Relive the Cold War, for fun and profits!

Illustration for article titled Relive the Cold War, for fun and profits!

It could be a news item from 1956, if not for the fact that it played out on the Internet.


According to cybersecurity firm Crowdstrike (tagline "You Don't Have a Malware Problem, You Have an Adversary Problem") the Russian government has been spying on American corporations for years and handing the results of this industrial espionage over to Russian companies. In essence, the Russian government is acting as the spying arm of Russian corporate interests, apparently for free and out of nothing more than a patriotic urge to support their fellow citizens.


"These attacks appear to have been motivated by the Russian government's interest in helping its industry maintain competitiveness in key areas of national importance," Crowdstrike CTO Dmitri Alperovitch told Reuters. He went on to say that while his company has previously fingered China in similar attacks, this is the first case where the government of Russia has specifically targeted corporations. "They are copying the Chinese play book. Cyber espionage is very lucrative for economic benefit to a nation."


According to Crowdstrike's Global Threat Report [PDF], they have identified an actor in the cyberwarfare field as "ENERGETIC BEAR, an adversary with a nexus to the Russian Federation, [who] targeted a variety of government and research targets, as well as a large number of energy sector targets. This actor used an advanced implant with several unique characteristics; additionally, they leveraged several unique toolsets and secondary implants to pursue R&D and strategically valuable information." In the report itself, they are careful to claim that Energetic Bear only has "a nexus to the Russian Federation" rather than identifying it directly as the government. They also said it "is operating out of Russia, or at least on behalf of Russia-based interests, and it is possible that their operations are carried out with the sponsorship or knowledge of the Russian state." They claim to have been able to trace the actions of this entity as far back as 2011, and they identify it as deeply involved with the rash of attacks on energy sector targets in September of 2013.

That all speaks of a degree of sophistication, longevity, and complexity that is well beyond what civilian teams or any one individual can typically achieve. There is clearly a team behind this, a team with many and deep skill sets, a unified goal, and a timeline that spans years. These are all characteristics of government or military missions rather than typical hacker crew or for-hire teams.


The method employed by so-called Energetic Bear is what's called a "watering hole" attack, where a website popular with the target is identified — like a professional association's website, or an industry-specific news site — and the attacker goes after that site. This way, the attacker routes around the protections the target has built into their own site, rendering them irrelevant. Then, when the target goes to that website, he is compromised, and the game is on.

In addition to watering hole attacks, Crowdstrike reports that Energetic Bear uses exploits in Adobe Reader, which is unsettling to read in a PDF document one is reading in...Adobe Reader.


The primary target was, as mentioned, the energy sector. Russia is the largest exporter of oil and gas to the EU, so the industry is of key importance to the government. To all governments, in fact.

The watering hole attacks injected the targets with one of two bits of code: HAVEXRAT or SYSMain RAT. RAT technology, short for Remote Administration Tools, has mainly hit the press for its use by creepers to snag webcam video of naked women. It is, however, an incredibly powerful tool that gives an intruder access to everything on your computer that you have access to, without you knowing. It's the same kind of technology that enables Microsoft to scan your system for bugs or pirated software and take action, although they are more polite and ask permission.


Crowdstrike says they have traced different iterations of those two RAT types back through 25 different versions, the most recent version of HAVEX RAT dating to October of 2013. Once the infection is in place it does three things: seeks out information about the infected computer like it's operating system, file directories, etc; nabs passwords and other info that the computer user inputs around the web from the point of infection forward; communicates with other computers secretly and stores and executes instructions from an outside source. It's every sysadmin's nightmare in one package.

They have identified infected computers in the US, Japan, Poland, Greece, Romania, Spain, France, Turkey, China, Germany, and 12 other countries. Victims were in the US energy sector, European government; European, U.S., and Asian academia; European, U.S., and Middle Eastern manufacturing and construction industries; European defense contractors; European energy providers; U.S. healthcare providers; European IT providers; European precision machinery tool manufacturers; and research institutes. "Targeted entities and countries are consistent with likely strategic interests of a Russia-based adversary," says Crowdstrike, while also pointing out that they did find a few infected computers within the Russian Federation itself. A Russian origin for the Energetic Bear attacks is supported by the fact that the infected computers' covert activity peaks corresponds with Russian work hours.


So, a force whose parameters fit a government/military profile has been infecting computers belonging to US energy sector companies, stealing passwords, snooping files, and installing unknown software. What could possibly go wrong?

Currently, Europe gets about a fifth of its natural gas from Russia, via the Ukraine. Given the long-simmering and currently exploding unrest in Ukraine, the more advantages the Russian energy sector can gain, the better, from a Russian standpoint at least. Conflicts over the gas market have dominated Ukrainian/Russian relations for many years, threatening peace in the region. Russia cannot afford to lose the Ukraine, both as a market and as a pipeline to the lucrative European markets.


But there's not much the Russian Federation can do about the biggest threat to its energy industry: the out-of-control uprising in exactly the spot where it threatens to block Russian gas shipments to its biggest client, the EU.

It does no good to underbid American interests if you cannot then get the product to the customer.

Share This Story

Get our newsletter