Energetic Bear Malware Targets Industrial Energy Operations

Last week, we reported on a new form of malware called Havex, a program which embeds itself into the websites of industrial control systems in order to secretly monitor daily operations on large scale government infrastructure projects.

Photo: Lisa S / Shutterstock

Primarily targeting nuclear facilities and hydroelectric power generation sites, Havex was capable of launching remote trojans into pre-programmed SCADA systems at will, as well as tracking workers from the time they showed up at a plant to the time they clocked out and worked on their computers at home.

By targeting specific members of the workforce rather than the internal network itself, Havex was able to bridge the air gaps that are designed to prevent external threats from penetrating internal networks.

Now a fresh report has been released which suggests Havex was not an isolated scenario, but rather just one of several different pieces of malware that a hacking group known only as ‘Dragonfly’ has been distributing to vital pieces of energy infrastructure in the US and in at least six European countries which have yet to be named in the investigation.

Symantec, which has taken up the reins this time around on monitoring the malware and following its distribution cycle, says that due to the sophisticated nature of the code and the targets it chooses to attack, it’s likely that Energetic Bear (another Havex variant) was developed by a state-sponsored team of engineers, though the company declined to elaborate on who until it was able to gather more specifics.

They did, however, report that the servers which maintain the command and control networks seem to be most active from the hours of 9am to 6pm in Eastern Europe, which could suggest (but not confirm) that the Russian government has been dipping its toes into the pools of cyberwarfare in response to the reveal of the Stuxnet virus in 2010.

Photo: Symantec

This theory lines up pretty well, considering Energetic Bear’s age. Researchers claim the malware has been active since sometime in early 2011, which would put just around half a year between itself and the initial reveal of the US’ cooperative effort with Israel to disable and dismantle uranium enrichment centrifuges at a secret base somewhere in Iran.

“This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems,” the Symantec report stated. “While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.”

Overall, the implications of Havex, Energetic Bear, and Dragonfly are unnerving, to say the least. With such a massive gap in security between major energy operations and the companies they depend on to keep their PLCs (programmable logic controllers) up to date, it’s clear that much of what we thought was secure can be easily subverted through what amounts to little more than basic social engineering tactics that most hackers can master on their first day in class.