Researchers Analyze Servers Compromised by Russian Hackers

Researchers from Kaspersky Lab ICS CERT have analyzed servers compromised by the infamous threat actor known as Energetic Bear in recent years.

Active since at least 2010, the group is also referred to as Dragonfly and Crouching Yeti, and has been mainly focused on companies in the energy and industrial sectors. Following an alert in October 2017 on ongoing attacks from the group, a March 2018 advisory from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) linked the group to the Russian government.

In a separate report last month, endpoint security firm Cylance revealed that the hackers compromised a Cisco router and abused it to steal credentials that allowed them to set up attacks targeting energy companies in the United Kingdom.

The servers Kaspersky researchers analyzed are distributed worldwide: Russia, Ukraine, UK, Germany, Turkey, Greece, and the United States. Most of the compromised servers were used to launch waterhole attacks, while the rest were used to collect user data in those attacks, and some also to host tools.

As part of these attacks, the group attempted to extract various data from the user’s connection to the waterhole, such as user IP, user name, domain name, and NTLM hash of the user’s password, Kaspersky reveals.

In some cases, the compromised servers were used to conduct attacks on other resources, with the attackers employing numerous tools to scan websites and servers. Most of the scanned resources were located in Russia, Ukraine, and Turkey, with Brazil, Georgia, Kazakhstan, Switzerland, U.S., France, and Vietnam also hit.

While the scanned sites and servers don’t appear to be connected, the attackers likely targeted them while looking for suitable hosts for their tools, in an attempt to set up further attacks. The researchers did not identify multiple attempts to compromise a specific target, with the exception of several cases.

On the compromised servers, Kaspersky found multiple open-source and publicly available tools, including Nmap (network analysis), Dirsearch (brute forcing directories and files on websites), Sqlmap (SQL injection exploitation), Sublist3r (enumerates website subdomains), Wpscan (WordPress vulnerability scanner), Impacket, SMBTrap, Commix (vulnerability search and command injection), Subbrute (subdomain enumeration), and PHPMailer (mail sending).

A custom Python script named ftpChecker.py, capable of checking FTP hosts from an incoming list, was also found on one of the servers.

The researchers also found a series of malicious PHP files in different directories in the nginx folder, as well as in a working directory the attackers created on an infected web server. A modified sshd with a preinstalled backdoor was also discovered there.

The backdoor is similar to a tool publicly available on GitHub, and can be compiled on any OS. By replacing the original sshd file on the infected server, the attackers can use a ‘master password’ to log in to the remote server, leaving minimal traces.
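Because the backdoor works by replacing the sshd binary, comparing the file against a known-good hash exposes the swap. The following is an added example, not code from Kaspersky or SecurityWeek; the function name `check_manifest` and the manifest layout (the output format of `sha256sum`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify binaries such as /usr/sbin/sshd against a known-good
# SHA-256 manifest. Manifest lines look like `sha256sum` output:
#   <hex digest>  <absolute path>
# Build the manifest from a trusted source (vendor package, golden image,
# clean build), never from the host being examined. On a live host,
# `dpkg --verify openssh-server` or `rpm -V openssh-server` is a quick first
# look, but both trust the local package database.

# check_manifest MANIFEST [ROOT]
#   ROOT is an optional prefix, e.g. the mount point of a read-only disk
#   image, so the suspect system's own tools are not relied upon.
#   Prints one status line per entry. The return code is the number of
#   entries that are MODIFIED or MISSING (0 means every file matched).
check_manifest() {
    manifest=$1
    root=${2:-}
    bad=0
    # The `|| [ -n "$want" ]` keeps a final line that lacks a newline.
    while read -r want path || [ -n "$want" ]; do
        # Skip blank lines and comments.
        case "$want" in ''|'#'*) continue ;; esac
        target="$root$path"
        if [ ! -f "$target" ]; then
            echo "MISSING   $path"
            bad=$((bad + 1))
            continue
        fi
        got=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MODIFIED  $path (expected $want, got $got)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}
```

A match only shows that the file on disk equals the reference; it says nothing about libraries or PAM modules the binary loads, so list those in the manifest as well.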

On the compromised servers, the attackers installed the tools they needed at different times (including any packages and tools for Python). The hackers logged on to the server at roughly the same time of day, and checked the smbtrap log file on working days.

By using publicly available tools, the attackers made attribution without any additional ‘markers’ very difficult. The attackers also show diversity of interests and could potentially target any server on the Internet when looking to establish a foothold.

In most cases, the security researchers determined that the group performed tasks related to searching for vulnerabilities, gaining persistence, and stealing authentication data.

“It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development,” Kaspersky concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
