The U.S. government on Thursday released a cybersecurity advisory outlining multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted the energy sector in the U.S. and beyond.
“The [Federal Security Service] conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data,” the U.S. government said, attributing the attacks to an APT actor known as Energetic Bear.
In addition, the Justice Department charged four Russian government employees, including three officers of the Russian Federal Security Service and a computer programmer at the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), for their roles in carrying out the attacks on oil refineries, nuclear facilities, and energy companies.
The four Russian nationals are Pavel Aleksandrovich Akulov(36), Mikhail Mikhailovich Gavrilov (42), and Marat Valeryevich Tyukov (39), and Evgeny Viktorovich Gladkikh (36). But in the absence of an extradition treaty between the U.S. and Russia, the chances that the four individuals will be brought to trial in the U.S. are slim.
The seven-year-long global energy sector campaign is said to have taken advantage of spear-phishing emails, trojanized software updates, and redirects to rogue websites (aka watering holes) to gain initial access, using it to deploy remote access trojans like Havex on compromised systems.
images from Hacker News