30 September 2014

State-Sponsored Spyware Systems and the Growing Industrial Espionage Threat

Calum Jeffray
September 26, 2014

Of Energetic Bears and Dragonflies: Espionage and the Energy Sector

While the UK was seemingly left relatively unscathed by the ‘Energetic Bear’ and ‘Dragonfly’ espionage attacks, the UK needs to remain vigilant of the cyber threat posed to its own energy sector

In a white paper published in July, Symantec reported details of an ongoing cyber-espionage campaign targeting energy companies in the US and Western Europe. The group behind the espionage has been designated ‘Dragonfly’ by Symantec, an Internet security firm, though it is also widely referred to as ‘Energetic Bear’ after a 2013 threat report published by Crowdstrike. The group has also been on the radar of the Finnish security firm F-Secure, which called the mysterious outfit ‘Havex’.

Thought to have been operating since at least 2011, the group initially targeted the US and Canadian defence and aerospace sectors. But last year they began to focus on penetrating industrial control systems in order to access the data of companies in the energy sector. These attacks have reportedly affected over 1,000 organisations across eighty-four countries. A blog post by Kaspersky suggests that a ‘wider range of enterprises’ in other industries have also been affected.

This appears to be the first time a specific sector has been targeted through online espionage in such a systematic way. But while Spain, France and Germany have been heavily affected, the UK does not feature in either Symantec’s or Crowdstrike’s list of the main countries targeted by the group.

Energetic Bear gained access to company systems through two types of malware (one of which was custom-made), both of which provided the attackers with remote access to and control of compromised computers. The malware was delivered to victims’ computers via three means. Initially, the group sent phishing e-mails to personnel within energy companies, with the malware contained in attachments. It then also began carrying out ‘watering hole’ attacks, in which multiple third-party websites likely to be visited by those working in the energy sector were compromised so that they redirected visitors to websites hosting an exploit kit, which in turn surreptitiously downloaded the malware. Finally, the group managed to compromise the software of three industrial control system (ICS) equipment manufacturers and insert malware into it.

Well Resourced, State Sponsored?

Parallels have been drawn with the Stuxnet attack in 2010, which also targeted ICS systems. Unlike the Stuxnet malware, however, the main motive in this case appears to be espionage rather than sabotage – though sabotage may remain a possibility. Like Stuxnet, the complexity and longevity of the campaign points to state involvement. Given the high degree of technical capability and its ability to penetrate multiple third-party websites, Symantec concludes that it ‘bears the hallmarks of a state-sponsored operation’.

The evidence that the group is Russian is compelling, though largely circumstantial. Symantec found that malware activity tended to be concentrated in a nine-hour period that corresponds to a working day in the UTC+4 time zone (apart from Oman and the UAE, Western Russia occupies the majority of this time zone). In addition, one of the pieces of malware used is based on Karagany, a remote-access trojan (RAT) that is known to be sold in the Russian underground economy. None of this, of course, excludes the possibility of a group based elsewhere having acquired the software and operating during Russian working hours to divert suspicion.
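The working-hours inference described above, as an added example (not from the article or from Symantec’s report): constructed activity timestamps are binned by UTC hour and every UTC offset is scored by how many events fall inside a nine-hour 09:00–18:00 local working day. The sample data, the window length and the function names are assumptions.

```python
"""Infer the most plausible working-hours UTC offset from attacker activity timestamps.

Added example, not the article's or Symantec's code. It mirrors the reasoning in the
text: activity concentrated in a nine-hour UTC window is compared against a 09:00-18:00
local working day for each candidate UTC offset. The result is circumstantial at best,
since an actor can deliberately operate in another region's working hours.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: UTC timestamps of observed beacon/compile activity, shaped so that
# events cluster in 05:00-14:00 UTC (a 09:00-18:00 working day at UTC+4) plus one outlier.
SAMPLE_EVENTS_UTC = [
    "2014-03-03T05:12:00", "2014-03-03T06:40:00", "2014-03-03T08:05:00",
    "2014-03-03T10:30:00", "2014-03-03T12:15:00", "2014-03-03T13:50:00",
    "2014-03-04T05:45:00", "2014-03-04T07:20:00", "2014-03-04T09:10:00",
    "2014-03-04T11:00:00", "2014-03-04T13:35:00", "2014-03-05T02:10:00",
    "2014-03-05T06:05:00", "2014-03-05T09:55:00", "2014-03-05T12:45:00",
]

WORKDAY_START, WORKDAY_LEN = 9, 9  # 09:00 local start, nine-hour window as in the report


def hour_histogram(iso_timestamps):
    """Count events per UTC hour (0-23)."""
    hours = Counter()
    for ts in iso_timestamps:
        hours[datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).hour] += 1
    return hours


def score_offsets(hist):
    """For each UTC offset -12..+14, count events inside the local working-day window."""
    scores = {}
    for offset in range(-12, 15):
        inside = 0
        for hour_utc, n in hist.items():
            local_hour = (hour_utc + offset) % 24
            if WORKDAY_START <= local_hour < WORKDAY_START + WORKDAY_LEN:
                inside += n
        scores[offset] = inside
    return scores


def best_offsets(iso_timestamps):
    """Return (best_score, sorted list of offsets tying for best). Ties occur whenever
    activity spans fewer than nine hours, which is one reason this evidence is weak."""
    scores = score_offsets(hour_histogram(iso_timestamps))
    top = max(scores.values())
    return top, sorted(o for o, s in scores.items() if s == top)


if __name__ == "__main__":
    print(best_offsets(SAMPLE_EVENTS_UTC))  # (14, [4]): 14 of 15 events fit a UTC+4 day
```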

Russian state interest in the sector would not be surprising, given that the energy sector currently accounts for around 30 per cent of Russia’s GDP. Indeed, if the espionage campaign is Russian in origin, it may also explain the lack of UK incidents, since the UK does not significantly feature on Russia’s map of major energy importers. While Russia is Europe’s biggest supplier of gas, providing around a third of the continent’s needs, the UK imports far less Russian gas than its European neighbours, instead mainly relying on domestic reserves or imports from Norwegian pipelines.

That said, recent events point to increased Russian interest in the UK energy market, which may make Energetic Bear more of a concern to the UK. In June, the Secretary-General of NATO claimed that Russia was actively backing British and continental environmental groups campaigning against fracking, in order to maintain European dependence on gas imports from Russia. This was echoed by a NATO official who told the Financial Times of their concern that ‘Russia could try to obstruct possible projects on shale gas exploration in Europe in order to maintain Europe’s reliance on Russian gas’.

Another important development was the three-year deal signed in 2012 between the UK’s biggest utility company, Centrica, and the Russian state-controlled energy firm Gazprom, which means that, from October this year, the UK will begin to import gas from Russia under a formal contract for the first time.

Despite these events, it seems the UK’s energy sector has been left alone – at least for the time being. While this espionage campaign therefore does not appear to pose an imminent threat to the UK, it is clear that the industry needs to be conscious of the threat posed by online espionage more generally. While the establishment of CPNI and CERT-UK will help protect the nation’s critical national infrastructure, the revelations this week have shown that online espionage is a significant threat to the energy sector. The Energetic Bear case should also be seen as a reminder that more often than not it is humans, rather than the systems themselves, who prove to be the point of greatest vulnerability. Industry and government, therefore, need to prioritise improving the public’s cyber-hygiene in order to keep the energetic bears at bay.

Calum Jeffray, Research Analyst in the National Security and Resilience programme at RUSI
