Saturday, May 10, 2014
Red Sky Weekly: Energetic Bear, Cyber-burkut
We turn our attention this week to cyber activities originating from Russia.
In September 2013, both CrowdStrike and Cisco published findings of watering-hole attacks believed targeting the energy sector. Crowdstrike named this actor set "Energetic Bear". According to CrowdStrike, "ENERGETIC BEAR is an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims with a primary focus on the energy sector."
While apparently focused on the energy sector, other victimized industry sectors were also called out in the CrowdStrike report.
• European government;
• European, U.S., and Asian academia
• European, U.S., and Middle Eastern manufacturing and construction industries
• European defense contractors
• European energy providers
• U.S. healthcare providers
• European IT providers
• European precision machinery tool manufacturers; and
• Research institutes.
This week Wapack Labs released Fusion Report 14-014 on Energetic Bear. State sponsorship of this group is unknown, so the activity is being classified as "APT-like" tactics techniques and procedures (TTPs). Wapack Labs identified and analyzed dozens of new and legacy first-stage (meaning, tools used in the first compromise) and second stage backdoors associated with this activity as well as a portion of compromised infrastructure. As part of our report, we were able to identify new tools and targets, and provide tailored mitigations for the new Energetic Bear TTPs.
The energy sector is known to be widely targeted. Not just in the US, but around the world. And the ability to steal intellectual property from others means less money spent on research and development of new, more efficient means of generating or distributing energy, less money spent on finding new places to drill for oil, and potentially in more harsh scenarios, the ability to divert, disrupt, or destroy the movement of energy. Every business plan, every project plan, and every piece of analysis that's used to derive how investments will be made exist in investment firms. Companies needing money tell investment firm researchers everything --and oil and gas companies are no different. The movement toward targeting investment firms associated with oil and gas should come as no surprise, but the use of new tools targeting them, is indeed believed new.
Cyber-burkut is not new. It's been reported many times in the past. But in this case, Wapack Labs analysts believe the cyber-burkut may be a low level information operation campaign targeting the citizens of the Ukraine. And why not? Cyber is the perfect vehicle to affect the opinions of a LOT of people, and such a simple, grass roots effort can be not only effective, but inexpensive.
Staging for a new round of distributed denial of service (DDOS) activities appears to be taking place. "Cyber-berkut" is a hactivist movement much like others. Protesters are being urged to download an application to their computers. The application then makes their computer part of the network used to launch denial of service attacks against government and corporate websites. The website associated with the activity leverages patriotism in Russia by asking everyday people to take part in a cyber war toward the Ukraine. For several reasons, Wapack Labs also believes (medium confidence) this activity to be state sponsored. "Burkut" for reference is the name for a special police unit inside the Ukraine. The name has now been adopted by pro-Russian police forces in Crimea.
This is a slightly different format than you're used to from me, but I thought it would be good to report 'meat' for a while instead of Stutzman ranting about information sharing, the need for intelligence, and what's happening in the world.
And as mentioned before, Wapack Labs is the analytic engine behind Red Sky Alliance. Crowdsourcing, coupled with a dedicated team of folks in the lab are there so when you ask a question, and someone else doesn't already know the answer (which is rare), we have a group of folks dedicated to doing the analysis and answering the questions. In doing so, we've become really good at it.. and now offer these intelligence and analysis services as an service. We're not incident responders. We refer those who need services to partners who provide them --Red Sky Alliance members, whom we believe to be trusted, and are peer reviewed in the portal.
Need intel and analysis? Call us. Want it in a collaborative portal? We have that. Just want a subscription? We can do that too. Tell us what you need. We'll write it, and deliver it in just about any form you need it. We're heading toward STIX as we speak, cleaning up internal tagging before converting it all over, but even now, our MD5s are converted to STIX and we're looking at hosting solutions for new push/pull mechanisms. Stay tuned. We've got big things happening!
Want to know more about Wapack Labs? Drop us a note, or add your name to our list. We'll keep you up to date!
Until next time,
Have a great week!