Energy Sector Targeted by Russian Cyber Actors
A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) shares information on Russian state-sponsored hackers conducting various threat campaigns against the energy sector from 2011 to 2018. The responsible threat actor, the FSB (also tracked as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala), carried out the attacks, targeting energy sectors in the United States and internationally. The United States Department of Justice (DOJ) has indicted four Russian nationals, employed by the Russian government, for their involvement in hacking campaigns against the global energy sector between 2021 and 2018. One of the primary malware families used in the campaign was Havex. The threat actor's tactics shifted from conducting spear-phishing campaigns in 2013 to compromising third-party entities associated with their targets in 2016. A summarized attack chain shared by CISA states, "after obtaining access to the U.S. Energy Sector networks, the actor conducted network discovery, moved laterally, gained persistence, then collected and exfiltrated information pertaining to ICS from the enterprise, and possibly operational technology (OT), environments. Exfiltrated information included: vendor information, reference documents, ICS architecture, and layout diagrams." Various tactics, techniques, and procedures (TTPs) are referenced in the CISA advisory, with applicable detections from Anvilogic provided below.