March 29, 2022

Energy Sector Targeted by Russian Cyber Actors

Industry: Energy | Level: Tactical | Source: Justice.Gov

A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) shares information on Russian state-sponsored threat campaigns against the energy sector from 2011 to 2018. The responsible threat actor, attributed to Russia's Federal Security Service (FSB) and tracked as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala, targeted energy sector organizations in the United States and internationally. The United States Department of Justice (DOJ) has indicted four Russian nationals, employed by the Russian government, for their involvement in hacking campaigns against the global energy sector over roughly the same period. One of the primary malware families used in the campaign was Havex. The threat actor's tactics shifted from spear-phishing campaigns in 2013 to compromising third-party entities associated with their targets in 2016.

A summarized attack chain shared by CISA states, "after obtaining access to the U.S. Energy Sector networks, the actor conducted network discovery, moved laterally, gained persistence, then collected and exfiltrated information pertaining to ICS from the enterprise, and possibly operational technology (OT), environments. Exfiltrated information included: vendor information, reference documents, ICS architecture, and layout diagrams."

Various tactics, techniques and procedures (TTPs) are referenced in the CISA advisory; applicable detections from Anvilogic are listed below. Note that most of these use cases fire on activity legitimate administrators also perform (reconnaissance commands, scheduled tasks, RDP), so they are most useful when correlated per host or per user along the discovery, persistence, credential access and collection stages the attack chain describes, rather than alerted on individually.

  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • Document Execution
    • Common Reconnaissance Commands
    • Common Active Directory Commands
    • Potential Web Shell
    • New AutoRun Registry Key
    • Rare remote thread
    • Create/Modify Schtasks
    • RDP Connection
    • RDP Enabled
    • Windows External Remote Login
    • Windows Firewall Disabled
    • Remote Admin Tools
    • Common LSASS Memory Dump Behavior
    • Command Line lsass request
    • Locate Credentials
    • NTDSUtil.exe execution
    • Clear Windows Event Logs
    • Suspicious Registry Key Deleted
    • Native Archive Commands
    • Utility Archive Data
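As an added illustration (this is example code written for this page, not Anvilogic's rule content and not from the CISA advisory), the block below approximates several of the listed use cases as command-line and parent/child checks over Windows process-creation events, then correlates the hits per host so that a single host showing discovery, persistence, credential access and collection within a short window is flagged, mirroring the summarized attack chain. The rule patterns, the tactic labels, the event field names, and the sample events are all this example's own assumptions and are constructed, not captured from a real incident.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields a Sysmon EID 1 / Security 4688 event provides)."""
    ts: int        # epoch seconds
    host: str
    user: str
    parent: str    # parent image name
    image: str     # created process image name
    cmdline: str


# Rule name -> (tactic label, command-line pattern). Names follow the use cases listed
# above; the patterns are this example's own approximations, not Anvilogic's logic.
RULES = {
    "Common Reconnaissance Commands": ("discovery", re.compile(
        r"\b(whoami|ipconfig|systeminfo|nltest|tasklist|net\s+(view|user|group))\b", re.I)),
    "Common Active Directory Commands": ("discovery", re.compile(
        r'(\bdsquery\b|\badfind\b|net\s+group\s+"domain\s+(admins|computers)"|nltest\s+/dclist)', re.I)),
    "Create/Modify Schtasks": ("persistence", re.compile(
        r"\bschtasks(\.exe)?\b.*\s/(create|change)\b", re.I)),
    "Common LSASS Memory Dump Behavior": ("credential-access", re.compile(
        r"(procdump.*\blsass\b|comsvcs(\.dll)?.*MiniDump)", re.I)),
    "NTDSUtil.exe execution": ("credential-access", re.compile(
        r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    "Windows Firewall Disabled": ("defense-evasion", re.compile(
        r"\bnetsh\b.*firewall.*(state\s+off|opmode\s+(mode=)?disable)", re.I)),
    "Clear Windows Event Logs": ("defense-evasion", re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    "Native Archive Commands": ("collection", re.compile(
        r"\bmakecab(\.exe)?\b|\bcompact(\.exe)?\s+/c\b|\btar(\.exe)?\s+-?c", re.I)),
    "Utility Archive Data": ("collection", re.compile(
        r"\b(7z|7za|rar|winrar)(\.exe)?\s+a\b", re.I)),
}

# "Document Execution": an Office application spawning a shell or script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def detect(events):
    """Return (host, ts, rule_name, tactic) for every rule that fires on each event."""
    hits = []
    for ev in events:
        if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SHELLS:
            hits.append((ev.host, ev.ts, "Document Execution", "initial-access"))
        for name, (tactic, pattern) in RULES.items():
            if pattern.search(ev.cmdline):
                hits.append((ev.host, ev.ts, name, tactic))
    return hits


def correlate_chain(hits, window=3600, min_tactics=3):
    """Flag hosts where at least `min_tactics` distinct tactics fire within `window` seconds.

    One rule alone is noisy (administrators run whoami and create scheduled tasks);
    several stages of the chain on one host in a short span is the stronger signal.
    Returns {host: sorted list of tactics seen in the first qualifying window}.
    """
    by_host = defaultdict(list)
    for host, ts, name, tactic in hits:
        by_host[host].append((ts, tactic, name))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            tactics = {tac for ts, tac, _ in items[i:] if ts - t0 <= window}
            if len(tactics) >= min_tactics:
                flagged[host] = sorted(tactics)
                break
    return flagged


# Constructed sample events for this example: a phish-to-collection sequence on ws01
# and a single benign discovery command on an admin jump host.
SAMPLE_EVENTS = [
    ProcEvent(1000, "ws01", r"corp\jdoe", "outlook.exe", "winword.exe", r'winword.exe /n "invoice.docx"'),
    ProcEvent(1060, "ws01", r"corp\jdoe", "winword.exe", "cmd.exe", "cmd.exe /c whoami /all & systeminfo"),
    ProcEvent(1120, "ws01", r"corp\jdoe", "cmd.exe", "net.exe", r'net group "Domain Admins" /domain'),
    ProcEvent(1300, "ws01", r"corp\jdoe", "cmd.exe", "schtasks.exe",
              r'schtasks /create /tn "Updater" /tr C:\Users\Public\u.exe /sc onlogon'),
    ProcEvent(2200, "ws01", r"corp\jdoe", "cmd.exe", "rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\l.dmp full"),
    ProcEvent(3000, "ws01", r"corp\jdoe", "cmd.exe", "7z.exe",
              r"7z.exe a -pSecret! C:\Users\Public\ics.7z \\fs01\eng\plc_layouts"),
    ProcEvent(3100, "ws01", r"corp\jdoe", "cmd.exe", "wevtutil.exe", "wevtutil cl Security"),
    ProcEvent(5000, "admin-jump", r"corp\itops", "cmd.exe", "whoami.exe", "whoami"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(correlate_chain(detect(SAMPLE_EVENTS)))
```

Run stand-alone, the script lists every rule hit and then reports only ws01 as a chained host; admin-jump, with a lone whoami, is not flagged. Tightening `window` to a minute drops ws01 as well, which is the tuning trade-off between catching a slow, patient actor of this kind and drowning in single-command noise.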