Who are they?
Energetic Bear is an Advanced Persistent Threat (APT) group whose targets lie mostly within the energy sector. In addition to the energy sector, they have also targeted organizations in other verticals such as aviation and defense. The countries targeted by this group were the US, Canada, Spain, France, Italy, Germany, Turkey and Poland. Their attacks are carried out via methods such as spear phishing, watering holes, remote access tools and trojanized software (Symantec, 2014). While some researchers state that the group operates in Eastern Europe (Symantec, 2014), others have been more confident and specific, suggesting that this threat actor is directly connected to the Russian Government. It is believed that the objective of the Russian Government is to promote Russia's national economic interest, along with helping its industries to maintain competitiveness in key areas of national importance (Finkle, 2014).
The Big Picture Implication
Groups like Energetic Bear pose a clear and present threat to our Critical Infrastructures and hence to our National Security. By successfully penetrating organizations within our Energy Sector, this group may be in a position to control the amount of heat we get in our homes during the winter, blow up a nuclear energy facility or even flood a hydro dam. While the primary impact may be physical destruction, the secondary and other consequential damages can be devastating. For any of the above, there can be significant loss of life, significant economic loss and/or mass hysteria. Communications systems can be affected, preventing emergency services personnel from being able to perform their duties. The Energy Sector is basically the engine that drives the other 15 Critical Infrastructure Sectors, and any threat that reduces its effectiveness and/or the quality of its output immediately affects the input to those 15 other sectors. A 30-minute power outage is said to cost business around US$15,709. Shorter blackouts, which occur several times a year in the United States (US), are reported to cause an annual economic loss of between US$104 and US$164 billion (agcs.allianz.com, n.d.). The significance of these numbers shows that, in any situation where the real owners and operators of these infrastructures do not have full control of their systems, the consequences of someone malicious gaining control cannot be overstated.
What should be done about this group?
The ultimate objective when dealing with groups like Energetic Bear would be to work with the Governments and owners of Critical Infrastructures, along with the rest of the security community, combining efforts towards dismantling the group or creating initiatives which may reduce its effectiveness. However, one should be aware that it can be very difficult to attribute attacks in cyber space (Schneier, 2015). As can be seen above, Symantec suggested that the group operates out of Eastern Europe (giving Symantec a broad territory), while CrowdStrike was more specific, claiming it was the Russian government.
While dismantling the group would be very nice to achieve, the reality is that we need to make a greater effort at securing our systems and critical infrastructures. The vulnerabilities exploited by Energetic Bear (CVE-2013-2465, CVE-2013-1347 and CVE-2012-1723 in Java 6, Java 7, IE 7 and IE 8) (kasperskycontenthub.com, n.d.) were already known and should have been patched. If for business reasons these devices were or are unable to be patched, all efforts should be made to ensure the relevant technical and/or administrative controls are in place to mitigate any attacks destined for these hosts. However, since Energetic Bear exploits Internet Explorer (IE) and Java, both well-known client-side applications, I will conclude that business reasons may not have been the primary reason why these devices were unpatched.
Some of the technical controls which may work in these situations are reducing and/or eliminating the use of administrative credentials, implementing Intrusion Prevention Systems (IPS) which should block this communication from being successful, and/or Security Information and Event Management (SIEM) solutions which can help to store logs, correlate data and alert on potential threats if they were successful. While these solutions may not prevent these attacks, they do help an organization to understand the scale of the attack if and/or when it has been successfully targeted and compromised, while also reducing its attack surface.
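As an added illustration of the detection side of the controls described above (example code written for this page, not code from the original essay or from any vendor), the following Python script applies a simple SIEM-style correlation rule to constructed web proxy log lines: it identifies hosts whose outbound requests carry a Java 6/7 or Internet Explorer 7/8 user agent, the client-side software the essay says should have been patched, and raises one alert per host. The log format, IP addresses and user-agent strings are constructed for the example; a real deployment would read the organization's own proxy logs, and the exact builds affected by the CVEs named above must be taken from the vendor advisories rather than from this family-level match.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for the example (not from the original page).
# Format assumed here: <timestamp> <client_ip> <http_status> <url> "<user-agent>"
SAMPLE_LOG = """\
2014-07-01T08:15:02Z 10.1.2.3 200 http://intranet.example/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2014-07-01T08:15:09Z 10.1.2.3 200 http://updates.example/app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"
2014-07-01T08:16:44Z 10.1.2.7 200 http://intranet.example/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
2014-07-01T08:17:30Z 10.1.2.9 302 http://vendor.example/ "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_45"
2014-07-01T08:18:01Z 10.1.2.9 200 http://intranet.example/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
garbage line that a real log feed will occasionally contain
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')

# The essay names Java 6, Java 7, IE 7 and IE 8 as the exploited client-side
# software. These patterns match the product family only; which specific builds
# are affected by CVE-2013-2465, CVE-2013-1347 and CVE-2012-1723 must come from
# the vendor advisories, not from this rule.
JAVA_RE = re.compile(r"\bJava/1\.(6|7)\.0(?:_\d+)?\b")
MSIE_RE = re.compile(r"\bMSIE (7|8)\.0\b")


def classify_agent(user_agent):
    """Return a label such as 'java7' or 'ie8' for a flagged user agent, else None."""
    m = JAVA_RE.search(user_agent)
    if m:
        return "java" + m.group(1)
    m = MSIE_RE.search(user_agent)
    if m:
        return "ie" + m.group(1)
    return None


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, status, url, ua = m.groups()
    return {"ts": ts, "ip": ip, "status": int(status), "url": url, "ua": ua}


def find_unpatched_clients(lines):
    """Correlate flagged user agents per client IP. Returns {ip: set(labels)}."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crashing the rule
        label = classify_agent(rec["ua"])
        if label:
            findings[rec["ip"]].add(label)
    return dict(findings)


def build_alerts(lines):
    """One SIEM-style alert per host, sorted so output is deterministic."""
    findings = find_unpatched_clients(lines)
    return [
        f"ALERT unpatched-client host={ip} software={','.join(sorted(labels))}"
        for ip, labels in sorted(findings.items())
    ]


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running the script on the constructed log reports two hosts (10.1.2.3 with IE 8 and Java 7, 10.1.2.9 with IE 7 and Java 6) and ignores the Firefox host and the malformed line. The same per-host aggregation is what lets a SIEM turn many individual log lines into a short list of machines to patch or isolate.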
Conclusion
Attribution in cyber space is very difficult, which makes justified retaliation extremely hard. Similarly, defense is harder than offense, so we need to ensure we are recording as much relevant information as possible, wherever possible. From a big picture perspective, these groups pose a clear and present threat to Critical Infrastructures and hence to National Security. Containing APT threat actors like Energetic Bear may be difficult, so protecting our infrastructure and systems through either prevention or detection solutions should be paramount.
References
kasperskycontenthub.com. (n.d.). Retrieved from https://kasperskycontenthub.com/securelist/files/2014/07/EB-YetiJuly2014-Public.pdf
agcs.allianz.com. (n.d.). Retrieved from http://www.agcs.allianz.com/insights/expert-risk-articles/energy-risks/
Finkle, J. (2014, January 22). Retrieved from reuters.com: http://www.reuters.com/article/2014/01/22/us-russia-cyberespionage-idUSBREA0L07Q20140122
Schneier, B. (2015, January 8). Retrieved from schneier.com: https://www.schneier.com/blog/archives/2015/01/attack_attribut.html
Symantec. (2014, June 30). Retrieved from symantec.com: http://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group