Ideas for defending against cyberespionage

Russian hackers who broke into the networks of Western oil and gas companies used techniques that companies can detect and oftentimes defend against, experts say.

The Russian Federation-based group compromised corporate systems by planting malware in technology suppliers' software and compromising websites visited by energy company employees, Symantec said in a recent report on the attacks.


The attackers, which have been operating at least since 2011, were bent on stealing intellectual property and other sensitive information mostly from energy grid operators, major electricity generators, oil pipeline operators and industrial equipment providers. The majority of the targets were in the U.S., Spain, France, Italy, Germany, Turkey and Poland.

The attackers' favorite malware was Backdoor.Oldrea, also known as Havex or the Energetic Bear RAT. Oldrea, custom malware either developed by the group or for it, acted as a back door that let the hackers extract data and install additional software.

The majority of command and control servers appeared to be hosted on compromised computers running content management systems. Oldrea has a basic control panel that lets an authenticated user download a compressed version of data stolen from each victim.

Tools that monitor network traffic can detect such malware when the volume of data leaving an internal source suddenly spikes and the traffic is headed toward an untrusted site, Adam Kujawa, head of malware intelligence at Malwarebytes, said.

Intrusion detection systems (IDSs) could help by identifying Web addresses that are sending or receiving suspicious data.

"Many government networks utilize block lists and closely monitor network activity to keep an eye out for anything anomalous," Kujawa said. "This is a very common method of identifying previously unseen malware."

Security products that scan systems for unusual activity could also help. "Even something as small as a single value in the system registry being incorrect could be enough to launch an investigation of infection on a system," he said.

Another effective technique is egress filtering, which is the practice of monitoring traffic from a corporate network to the Internet via a router, firewall or similar device.

"With simple egress filtering, an organization can identify communication paths that don't belong on the network and block them," Jim Gilsinn, senior investigator for Kenexis Consulting, said.

Any device on an industrial control system network that needs access to Internet domains should go through a Web proxy that enforces a white list of acceptable sites, Gilsinn said.
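The two checks described above, the outbound-volume spike Kujawa describes and the egress allowlist Gilsinn recommends, can be run over ordinary proxy or firewall logs. The following script is an added example written for this article, not a tool from Symantec, Malwarebytes or Kenexis; the log lines, the domain names and the allowlist are constructed placeholders, and the simple "timestamp source destination bytes" record format is assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample egress records in a simple syslog-like form
# (timestamp, source IP, destination host, bytes sent). These are made-up
# values for the example, not output of any real proxy or firewall.
SAMPLE_LOG = """\
2014-07-01T09:00:05 10.0.5.12 updates.vendor-example.com 1200
2014-07-01T09:00:41 10.0.5.12 mail.corp-example.com 3400
2014-07-01T09:01:10 10.0.5.33 updates.vendor-example.com 900
2014-07-01T09:01:55 10.0.5.12 mail.corp-example.com 2100
2014-07-01T09:02:30 10.0.5.12 cms-host-example.net 4800000
2014-07-01T09:02:58 10.0.5.12 cms-host-example.net 5100000
2014-07-01T09:03:20 10.0.5.33 mail.corp-example.com 1800
"""

# Hypothetical allowlist the Web proxy would enforce (placeholder domains).
ALLOWED_DOMAINS = {"updates.vendor-example.com", "mail.corp-example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, bytes) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, nbytes = m.groups()
            records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_unapproved_destinations(records, allowed=ALLOWED_DOMAINS):
    """Egress-filtering view: (src, dst) pairs whose destination is not allowlisted."""
    return sorted({(src, dst) for _, src, dst, _ in records if dst not in allowed})


def find_volume_spikes(records, factor=10):
    """Volume view: per-source one-minute buckets whose outbound bytes exceed
    `factor` times that source's median bucket, i.e. a sudden upload burst."""
    per_source = defaultdict(lambda: defaultdict(int))
    for ts, src, _, nbytes in records:
        per_source[src][ts.replace(second=0, microsecond=0)] += nbytes
    spikes = []
    for src, buckets in per_source.items():
        baseline = median(buckets.values())
        for minute, total in sorted(buckets.items()):
            if total > factor * baseline:
                spikes.append((src, minute.isoformat(), total))
    return spikes


def egress_report(text=SAMPLE_LOG):
    """Combine both views so one host that uploads a burst to an
    unlisted destination shows up in each list."""
    records = parse_log(text)
    return {
        "unapproved": find_unapproved_destinations(records),
        "spikes": find_volume_spikes(records),
    }


if __name__ == "__main__":
    for key, hits in egress_report().items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

On the sample data, host 10.0.5.12 appears in both lists: it pushes roughly 10 MB in a single minute, far above its own baseline, to a host that is not on the proxy allowlist. In practice the allowlist should come from the proxy configuration itself and the baseline from days of traffic rather than a handful of lines, but the two signals are the ones worth correlating.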

The Russian hackers often compromised websites visited by a company's employees in order to deliver malware. Such so-called watering-hole attacks can be stymied by adding script-blocking extensions to browsers.

The extensions prevent scripts, such as JavaScript, Silverlight, Flash and Frames, from running unless they are from an approved domain, Gilsinn said.

Another defensive strategy is to sandbox the browser using a tool like Sandboxie, Kevin Lawrence, senior security associate for consultancy Bishop Fox, said. "Sandboxie will limit or prevent downloaded malware from accessing your system."

As a best practice, browser software and plugins should always be kept up to date with patches and upgrades to ensure that at least all known vulnerabilities have been fixed.

An indication of the sophistication of the Russian group, named Energetic Bear, was how it broke into the networks of industrial control software makers and compromised products used by many oil and gas companies.

Symantec found three industrial control system (ICS) manufacturers whose software had been compromised in this way. Malware-infected products included software that provided virtual private network (VPN) access to ICS hardware, a software driver and applications used to manage wind turbines and biogas plants.

The names of the companies were not disclosed.

To protect customers from such threats, experts suggested that manufacturers publish hash values for their software so that customers can verify a download has not been tampered with.

"By providing a way to validate that the download matched the original one posted on the site, the end user can better assume that the files have not been tampered with," Gilsinn said.
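The check Gilsinn describes amounts to recomputing a digest of the downloaded file and comparing it with the value the vendor published. The script below is an added example written for this article, not code from any of the vendors or firms mentioned; the installer bytes, the file name and the checksum manifest are constructed stand-ins, and the manifest uses the common "hexdigest  filename" layout produced by sha256sum.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <filename>'); '#' lines are comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.strip().lstrip("*")  # '*' is sha256sum's binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, manifest):
    """True only if the file's digest matches its published entry.
    A file with no published digest is treated as unverified, not as trusted."""
    path = Path(path)
    published = manifest.get(path.name)
    if published is None:
        return False
    # constant-time comparison avoids leaking how many leading characters matched
    return hmac.compare_digest(sha256_file(path), published)


def demo():
    """Constructed scenario: a clean installer, then the same file altered on disk."""
    good = b"ICS VPN client installer (constructed stand-in bytes)\n"
    tampered = good + b"<!-- injected content placeholder -->"
    manifest = parse_checksum_manifest(
        "# constructed manifest, not a real vendor publication\n"
        f"{hashlib.sha256(good).hexdigest()}  ics-vpn-client-setup.exe\n"
    )
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "ics-vpn-client-setup.exe"
        p.write_bytes(good)
        clean_ok = verify_download(p, manifest)
        p.write_bytes(tampered)
        tampered_ok = verify_download(p, manifest)
        unlisted_ok = verify_download(Path(d) / "other.exe", {})
    return clean_ok, tampered_ok, unlisted_ok


if __name__ == "__main__":
    print(demo())
```

The digest is only as trustworthy as the channel it arrived through: if the published hash sits on the same download page the attackers altered, they can update it alongside the installer. Publishing hashes over a separate channel, or signing the release so the signature can be checked against a key obtained in advance, is what makes the comparison meaningful.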

With so much business being conducted with suppliers online, Mike Lloyd, chief technology officer for RedSeal Networks, recommended companies map out and monitor all network connections.

"This has been ignored for too long, leading to a rat's nest of legacy connections that are poorly understood, shadowy, and hence ideal attack pathways," Lloyd said.


Because no single technology is capable of blocking or detecting all attacks, Symantec recommends a "layered approach" to protecting the corporate network.

"Any single layer that the attacker is unable to bypass can prevent successful data exfiltration," Eric Chien, technical director at Symantec's Security Technology and Response team, said.
