The Energetic Bear APT group has been active since at least 2010 most of the victims of the group are organizations in the energy and industrial sectors.
In March 2018, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.
A week later, the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.
The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it labels the attackers as “Russian government cyber actors.”
“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.
“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”
The analysis of indicators of compromise (IoCs) shows the Dragonfly threat actor is still very active and its attacks are ongoing.
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”
“The main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes – to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group’s main targets.” reads the report published by Kaspersky.
Most of the compromised servers were used in waterhole attacks, the others were used to host hacking tools or as a repository for data exfiltrated from target machines.
The servers analyzed by Kaspersky were located in several countries, including Russia, Ukraine, UK, Germany, Turkey, Greece, and the United States.
Below the full list of compromised servers:
|Country||Description||Role in the attack|
|Russia||Opposition political website||Waterhole|
|Real estate agency||Auxiliary (collecting user data in the waterhole attack)|
|Developer and integrator of secure automation systems and IS consultant||Waterhole|
|Developers of software and equipment||Auxiliary (collecting user data in the waterhole attack, tool hosting)|
|Investment website||Auxiliary (collecting user data in the waterhole attack)|
|Ukraine||Electric power sector company||Waterhole|
|Germany||Software developer and integrator||Waterhole|
|Unknown||Auxiliary (collecting user data in the waterhole attack)|
|Turkey||Oil and gas sector enterprise||Waterhole|
|Greece||Server of a university||Auxiliary (collecting user data in the waterhole attack)|
|USA||Oil and gas sector enterprise||Waterhole|
|Unknown||Affiliate network site||Auxiliary (collecting user data in the waterhole attack)|
All the servers involved in waterhole attacks were infected following the same pattern, attackers injected a link into a web page or JS file with the following file scheme: file://IP/filename.png.
The injected link is used to request an image on a remote server over the SMB protocol, with this trick attackers are able to extract victims’ user IP, username, domain name, and NTLM hash of the user’s password.
Experts observed the compromised servers were also used to conduct attacks on other resources by using several tools to scan websites and servers located in Russia, Ukraine, and Turkey, with Brazil, Georgia, Kazakhstan, Switzerland, U.S., France, and Vietnam.
“Compromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).” continues the report.
“The sites and servers on this list do not seem to have anything in common. Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers’ tools and, subsequently, to develop the attack.
Part of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.”
The analysis of the server used by the Energetic Bear APT revealed that many of them were used to host open-source tools, including Nmap (network analysis), Dirsearch (brute forcing directories and files on websites), Sqlmap (SQL injection exploitation), Sublist3r (enumerates website subdomains), Wpscan (WordPress vulnerability scanner), Impacket, SMBTrap, Commix (vulnerability search and command injection), Subbrute (subdomain enumeration), and PHPMailer (mail sending).
On one server Kaspersky has found a Python script named ftpChecker.py that was used for checking FTP hosts from an incoming list.
The server also contains a series of malicious php files in different directories in the nginx folder and in a working directory created by attackers on an infected web server. Experts also discovered a modified sshd with a preinstalled backdoor that is similar to a tool publicly available on GitHub that can be compiled on any OS.
“As a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a ‘master password’ to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).” continues Kaspersky.
“In addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the ‘master password’), including connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.”
According to Kaspersky, the use of publicly available tools makes hard the attribution of the infrastructure to a specific threat actor.
“The diversity of victims may indicate the diversity of the attackers’ interests. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development,” Kaspersky concludes.