Cyber Espionage: Understanding Energetic Bear

22 October 2014 (Last Updated October 22nd, 2014 18:30)

Earlier this year, a cyber attack carried out by a group known as Energetic Bear infiltrated the computers and systems of more than 1,000 organisations operating in the global energy sector. Having gained access to sensitive data and put itself in a position to disrupt energy supplies, the group has highlighted the risks posed by security breaches. So how did it succeed and what can be done to stop it from happening again?

You can have the most sophisticated front door in the world with a reinforced steel frame, ten-piece lock, blood flow measurement system and coded key that is capable of withstanding explosions and high-grade cutting equipment, but all of that technology and security is rendered meaningless if you leave the back door open.

In essence, this is the lesson learnt after the recent swathe of cyber attacks on critical energy infrastructure across the world by a cyber espionage group most widely referred to as Energetic Bear. The campaign, which was detected by the US Department of Homeland Security and reported by cyber security firm Symantec in a blog post in June, targeted a number of organisations in the US and Europe operating in the energy sector. It succeeded in gaining access to critical data, including passwords and confidential documents, and had the potential to disrupt energy supplies.

Referring to the group as Dragonfly, Symantec explained that energy grid operators, industrial equipment providers, electricity generation firms and petroleum pipeline operators in countries such as the US, France, Spain and Germany had been compromised. It stated that the group was "well resourced" and most likely operating in Eastern Europe, though it stopped short of suggesting that it was backed by the Russian state, as other firms later claimed.

Sophisticated tools and multiple methods of attack

To carry out the attack, Symantec explained, the group used two separate malware tools. The first, called Oldrea (also known as Havex or the Energetic Bear RAT), was custom-built malware used to gather data and files, to map the drives and servers accessible from the targeted computers, and to collect e-mail address books.

The second, Trojan.Karagany, was a piece of black-market software modified for the purposes of the attack; it enabled the group to upload stolen data, download new files and run executables. Symantec reported that Oldrea was found on about 95% of the infected computers and Karagany on only about 5%; the reason for the imbalance is unknown.

In order to infect the target computers, the group adopted three separate approaches. Initially, it launched an e-mail campaign that selectively targeted executives and senior staff within the energy sector. The attack e-mails, titled either 'The account' or 'Settlement of delivery problem', carried a malicious PDF attachment that, when opened, infected the computer with the malware.
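The first line of defence against an attachment like the one described above is to triage it before a user opens it. The following is an added example, not code from the article or from any of the firms it quotes: a pdfid-style scan, using only the Python standard library, that counts the PDF keys that let a document act on its own when opened (/OpenAction, /AA) or run active content (/JavaScript, /JS, /Launch, /RichMedia, /XFA). It also normalises the #xx hex escapes that PDF allows inside names, a common trick for hiding /JavaScript from naive string matching, and treats object streams (/ObjStm) as a reason for review because they can hide those keys in compressed form. The three sample documents are constructed for the example and are not the attackers' files.

```python
import re
from collections import Counter
from typing import Dict, Tuple

# Keys that let a PDF act without further user interaction, or run active content.
RISKY_KEYS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/XFA", "/ObjStm")

# Constructed samples (not real malware): a plain one-page document and the same
# document with an /OpenAction that runs embedded JavaScript as soon as it opens.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document with the name obfuscated as /J#61vaScript (PDF hex escape for 'a').
OBFUSCATED_PDF = SUSPICIOUS_PDF.replace(b"/JavaScript", b"/J#61vaScript")


def _normalise_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_keys(data: bytes) -> Dict[str, int]:
    """Count each risky name; a name ends at whitespace or a PDF delimiter."""
    data = _normalise_names(data)
    counts: Counter = Counter()
    for key in RISKY_KEYS:
        pattern = re.escape(key).encode() + rb"(?=[\s/<>\[\](){}%])"
        counts[key] = len(re.findall(pattern, data))
    return dict(counts)


def triage(data: bytes) -> Tuple[str, Dict[str, int]]:
    """Return ('allow' | 'review' | 'quarantine' | 'not-a-pdf', key counts)."""
    if not data.startswith(b"%PDF"):
        return "not-a-pdf", {}
    c = count_risky_keys(data)
    auto = c["/OpenAction"] + c["/AA"]
    active = (c["/JavaScript"] + c["/JS"] + c["/Launch"]
              + c["/RichMedia"] + c["/XFA"])
    if auto and active:
        # Code that runs merely because the recipient opened the attachment.
        return "quarantine", c
    if auto or active or c["/EmbeddedFile"] or c["/ObjStm"]:
        # Worth a human look, or a full parse to inflate object streams.
        return "review", c
    return "allow", c


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                      ("obfuscated", OBFUSCATED_PDF)):
        verdict, counts = triage(doc)
        print(f"{name:11s} -> {verdict:10s} "
              f"{ {k: v for k, v in counts.items() if v} }")
```

A "quarantine" verdict here is a triage signal, not proof of compromise: legitimate forms use JavaScript too, and an attacker who wraps every object in a compressed object stream defeats plain string counting, which is why /ObjStm alone is enough to send a file for a full parse rather than straight to the user.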

The group followed up with a 'watering hole' attack, in which malicious code was planted on legitimate websites frequently visited by people working in the energy sector. Visitors were redirected to a second compromised site hosting an exploit kit, which used browser and Java plug-in flaws to drop the malware onto the machine without the user knowingly downloading anything.

The third, and most technically sophisticated, form of attack saw the group compromise software packages available for download from legitimate providers' websites, inserting the malware into the installers themselves; one infected package remained available for download for six weeks. All three of the companies compromised sold industrial control system software into the energy sector, so customers who installed what appeared to be a routine update from a trusted vendor were infected.

Potential to pull the plug on targeted countries' power

Overall, the group was able to gain access to computers and systems at more than 1,000 organisations of critical importance within the energy sector. It gained access to huge amounts of sensitive information, both in terms of commercial and security value, and was effectively able to spy on the operations of the companies. In its note on the attack, Symantec explained that, had it wanted to, the group would have been able to cause "damage or disruption to energy supplies in the affected countries".

The fact that the threat was detected before any such disruptions were caused would appear to be a positive thing. However, the fact that such a disruption was possible shows that even though the security around energy control systems is sophisticated, it is not impenetrable.

"It is humans, rather than the systems themselves, which prove to be the point of greatest vulnerability."

According to Will Rockall, a director in the cyber security practice at KPMG, the attack is unlikely to be the end of it. He said: "It seems inevitable that this type of threat will rise. Just because these are specialised systems that need a high degree of skill to attack, does not mean well-organised groups are not going to invest the effort in disrupting such critical resources as power generation or transmission. The prize from their point of view is high enough to justify them spending a significant amount of time and money to develop cyber weapons like this."

What did the hackers achieve?

Although the attack had no tangible impact, such as a disruption to energy supplies, it sent shockwaves through the energy industry. Having gained access to the inner sanctums of more than 1,000 companies in the sector, the group could have compiled a vast cache of sensitive data covering everything from market-sensitive financial information to confidential security procedures. In the Edward Snowden and Wikileaks era, the potential for irreversible damage to be done simply through the release of data is all too clear, so the full impact may yet be felt.

More profoundly, the attack highlighted the weaknesses that exist within the sector's IT infrastructure. Access to internal computers and servers can be gained through a seemingly routine e-mail, while malware can be spread across the sector by corrupting legitimate and widely used software packages. Irrespective of the intentions of Energetic Bear, if other parties were to succeed in a similar attack, the sector could suffer significantly.

What can be done?

From a different perspective though, the attack could be seen as a blessing, showing the sector where its weaknesses are and offering it the opportunity to ensure that such an attack is not repeated. According to Chema Alonso, CEO of Eleven Paths, the energy sector must take a leaf out of the Energetic Bear book and try to break through its own systems.

He said: "Penetration testing is a vital part of a security strategy. There is no room for ego in network and cyber security, so don't assume your systems are secure. The constantly evolving landscape means that if you do, you'll probably be hacked first. You need to find the vulnerabilities before someone else does and exploits them."

In a paper on how companies should respond to Energetic Bear and the threat of similar attacks occurring in the future, SecurityMatters noted that cyber security vendors, such as Symantec, were quick to update their solutions to counter the known threats from the group.

However, it stressed the need for companies to complement traditional, signature-based solutions, which can only respond to a threat once it has been identified, with a non-signature-based approach. It said that it is "vital that along with traditional cybersecurity solutions enterprises deploy a non-signature based network monitoring solution like SilentDefense ICS, which does not rely on the knowledge of a threat to detect it and report it".
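What a non-signature-based monitor does, stripped to its core, is learn which hosts normally talk to which others on a control network and then raise an alert for anything new, whether or not the traffic matches a known malware sample. The following is an added example written for this article, not SecurityMatters' product or any code the article describes: it learns a whitelist of (source, destination, port, protocol) tuples from a clean baseline window, then flags unseen tuples, destinations outside the site's address ranges, and any single host that opens connections to several new destinations at once, which is how a newly installed backdoor mapping reachable servers would look. The flow records, addresses and site range are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple
from typing import Dict, Iterable, List, Set, Tuple

Flow = namedtuple("Flow", "src dst dport proto")
Key = Tuple[str, str, int, str]

# Assumed site addressing for the example; a real deployment would list every
# control-network range so that anything outside them counts as "off-site".
SITE_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]

# Constructed flow summaries in the style of NetFlow / Zeek conn logs, learnt
# during a period known to be clean. None of these are real captures.
BASELINE_FLOWS = [
    Flow("10.1.1.10", "10.1.2.20", 502, "tcp"),    # HMI polls PLC over Modbus/TCP
    Flow("10.1.1.10", "10.1.2.21", 502, "tcp"),
    Flow("10.1.1.11", "10.1.1.10", 4840, "tcp"),   # historian reads HMI via OPC UA
    Flow("10.1.1.10", "10.1.1.5", 53, "udp"),      # DNS to the site resolver
]

# Constructed later window: the usual poll plus an engineering workstation that
# starts beaconing outside the site and sweeping the PLC subnet on TCP/135.
WINDOW_FLOWS = [
    Flow("10.1.1.10", "10.1.2.20", 502, "tcp"),
    Flow("10.1.1.12", "203.0.113.7", 443, "tcp"),
    Flow("10.1.1.12", "10.1.2.20", 135, "tcp"),
    Flow("10.1.1.12", "10.1.2.21", 135, "tcp"),
    Flow("10.1.1.12", "10.1.2.22", 135, "tcp"),
]


def learn_baseline(flows: Iterable[Flow]) -> Set[Key]:
    """Whitelist every conversation seen during the clean learning window."""
    return {tuple(f) for f in flows}


def is_onsite(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_NETWORKS)


def detect(flows: Iterable[Flow], baseline: Set[Key],
           scan_threshold: int = 3) -> Dict[str, object]:
    """Flag flows absent from the baseline; no knowledge of any malware needed.

    new_flows: every (src, dst, dport, proto) never seen in the baseline
    offsite:   new flows whose destination lies outside SITE_NETWORKS
    scanners:  sources that reached >= scan_threshold new destinations
    """
    new_flows: List[Flow] = []
    offsite: List[Flow] = []
    new_dsts: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if tuple(f) in baseline:
            continue
        new_flows.append(f)
        new_dsts[f.src].add(f.dst)
        if not is_onsite(f.dst):
            offsite.append(f)
    scanners = {src: len(d) for src, d in new_dsts.items()
                if len(d) >= scan_threshold}
    return {"new_flows": new_flows, "offsite": offsite, "scanners": scanners}


if __name__ == "__main__":
    report = detect(WINDOW_FLOWS, learn_baseline(BASELINE_FLOWS))
    for f in report["new_flows"]:
        print("NEW  ", f)
    for f in report["offsite"]:
        print("OFFSITE", f)
    for src, n in report["scanners"].items():
        print(f"SCAN  {src} reached {n} new destinations")
```

The approach only works if the baseline is learnt while the network is actually clean, so a monitor that learns after an intrusion will whitelist the attacker's traffic; and every planned change (a new historian, a maintenance laptop) must be added to the baseline deliberately, otherwise operators learn to ignore the alerts.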

Energetic Bear showed just how many holes there are in the sector's security; now the sector must show that it can close them.

Follow Adam Leach on Google+
