Monday, March 9, 2015

Critical Infrastructures And The Energetic Bear ... Big Picture Implications



Who are they?
Energetic Bear is an Advanced Persistent Threat (APT) group whose targets lie mostly within the energy sector. In addition to targeting the energy sector, they have also targeted organizations in other verticals such as Aviation and Defense. The countries targeted by this group were US, Canada, Spain, France, Italy, Germany, Turkey and Poland. Their attacks are carried out via methods such as spear phishing, watering hole, remote access tools and trojanized software (Symantec, 2014). While some researchers state the group operates in Eastern Europe (Symantec, 2014), others have been more confident and specific, suggesting that this threat actor is directly connected to the Russian Government. It is believed that the objective of the Russian Government is to promote Russia’s national economic interest along with helping its industries to maintain competiveness in key areas of national importance (Finkle, 2014).

The Big Picture Implication
Groups like Energetic Bear poses a clear and present threat to our Critical Infrastructures and hence our National Security. By successfully penetrating organizations within our Energy Sector this group may be in a position to control the amount of heat we get in our homes during the winter, blow up a nuclear energy facility or even flood a hydro dam. While the primary impact may be physical destruction, the secondary and other consequential damages can be devastating. For any of the above, there can be significant loss of life, significant economic loss and or mass hysteria. Communications systems can be affected thus affecting emergency services personnel from being able to successfully perform their duties. The Energy Sector is basically the engine that drives the other 15 Critical Infrastructure Sectors and any threat that reduces its effectiveness and or the quality of its output, immediately affects the input to the 15 other critical infrastructure sectors. A 30-minute power outage is said to cost business around US$15,709. For shorter blackouts which occurs several times a year in the United States (US) it is reported than this results has an annual economic loss of between US$104 and US$164 billion (agcs.allianz.com, n.d.).  The significant of these numbers show that for any situation of which the real owners and operators of these infrastructures do not have full control of their systems, the outcomes of someone malicious gaining control cannot be over stated.

What should be done about this group?
The ultimate objective when dealing with groups like Energetic Bear would be to work with the Governments and owners of Critical Infrastructures along with the rest of the security community, combining efforts towards dismantling the group or the creation of initiatives which may reduce its effectiveness. However, one should be aware that it can be very difficult to attribute attacks in cyber space (Schneier, 2015).  As can be seen above, Symantec suggested that the group operates out of Eastern Europe (giving Symantec a broad territory) while CrowdStrike was more specific claiming it was the Russian government.  
While dismantling the group would be very nice to achieve, the reality is we need to make greater effort at securing our systems and critical infrastructures.  The vulnerabilities exploited by Energetic Bear (CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723 in Java 6, Java 7, IE 7 and IE 8) (kasperskycontenthub.com)were already known and should have been patched.  If for business reasons these devices were or are unable to be patched, all efforts should be made to ensure the relevant technical and or administrative controls are in place to mitigate any attacks destined for these hosts. However, since Energetic Bear exploits Internet Explorer (IE) and Java, these being known client side applications, I will conclude that business reasons may not have been the primary reason why these devices were on patched.  
Some of the technical controls which may work in these situations are reducing and or eliminating the use of administrative credentials, implementation of Intrusion Prevention Systems (IPS) which should block this communication from being successful and or Security Information Event Management (SIEM) solutions which can help to store logs, correlate data and alert on potential threats if they were successful. While these solutions may not prevent these attacks, it does help an organization to understand the scale of the attack if and or when it is has been successfully targeted and compromise, while also reducing its attack surface.

Conclusion
Attribution in cyber space is very difficult, this makes justified retaliation extremely hard. Similarly defense is harder than offence, thus we need to ensure we are recording as much relevant information as possible and where possible. From a big picture perspective, these groups pose a clear and present threat to Critical Infrastructures and hence National Security. Containing APT Threat Actors like Energetic Bear may be difficult, thus protecting our infrastructure and systems through either prevention or detection solutions should be paramount.

References

(n.d.). Retrieved from kasperskycontenthub.com: https://kasperskycontenthub.com/securelist/files/2014/07/EB-YetiJuly2014-Public.pdf
(n.d.). Retrieved from agcs.allianz.com: http://www.agcs.allianz.com/insights/expert-risk-articles/energy-risks/
Finkle, J. (2014, January 22). Retrieved from reuters.com: http://www.reuters.com/article/2014/01/22/us-russia-cyberespionage-idUSBREA0L07Q20140122
Schneier, B. (2015, January 8). Retrieved from schneier.com: https://www.schneier.com/blog/archives/2015/01/attack_attribut.html
Symantec. (2014, June 30). Retrieved from symantec.com: http://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group

2 comments: