Russia-Linked Hackers Target Turkish Critical Infrastructure

A Russia-linked threat group has been targeting people associated with Turkish critical infrastructure through compromised Turkish sites, according to threat management firm RiskIQ.

Called Energetic Bear, but also known as Dragonfly and Crouching Yeti, the group has been active since at least 2010. First detailed in 2014, the threat group has been focused mainly on the energy sector in the United States and Europe.

In July, Cisco revealed that the group has used template injection in attacks aimed at energy facilities and other critical infrastructure organizations in the United States. At least a dozen power firms in the country were hit in these attacks, including the Wolf Creek nuclear facility in Kansas.

In late October, the Department of Homeland Security and Federal Bureau of Investigation issued a joint alert to warn of an attack campaign associated with the group that has been ongoing since at least May 2017. The attacks target entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

RiskIQ now reveals that the group leveraged a supply chain attack to compromise a website belonging to a Turkish energy company and later used the site as a watering hole attack targeting people associated with Turkish critical infrastructure.

The group injected the site with SMB credential-harvesting malware and the security researchers managed to link the infrastructure to related Turkish sites that were compromised for the same purpose.

To set up their attacks, Energetic Bear compromises websites that give them exposure to specific targets, RiskIQ explains. They used the same technique for the website of Turcas Petrol, a Turkish energy company, located at turcas.com.tr.

The URL of an image the group included on the website “redirects to a link using the file:// scheme, which forces the connection through the file protocol, which then allows the group to harvest Microsoft SMB credentials,” RiskIQ’s researchers explained. The compromise appears targeted at Turcas Petrol and those close to the business, a tactic typically employed by Energetic Bear.

According to RiskIQ, the SMB credential harvesting host is not always directly included on the websites, but an intermediary host is typically used to redirect visitors to SMB harvesting (possibly after some filtering is done).

“Additionally, the URL format of the file requested, which in this case was turcas_icon.png, is not related to the referring website. Instead, Energetic Bear seems to use a form of tagging to correlate any possible victims and their source website. The format we observed is <tag>_icon.png and <tag>.png,” the RiskIQ team says.
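The two observable traits described above, an image fetch that redirects to a file:// URL and an image name of the form <tag>_icon.png or <tag>.png, are what a defender would look for in web proxy or HTTP response logs. The following script is an added example written for this article, not RiskIQ's tooling: it takes records of (referring page, image src, redirect Location header), flags any whose redirect uses the file:// scheme (the request that would trigger an outbound SMB connection and an NTLM exchange), extracts the correlation tag from the file name, and groups the referring sites by the host they funnel to, which is the kind of pivot that linked the Turkish sites to one infrastructure. The sample records, the relay host name and the 198.51.100.7 address are constructed placeholders, not indicators from the report.

```python
"""Flag watering-hole pages whose image requests redirect to file:// URLs.

Added defensive example; the records below are constructed for illustration
and the relay host / IP are placeholders, not indicators from RiskIQ's report.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy-log style records: (referring page, image src,
# redirect Location header or None). Hypothetical values only.
SAMPLE_RECORDS = [
    ("https://turcas.com.tr/", "https://turcas.com.tr/img/logo.png", None),
    ("https://turcas.com.tr/", "http://relay.invalid/turcas_icon.png",
     "file://198.51.100.7/s/turcas_icon.png"),
    ("https://plantengineering.com/", "http://relay.invalid/plant.png",
     "file://198.51.100.7/s/plant.png"),
    ("https://example.org/", "https://cdn.example.org/hero_icon.png",
     "https://cdn.example.org/v2/hero_icon.png"),
]

# Matches the <tag>_icon.png and <tag>.png naming described in the report.
TAG_NAME_RE = re.compile(r"^([A-Za-z0-9-]+?)(?:_icon)?\.png$")


def is_file_scheme(url):
    """True when a URL would make the client open a file:// (UNC/SMB) connection."""
    return bool(url) and urlparse(url).scheme.lower() == "file"


def tag_from_url(url):
    """Extract the correlation tag from an image name, or None if it does not match."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    match = TAG_NAME_RE.match(name)
    return match.group(1) if match else None


def scan(records):
    """Return one alert per record whose image fetch redirects to a file:// URL."""
    alerts = []
    for page, src, location in records:
        if not is_file_scheme(location):
            continue  # ordinary HTTP(S) redirects are not the pattern of interest
        alerts.append({
            "page": urlparse(page).hostname,
            "src_host": urlparse(src).hostname,      # intermediary that issued the redirect
            "smb_host": urlparse(location).hostname,  # host that would receive the NTLM exchange
            "tag": tag_from_url(location),
        })
    return alerts


def group_by_smb_host(alerts):
    """Map each harvesting host to the sorted list of referring pages that funnel to it."""
    groups = defaultdict(set)
    for alert in alerts:
        groups[alert["smb_host"]].add(alert["page"])
    return {host: sorted(pages) for host, pages in groups.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for alert in found:
        print(alert)
    print(group_by_smb_host(found))
```

The file:// redirect is the high-confidence signal; the tag pattern alone is weak, since many benign images are named something_icon.png, so it is kept only as an attribute for grouping victims once a redirect has already been flagged. The usual network mitigation for this class of attack is to block outbound SMB (TCP 445) at the perimeter so a browser following such a redirect never completes the NTLM exchange.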

RiskIQ discovered that the threat group has compromised ‘general purpose’ websites too, such as plantengineering.com, which serves as an information and news hub for the critical infrastructure sector and which is owned by CFE Media LLC. Two other sites registered with the same email address were also compromised, namely controleng.com and csemag.com.

The security researchers believe that CFE Media’s other websites were affected as well, “because they’re geared toward engineers working in the critical infrastructure sector and thus prime targets for this watering hole attack.” They also note that the compromise campaign likely started between the beginning of February and the end of March.

Related: DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure

Related: Hackers Target Control Systems in U.S. Energy Firms: Symantec

Related: Template Injection Used in Attacks on U.S. Critical Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
