On March 24, 2022, the Department of Justice unsealed two indictments charging four defendants, all Russian nationals working for the Russian government, with “attempting, supporting and conducting computer intrusions that…targeted the global energy sector between 2012 and 2018.” The hacking campaigns were directed at hundreds of companies and organizations in 135 countries.
One of the indictments, United States v. Pavel Aleksandrovich Akulov, et al. (August 2021), details a campaign carried out by three officers of Russia’s Federal Security Service (FSB) and their co-conspirators to compromise the computers of “hundreds of entities related to the energy sector worldwide,” the DOJ said.
The “Center 16” operational unit – also known in the wider cybersecurity community by various names including “Dragonfly,” “Berserk Bear,” “Energetic Bear,” and “Crouching Yeti” – is at the center of the supply chain attacks, the DOJ said.
Center 16 seeks to advance “the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector,” the DOJ said.
Supply chain attacks have been around for years, as the DOJ’s August 26, 2021 indictment shows. In phase one of the campaign, between 2012 and 2014, three Russian computer hackers who were officers in Center 16 carried out the energy sector attacks.
What the supply chain hackers did
In this phase, referred to as “Dragonfly” or “Havex,” the conspirators launched a supply chain attack that compromised the computer networks of ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) system manufacturers and software providers. They then hid the Havex malware inside those vendors’ legitimate software updates, so customers unwittingly downloaded infected updates from a source they trusted. The conspirators used the malware to create backdoors into the infected systems and to scan victims’ networks for additional ICS/SCADA devices, the indictment said.
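The defense against a trojanized update of that kind is for the customer’s updater to verify a vendor signature over the package before running anything it downloaded. The Go program below is an added illustration, not code from the indictment or from any vendor or product named on this page. It assumes a hypothetical manifest format (product, version, SHA-256 of the payload) signed with Ed25519, a vendor public key pinned in the installer, and a constructed sample payload. It walks through three downloads against the same pinned key: the genuine update, the same signed bundle with a backdoored payload swapped in, and a backdoored bundle the attacker re-signed with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small record the vendor actually signs: product metadata
// plus the SHA-256 digest of the update payload. Hypothetical format.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex digest of Payload
}

// canonical fixes field order and separators so that signer and verifier
// sign and verify exactly the same bytes.
func (m Manifest) canonical() []byte {
	return []byte("product=" + m.Product + "\nversion=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignedUpdate is the bundle a customer fetches from the vendor's update server.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte // Ed25519 signature over Manifest.canonical()
	Payload   []byte // the installer or firmware image itself
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("payload digest does not match the signed manifest")
)

// SignUpdate models the vendor's release step. In practice priv lives in an
// HSM or signing service, never on the server that distributes the files.
func SignUpdate(priv ed25519.PrivateKey, product, version string, payload []byte) SignedUpdate {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.canonical()), Payload: payload}
}

// VerifyUpdate is the check a customer's updater must run before executing
// anything it downloaded. The vendor key is pinned in the installer, so a key
// served next to the update carries no trust. Signature first, then digest:
// a swapped payload under a genuinely signed manifest fails the second check.
func VerifyUpdate(pinned ed25519.PublicKey, u SignedUpdate) error {
	if !ed25519.Verify(pinned, u.Manifest.canonical(), u.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != u.Manifest.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// RunScenario plays out the three downloads and returns each verification result.
func RunScenario() (genuine, swapped, resigned error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a vendor's installer image.
	payload := []byte("OPC-client-setup v2.4.1 (constructed sample payload)")
	update := SignUpdate(vendorPriv, "opc-client", "2.4.1", payload)
	genuine = VerifyUpdate(vendorPub, update)

	// An intruder on the download server replaces the file but leaves the
	// vendor-signed manifest in place.
	trojan := append([]byte(nil), payload...)
	trojan = append(trojan, []byte(" + backdoor")...)
	tampered := update
	tampered.Payload = trojan
	swapped = VerifyUpdate(vendorPub, tampered)

	// The intruder also re-signs a fresh manifest, but only with their own key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	resigned = VerifyUpdate(vendorPub, SignUpdate(attackerPriv, "opc-client", "2.4.1", trojan))
	return genuine, swapped, resigned
}

func main() {
	g, s, r := RunScenario()
	fmt.Println("genuine update:    ", g)
	fmt.Println("swapped payload:   ", s)
	fmt.Println("attacker re-signed:", r)
}
```

Two caveats follow directly from the scenario: the check only helps if the signing key is kept off the systems that distribute the updates, and pinning the vendor key in the installer is what stops an attacker from simply serving a replacement key beside the replacement file.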
By using spear phishing and watering hole attacks as well as other tactics, the conspirators installed malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies, the DOJ said.
In the second phase (2014-2017), referred to as “Dragonfly 2.0,” the conspirators focused on specific energy sector organizations and on individuals who worked with ICS/SCADA systems, according to the indictment. The targets included more than 3,300 users at over 500 U.S. and international companies and entities, as well as U.S. government agencies such as the Nuclear Regulatory Commission.
In some instances the spearphishing attacks succeeded, though the computers compromised were not directly connected to ICS/SCADA equipment, the DOJ said.
“In some cases, the spearphishing attacks were successful, including in the compromise of the business network…of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.”
--Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide, Department of Justice, March 24, 2022
During the Dragonfly 2.0 phase, the conspirators also conducted a watering hole attack: using publicly known vulnerabilities in content management software, they compromised servers hosting websites commonly visited by ICS/SCADA system engineers. “When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers,” the DOJ said.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already released numerous Technical Alerts about Russia’s recent malicious cyber activities and the campaigns discussed in the indictments.
Businesses can protect themselves against threat actors like these by implementing a robust machine identity management program. A trojanized update of the Havex kind succeeds only when customers cannot tell a vendor’s genuine build from a tampered one, which is exactly what a protected code signing process is meant to rule out. Solutions such as Venafi CodeSign Protect help organizations protect the code signing machine identities used to secure their software across the extended enterprise. As part of the Trust Protection Platform, CodeSign Protect powers enterprise solutions that give you the visibility, intelligence and automation to protect your software infrastructure.
If you wish to learn more, reach out to one of our experts. They will be glad to answer all your questions.