Russian hackers appear to be targeting Western energy interests for cyber espionage, according to a report to be issued Wednesday by a security research firm.
Though researchers at CrowdStrike say they do not have definitive proof, they say they found links between the command and control servers and Russian-language hosting services.
If true, it would be one of the first reports alleging Russian cyber efforts aimed at U.S. and European energy companies. Up to now, most reports have focused on the Chinese.
“They’re taking the Chinese playbook,” said Dmitri Alperovitch, CrowdStrike cofounder and chief technology officer.
Some analysts say that Russia’s interest in the sector would not be surprising given that the oil market comprises 70 percent of its economy.
The researchers said they saw indicators in malware they analyzed that “tie back to possible Russian” hackers, and some of the command and control servers used were linked to Russia-based hosts. Also, the hackers were active during business hours in Moscow, the report said.
The hacking group, which CrowdStrike dubbed Energetic Bear, has been active since at least August 2012, said Adam Meyers, CrowdStrike’s vice president of intelligence. Energetic Bear is also targeting Japan, China and Turkey, Meyers said. He said the data harvested from the companies could be useful “in support of political or diplomatic operations involving the use of energy resources.”
CrowdStrike’s report also warned that malicious hackers have developed “zero day” cyber attack tools that can be used to compromise the widely used Microsoft Windows XP operating system, apparently eager to take advantage of Microsoft’s announced end to its support program.
As of April 8, Microsoft will no longer be sending out patches to fix vulnerabilities in Windows XP, which was launched in 2001 and has been superseded by Windows 7 and Windows 8.
But some 20 percent of the world’s computers are still running XP, and some systems such as bank ATMs and airport check-in kiosks use versions of XP, Meyers said.
Zero days are software tools that can be used to exploit previously unknown vulnerabilities in computer systems. With Microsoft ending its support program, those zero days will be worth a lot more money on the black market because the firm will not be patching vulnerabilities, Meyers said.
“We’ve seen some chatter [on sites discussing zero days] that supports the conclusion that there are researchers out there that have weaponized exploits for Windows XP that they’re waiting to release,” Meyers said.
Security researcher Brian Krebs said he did not think that stockpiled exploits “would be any more or less valuable now versus later because sometimes they are good against multiple versions of Windows.”
But, he said, he agreed the lack of patching “is a problem. It’s a big problem.”
To steal data from the energy companies, the Russians used a technique known as “strategic web compromise,” in which hackers place malware on a Web site or Web page that the targeted company’s employees are expected to visit. When an employee navigates to the compromised Web site, the employee’s computer is surreptitiously infected with spyware that can give the hackers access to that computer, where they hunt for information of interest.
Also called “watering hole” attacks, the technique was on the rise in 2013, the report said. It was also used by the Chinese in a variety of cyber espionage campaigns, it said. In one instance, the report said, the Chinese compromised a Harvard University Web site with a number of infected pages concerning military and international relations.