HAVEX, Dragonfly, Energetic Bear
This threat, believed to be based in Eastern Europe, has systematically targeted sensitive industries for years, with a particular focus on energy and engineering – including suppliers and users of Industrial Control Systems (ICS) software.
We have been investigating intrusions from this actor since 2011. While earlier campaigns attempted to collect commercial information relating to oil and gas pricing, there are indications that the group has recently shifted its focus. Recent attack code was found which targets ICS software – the sort of technology which runs our utilities, transport, and manufacturing systems.
As was recently revealed by Finnish anti-virus company F-Secure (http://www.f-secure.com/weblog/archives/00002718.html), the malicious code is designed to extract information using ICS-specific protocols, and would likely allow the attacker to tamper with these systems as well. Although no such interference has been seen in the cases reported here, external interference with sensitive control systems could clearly have catastrophic consequences.
Recent intrusions by this group have exploited the trust companies place in their supply chain – specifically, the attackers have been compromising legitimate software installers provided by multiple ICS vendors.
Trojanised legitimate software is a particularly challenging threat vector for organisations to defend against – such software would likely pass through existing firewalls and control processes without in-depth inspection, because it arrives from a trusted source through an expected channel. As sophisticated attackers expand their repertoire of intrusion techniques we are seeing more exploitation of trusted relationships, including watering-hole attacks, supplier portals, VPN connections and trojanised updates.
So how can organisations defend against such advanced and covert attacks?
Countering these threats requires a multi-pronged approach. We recommend organisations integrate industrial systems as a core part of their cyber security lifecycle by:
- Assess risk jointly across industrial and information systems, feeding contextual and technical intelligence into the process
- Enable connectivity, but keep strong segregation between systems by using gateways that whitelist the protocols and messages passing between segments
- Monitor across information and industrial systems, and integrate threat intelligence and analytic-based detection techniques that do not rely on pre-existing trusted relationships, so that intrusions are detected early
- Ensure you understand how to respond to attacks on critical systems when defences are bypassed by advanced adversaries – have a clear plan in place and run regular exercises
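The segregation point above calls for a gateway that permits only known-good protocol messages between segments, rather than whole protocols or ports. The following is an added example written for this page, not code from the original post or from any vendor: it models the allow/drop decision of such a gateway for Modbus/TCP, which is assumed here as a representative ICS protocol (the post names none). The zone names, the policy table and the sample frames are all constructed for the demonstration; socket handling is left out so the decision logic stands alone.

```python
"""Message-level allowlisting for Modbus/TCP at an IT/OT boundary.

Added example: the decision logic of a "whitelisting gateway" in the sense of
the recommendations above. Modbus/TCP is assumed as a representative ICS
protocol; zone names and the policy are illustrative. Default is drop.
"""
import struct
from dataclasses import dataclass

# Modbus public function codes (Modbus Application Protocol Specification).
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

READ_ONLY = frozenset({READ_COILS, READ_DISCRETE_INPUTS,
                       READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS})
ADDRESS_QUANTITY = READ_ONLY | {WRITE_MULTIPLE_REGISTERS}   # PDU starts addr, qty
SINGLE_WRITE = frozenset({WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER})  # addr, value

# Illustrative policy: (source zone, unit id) -> permitted functions and registers.
# Here a historian in the DMZ may only read registers 0..99 of PLC unit 1.
POLICY = {
    ("dmz-historian", 1): {"functions": READ_ONLY, "registers": range(0, 100)},
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int


def build_frame(transaction_id, unit_id, function_code, payload):
    """Build a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.
    The MBAP length field counts the unit id plus the PDU bytes."""
    pdu = bytes([function_code]) + payload
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame):
    """Parse the MBAP header and an address/quantity style PDU.
    Any inconsistency raises ValueError; the gateway drops on parse failure."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc, pdu = frame[7], frame[8:]
    if fc in ADDRESS_QUANTITY:
        if len(pdu) < 4:
            raise ValueError("PDU too short for address and quantity")
        start, qty = struct.unpack(">HH", pdu[:4])
    elif fc in SINGLE_WRITE:
        if len(pdu) != 4:
            raise ValueError("single-write PDU must be address plus value")
        start, qty = struct.unpack(">H", pdu[:2])[0], 1
    else:
        raise ValueError(f"function code 0x{fc:02x} not modelled")
    if qty < 1:
        raise ValueError("quantity must be at least 1")
    return ModbusRequest(tid, unit, fc, start, qty)


def gateway_decision(source_zone, frame, policy=POLICY):
    """Return (allowed, reason). Only a message matching an explicit rule on
    source zone, unit id, function code and register range is passed."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"drop: malformed ({exc})"
    rule = policy.get((source_zone, req.unit_id))
    if rule is None:
        return False, f"drop: no rule for {source_zone} -> unit {req.unit_id}"
    if req.function_code not in rule["functions"]:
        return False, f"drop: function 0x{req.function_code:02x} not permitted"
    last = req.start_address + req.quantity - 1
    if req.start_address not in rule["registers"] or last not in rule["registers"]:
        return False, f"drop: registers {req.start_address}-{last} outside allowed range"
    return True, f"allow: function 0x{req.function_code:02x} registers {req.start_address}-{last}"


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real network.
    read_ok = build_frame(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))
    write = build_frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 5, 0xBEEF))
    read_far = build_frame(3, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 95, 10))
    for zone, frame in [("dmz-historian", read_ok), ("dmz-historian", write),
                        ("dmz-historian", read_far), ("corp-laptop", read_ok),
                        ("dmz-historian", read_ok[:5])]:
        print(zone, gateway_decision(zone, frame)[1])
```

The point of checking the function code and register range, not just the TCP port, is that a compromised host in the IT segment speaks perfectly valid Modbus; a port-level firewall would pass its write commands. Malformed frames are dropped rather than forwarded, so a parser mismatch can never become a bypass.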
In terms of immediate action, we recommend that organisations search their estate for the indicators that have been published relating to this threat actor. If you believe your security has been breached, consider the current state of the attack before taking any action. If damage is already underway, taking no action may let the problem escalate; if the attacker is still in the early stages, visible defensive action may alert them and prompt them to accelerate the attack.
Download our appendix, which contains indicators your network defence team can use to discover potential malicious activity.
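As an added example of the kind of sweep described above, written for this page rather than taken from the original post or its appendix, the script below walks a directory tree and matches files against the two indicator types such appendices typically carry, SHA-256 hashes and file names. Every indicator value and sample file in it is constructed for the demonstration and is not a real indicator for this actor; in use, the sets would be populated from the published appendix. The sweep is deliberately read-only, in keeping with the advice above to understand the state of an intrusion before acting on it.

```python
"""Read-only sweep of a directory tree for published file indicators.

Added example, not code from the original post or its appendix. Indicator
values and sample files are constructed stand-ins, not real indicators.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20        # hash in 1 MiB chunks so large files are not read into memory
MAX_HASH_SIZE = 256 << 20   # do not hash files above 256 MiB; their names are still checked


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, hash_iocs, name_iocs):
    """Walk root and return (relative path, indicator type, indicator) per match.

    hash_iocs: hex SHA-256 digests; name_iocs: file names. Both are matched
    case-insensitively. Symlinks are not followed and unreadable files are
    skipped so one bad entry does not abort the whole sweep.
    """
    root = Path(root)
    hash_iocs = {h.lower() for h in hash_iocs}
    name_iocs = {n.lower() for n in name_iocs}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            if name.lower() in name_iocs:
                hits.append((rel, "filename", name.lower()))
            try:
                if path.stat().st_size > MAX_HASH_SIZE:
                    continue
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in hash_iocs:
                hits.append((rel, "sha256", digest))
    return hits


# Constructed stand-ins for what a published appendix would list.
SAMPLE_TROJANISED_BYTES = b"constructed stand-in for a trojanised installer\n"
SAMPLE_NAME_IOCS = {"sample_ioc.dll"}


def demo():
    """Build a small constructed tree in a temporary directory and sweep it."""
    # In real use the hash set comes from the appendix; here it is derived
    # from the constructed sample so the demonstration is self-contained.
    hash_iocs = {hashlib.sha256(SAMPLE_TROJANISED_BYTES).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "docs/readme.txt": b"benign documentation\n",
            "downloads/vendor_setup.exe": SAMPLE_TROJANISED_BYTES,
            "bin/sample_ioc.dll": b"content that matches no hash indicator\n",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return sorted(sweep(root, hash_iocs, SAMPLE_NAME_IOCS))


if __name__ == "__main__":
    for rel, kind, value in demo():
        print(f"{kind:8} {rel}  ({value})")
```

Hash indicators are exact and miss any recompiled or repacked variant, while file-name indicators catch variants but produce false positives, which is why a hit of either kind should be treated as a lead for the incident response process rather than a verdict, and why nothing here quarantines or deletes.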
If you are concerned you may have been a victim of a cyber attack contact our Cyber Incident Response Team on:
UK: 0808 168 6647
Australia: 1800 825 411
International: +44 (0)1483 817491