
“And if you wanted to brick the machine, there’s no better way than to overwrite the BIOS,” Myers said.
The attacks are not limited to the U.S., Crowdstrike said; government agencies, manufacturing firms, defense contractors, healthcare and technology companies in Europe, the Middle East and Asia have also been targeted.
Crowdstrike said its data supports nation-state sponsorship of this campaign: the sophistication of the tools, the command and control activity, and the build times of the malware samples and the timing of backdoor communication all coincide with Russian working hours, the report said.
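The working-hours argument above is a standard analytic step: take the compile timestamps embedded in the malware samples, shift them into a candidate time zone, and see what share of builds fall on weekdays during office hours. The script below is an added illustration of that step, not code from the report or from Crowdstrike, and the twelve build times in it are constructed values (eleven weekday daytime builds in UTC+4 plus one Saturday-night outlier), not timestamps from HAVEX samples. The UTC+4 offset and the 09:00–18:00 window are assumptions chosen for the sample; the page does not state which zone or hours the analysts used. Compile timestamps can be forged or zeroed by the builder, which is why the report pairs them with C2 activity rather than relying on them alone.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def _build_time(year, month, day, hour, minute, utc_offset_hours):
    """Epoch seconds for a wall-clock build time in a given UTC offset.
    Used only to construct the sample data below."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(year, month, day, hour, minute, tzinfo=tz).timestamp())


# Constructed sample: invented build times, not values from any real sample.
# Eleven fall on weekdays between 09:00 and 18:00 in UTC+4; the last is a
# Saturday 22:05 outlier that an analyst would expect to see occasionally.
SAMPLE_BUILD_TIMES = [
    _build_time(2013, 3, 4, 9, 12, 4),    # Monday
    _build_time(2013, 3, 5, 10, 40, 4),   # Tuesday
    _build_time(2013, 3, 6, 11, 5, 4),    # Wednesday
    _build_time(2013, 3, 7, 12, 30, 4),   # Thursday
    _build_time(2013, 3, 11, 13, 15, 4),  # Monday
    _build_time(2013, 3, 12, 14, 50, 4),  # Tuesday
    _build_time(2013, 3, 13, 15, 20, 4),  # Wednesday
    _build_time(2013, 3, 14, 16, 45, 4),  # Thursday
    _build_time(2013, 3, 15, 17, 30, 4),  # Friday
    _build_time(2013, 3, 18, 9, 55, 4),   # Monday
    _build_time(2013, 3, 19, 17, 10, 4),  # Tuesday
    _build_time(2013, 3, 23, 22, 5, 4),   # Saturday night outlier
]


def working_hours_fraction(timestamps, utc_offset_hours, start_hour=9, end_hour=18):
    """Shift epoch timestamps into the candidate zone and return
    (fraction on a weekday inside [start_hour, end_hour), histogram by local hour)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    by_hour = Counter()
    in_window = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        by_hour[local.hour] += 1
        # weekday() is 0..4 for Monday..Friday
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_window += 1
    return in_window / len(timestamps), by_hour


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Score every whole-hour UTC offset by its working-hours fraction,
    best first. A clear winner suggests the builders' local zone; a flat
    ranking means the timestamps carry no usable signal."""
    scored = [(working_hours_fraction(timestamps, off)[0], off) for off in offsets]
    return sorted(scored, key=lambda s: (-s[0], s[1]))


if __name__ == "__main__":
    fraction, hist = working_hours_fraction(SAMPLE_BUILD_TIMES, 4)
    print(f"UTC+4: {fraction:.2%} of builds on weekdays 09:00-18:00")
    for hour in sorted(hist):
        print(f"  {hour:02d}:00  {'#' * hist[hour]}")
    print("best offsets:", rank_offsets(SAMPLE_BUILD_TIMES)[:3])
```

With the constructed sample, UTC+4 scores 11/12 while UTC+3 and UTC+5 each drop to 9/12, which is the kind of peaked ranking the report describes; on real data the same peak is only corroboration and should be read alongside C2 beacon times and other evidence.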
“The level and extent to which oil and gas were targeted was another thing to us that made it seem like it was very focused,” Myers said. “When you see that kind of focus in a targeted attack in terms of victimology, that’s something that gets your attention.”
The group’s use of watering hole attacks resembles that of other groups, which compromise websites that their intended victims are known to visit. Attackers generally inject JavaScript into the site that redirects visitors running a vulnerable browser or version of Java to a site under the hacker’s control, from which malware is downloaded. A number of espionage campaigns have favored this technique as a means of initial compromise.
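From the compromised website’s side, the injected redirect described above usually shows up as a script or iframe pulling from a host the site does not normally reference, or as an inline script that rewrites the page location or writes an off-site iframe. The checker below is an added example of that integrity check, not code from the article or from Crowdstrike; the page HTML, the site host `victim-site.example`, the allow-listed CDN and the `injected.example` host are all constructed placeholders (`.example` is a reserved TLD). It walks the page with the standard-library HTML parser and reports loads that are neither same-host nor on the allow-list, plus inline scripts that match a few redirect patterns.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script patterns that commonly appear in injected redirects:
# location changes and document.write() of an iframe. Deliberately narrow;
# extend the list from your own baseline of legitimate page scripts.
REDIRECT_PATTERNS = re.compile(
    r"location\s*(\.href|\.replace|\.assign|\s*=)"
    r"|document\.write\s*\(\s*['\"]\s*<iframe",
    re.IGNORECASE,
)


class ExternalLoadFinder(HTMLParser):
    """Collects (kind, detail) findings for off-site script/iframe sources
    and for inline scripts matching REDIRECT_PATTERNS."""

    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe"):
            src = attrs.get("src")
            if src:
                host = urlparse(src).hostname
                # Relative URLs have no hostname and are same-origin by definition.
                if host and host.lower() != self.site_host and host.lower() not in self.allowed:
                    self.findings.append((tag, src))
        if tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        # The parser delivers script bodies as raw text (possibly in chunks).
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            match = REDIRECT_PATTERNS.search(body)
            if match:
                self.findings.append(("inline-script", body[:80].strip()))
            self._in_script = False
            self._script_buf = []


def find_unexpected_loads(html, site_host, allowed_hosts=()):
    """Return the list of findings for one page; an empty list means clean."""
    finder = ExternalLoadFinder(site_host, allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed page: a same-host script, an allow-listed CDN script, one
# injected off-site script, and one injected inline redirect.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.allowed.example/lib.js"></script>
<script src="https://injected.example/r.js"></script>
</head><body>
<p>Quarterly production figures</p>
<script>document.write('<iframe src="http://injected.example/landing" width=1 height=1></iframe>');</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_unexpected_loads(SAMPLE_PAGE, "victim-site.example", ["cdn.allowed.example"]):
        print(f"{kind}: {detail}")
```

Run against a crawl of your own site on a schedule and diff the findings against the previous run; the interesting event is a new off-site host appearing on pages that did not change through your deployment process.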
“If you look back even as far as 2006, you see targeted attackers using a lot of Microsoft Office exploits until they exhausted all the low-hanging vulnerabilities in those products and then moved into Adobe and others,” Myers said. “It was the easiest way in; they’re not spending a lot of time looking for vulnerabilities, just using low-hanging stuff like Java to get around ASLR and stringing exploits together to get in. Anything that makes it easier for attackers…that’s why we’re seeing a lot of strategic web compromises.”