The spread of the Stuxnet worm served as a critical reminder to cyber security teams around the globe of the significant damage that a cyber-attack can cause. This rang especially true for those working in critical infrastructure, who learned that a 500 KB computer worm had caused the fast-spinning centrifuges of Iran’s Natanz nuclear site to tear themselves apart. As malware evolves and becomes more complex, so must the technology used to defend against advanced persistent threats.
‘Energetic Bear’, or ‘Crouching Yeti’, is an actor involved in several advanced persistent threat (APT) campaigns, whose existence has been known since 2011. However, according to a recent study from security firm F-Secure, attacks targeting Industrial Control Systems (ICS) have occurred as recently as the spring of 2014. The ‘Energetic Bear’ campaign is centered on the use of the HAVEX Remote Access Trojan, or RAT, to acquire PII about the victim’s system, harvesting passwords, personal information, etc. According to a June ICS-CERT Advisory, the HAVEX RAT gains access to targeted systems through phishing emails and redirects to compromised web sites, and most recently has been embedded within update installers on at least three ICS vendor web sites. These have been referred to as ‘watering hole-style attacks’ or strategic web compromise activity. Once the trojanized installer runs on the targeted system, it executes malicious code that allows the attacker to install a backdoor and gain complete control of the machine.
The majority of the 2,800 companies identified as victims of the attack are in the industrial and machinery sectors. The countries most heavily targeted by these attacks were the United States, Spain, Japan and Germany. Interestingly, none of the exploits used to compromise the servers hosting trojanized software installers were known to be zero-day attacks. However, the HAVEX RAT is mutating quickly, and F-Secure has analyzed 88 variants of the RAT since late June.
What can be done to combat this threat?
Protecting organizations from this type of cyber-attack requires that endpoints and web browsers are kept up-to-date to reduce the number of security vulnerabilities that hackers can exploit. Managers of an ICS facility should request that their vendors provide hash values for all software patches, updates, and installers so that integrity can be validated against what the vendor actually released. Once a file is received on the ICS side, managers should compute its hash and confirm it matches the vendor-supplied value, and then scan the update with multiple anti-malware engines to confirm the patch is malware-free. ICS facility managers should also fully scan any archive files to ensure there is no contamination. Lastly, administrators of secure facilities should ensure that a portable media security solution is in place for scanning all peripheral devices for malware prior to allowing the devices into the secure facility.
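The hash check described above, as an added example that is not part of the original post and not OPSWAT's or any vendor's code. It assumes the vendor publishes a plain-text manifest of `<sha256-hex>  <filename>` lines (the sha256sum style) and that SHA-256 is the agreed digest; both the manifest format and the installer bytes below are constructed for the example. A file that is missing from the manifest is rejected rather than silently accepted, because a trojanized download is exactly the case where the file exists but no matching published hash does.

```python
"""Verify vendor-supplied installer hashes before an update reaches ICS hosts.

Added example, not code from the page or from OPSWAT. Assumptions: the vendor
publishes a sha256sum-style manifest ("<sha256-hex>  <filename>" per line),
and the manifest is obtained out of band (e.g. signed mail or a second channel),
not from the same download page as the installer.
"""
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hash the received installer bytes exactly as the vendor would have."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  filename' lines into {filename: digest}.

    Blank lines and '#' comments are ignored; a malformed digest is an error
    rather than something to skip, so a corrupted manifest cannot quietly
    cause a file to be treated as unlisted.
    """
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest, name = digest.lower(), name.strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA-256 digest in manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_installer(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """True only if the file is listed in the manifest and its digest matches."""
    expected = manifest.get(name)
    if expected is None:
        return False
    # compare_digest is the habitual constant-time comparison for digests.
    return hmac.compare_digest(sha256_hex(data), expected)


def audit_received_files(files: dict[str, bytes],
                         manifest: dict[str, str]) -> dict[str, str]:
    """Classify every received file so the gate can log a clear reason."""
    results: dict[str, str] = {}
    for name, data in files.items():
        if name not in manifest:
            results[name] = "NOT IN MANIFEST"
        elif verify_installer(name, data, manifest):
            results[name] = "OK"
        else:
            results[name] = "HASH MISMATCH"
    return results


# Constructed sample data: a fake installer, the manifest the vendor would
# publish for it, and a copy with bytes appended to simulate tampering.
GOOD_INSTALLER = b"MZ\x90\x00" + b"constructed installer payload 2014.06" * 8
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00extra bytes not in the vendor build"
VENDOR_MANIFEST_TEXT = (
    "# constructed vendor manifest (sha256sum style)\n"
    f"{sha256_hex(GOOD_INSTALLER)}  ics_update_2014_06.exe\n"
)

if __name__ == "__main__":
    manifest = parse_manifest(VENDOR_MANIFEST_TEXT)
    received = {
        "ics_update_2014_06.exe": TAMPERED_INSTALLER,
        "firmware_tool.exe": GOOD_INSTALLER,  # real bytes, but never published
    }
    for filename, status in audit_received_files(received, manifest).items():
        print(f"{status:16} {filename}")
```

Only files reported as `OK` should proceed to the multi-engine anti-malware scan the post calls for; the hash gate confirms the file is the one the vendor shipped, while the scan answers the separate question of whether that shipped file is clean.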
Administrators should leverage security solutions, such as OPSWAT’s MetaDefender, that allow them to configure appropriate and effective security policies. By configuring appropriate security policies for certain users, administrators limit the risks present on unknown portable devices. In addition to secure data workflows, digital data present on a portable device should be scanned with multiple anti-malware engines to increase the likelihood of detecting and preventing advanced threats.
‘Energetic Bear’ is simply the latest in a series of cyber-attacks on critical infrastructure, domestically and abroad. Avoiding infection from this threat will require administrators to monitor the web traffic of their end users, request hash values for all software updates and possess the ability to detect new variants of this threat. With hash-verified software updates, appropriate security policies and scanning of portable media with multiple anti-malware engines, administrators can thoroughly eradicate any possibility of being compromised by the HAVEX RAT.