
Russian Hackers Targeting Oil and Gas Companies

SAN FRANCISCO — Russian hackers have been systematically targeting hundreds of Western oil and gas companies, as well as energy investment firms, according to private cybersecurity researchers.

The motive behind the attacks appears to be industrial espionage — a natural conclusion given the importance of Russia’s oil and gas industry, the researchers said.

The manner in which the Russian hackers are targeting the companies also gives them the opportunity to seize control of industrial control systems from afar, in much the same way the United States and Israel were able to use the Stuxnet computer worm in 2009 to take control of an Iranian nuclear facility’s computer systems and destroy a fifth of the country’s uranium supply, the researchers said.

The Russian attacks, which have affected over 1,000 organizations in more than 84 countries, were first discovered in August 2012 by researchers at CrowdStrike, a security company in Irvine, Calif. The company noticed an unusually sophisticated and aggressive Russian group targeting the energy sector, in addition to health care, governments and defense contractors.

The group was named “Energetic Bear” because the vast majority of its victims were oil and gas companies. And CrowdStrike’s researchers believed the hackers were backed by the Russian government given their apparent resources and sophistication and because the attacks occurred during Moscow working hours.

A report released Monday by Symantec, a computer security company based in Mountain View, Calif., detailed similar conclusions and added a new element — the Stuxnet-like remote control capability.

In addition to basic hacking techniques, like sending mass emails containing malicious links or attachments, the group infected websites frequented by energy workers and investors in what is known as a “watering hole attack.”

In this attack, instead of targeting a victim’s computer network directly, hackers infect websites their targets visit often — like an online menu for a Chinese restaurant — with malicious software. Without knowing it, workers visiting that site inadvertently download the so-called malware and help the hackers get inside their computer network.

The Russian hackers were careful to cover their tracks, the researchers said. They hid their malware using encryption techniques that made it difficult to identify their tools and where they came from. In some cases, researchers found evidence that the hackers were probing the core of victims’ machines, the part of the computer known as the BIOS, or basic input/output system. Unlike software, which can be patched and updated, once a computer’s hardware gets infected, it typically becomes unusable.

F-Secure, the Finnish security firm, also told its clients last week about the Russian hacking group, which Symantec has named “Dragonfly.”

In the past six months, researchers say the group has become more aggressive and sophisticated.

The Russian hackers have been breaking into the networks of makers of industrial control software, or I.C.S. software, and inserting so-called Trojans into the programs that many oil and energy firms use to let employees gain remote access to industrial control systems. So when oil and gas companies downloaded the latest version of the software, they inadvertently downloaded the hackers’ malware as well.

At least three industrial control software developers were affected, according to researchers at Symantec, F-Secure and CrowdStrike. The first was a maker of remote access tools for industrial control systems; the second, a European manufacturer of specialized industrial control devices; and the third, a European company that develops systems to manage wind turbines, natural gas plants and other energy infrastructure. They were not named by the security companies because of confidentiality agreements.

Security researchers estimate that more than 250 companies downloaded the infected software updates.

“These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected I.C.S. computers,” Symantec wrote in its report Monday.

There was no evidence the Russian group intended to use its toehold in some networks to inflict damage, like blowing up an oil rig or power facility, said Kevin Haley, the director of security response at Symantec, in an interview. The apparent motive, Mr. Haley said, was to learn more about energy companies’ operations, strategic plans and technology. “But the potential for sabotage is there,” he added.

More recently, Energetic Bear has been targeting companies in the financial sector, said Adam Meyers, CrowdStrike’s head of threat intelligence. In particular, the group has been attacking, with the watering hole technique, some websites frequented by firms that invest in the energy sector.

Once someone visits an infected site, Mr. Meyers said, attackers will infect their system, scan their device to see if it is worth hacking, and then install sophisticated hacking tools. For devices deemed uninteresting, the attackers simply clean up their tools and move along.

“They are very aggressive,” Mr. Meyers said. “And very careful to cover their tracks.”

A version of this article appears in print on , Section B, Page 1 of the New York edition with the headline: Energy Sector Faces Attacks From Hackers in Russia.
