Russian Hackers Targeting Oil and Gas Companies
By NICOLE PERLROTH
SAN FRANCISCO — Russian hackers have been systematically targeting hundreds of Western oil and gas companies, as well as energy investment firms, according to private cybersecurity researchers.
The motive behind the attacks appears to be industrial espionage — a natural conclusion given the importance of Russia’s oil and gas industry, the researchers said.
The access the Russian hackers gained also gives them the opportunity to seize control of industrial control systems from afar, in much the same way the United States and Israel were able to use the Stuxnet computer worm, deployed around 2009, to take control of the controllers at an Iranian nuclear facility and destroy roughly a fifth of the country’s uranium-enrichment centrifuges, the researchers said.
The Russian attacks, which have affected over 1,000 organizations in more than 84 countries, were first discovered in August 2012 by researchers at CrowdStrike, a security company in Irvine, Calif. The company noticed an unusually sophisticated and aggressive Russian group targeting the energy sector, in addition to health care, governments and defense contractors.
The group was named “Energetic Bear” because the vast majority of its victims were oil and gas companies. And CrowdStrike’s researchers believed the hackers were backed by the Russian government given their apparent resources and sophistication and because the attacks occurred during Moscow working hours.
A report released Monday by Symantec, a computer security company based in Mountain View, Calif., detailed similar conclusions and added a new element — the Stuxnet-like remote control capability.
In addition to basic hacking techniques, like sending mass emails containing malicious links or attachments, the group infected websites frequented by energy workers and investors in what is known as a “watering hole attack.”
In this attack, instead of targeting a victim’s computer network directly, hackers plant malicious software on websites their targets visit often — like an online menu for a Chinese restaurant. Workers visiting that site unknowingly download the so-called malware, which gives the hackers a foothold inside their employer’s network.
The Russian hackers were careful to cover their tracks, the researchers said. They encrypted and obfuscated their malware, which made it difficult to identify their tools and where they came from. In some cases, researchers found evidence that the hackers were probing the lowest layer of victims’ machines, the firmware known as the BIOS, or basic input/output system. Unlike the operating system and applications, which can be patched or reinstalled, malicious code written into firmware survives a reinstall and typically cannot be removed without reflashing or replacing the hardware.
F-Secure, the Finnish security firm, also told its clients last week about the Russian hacking group, which Symantec has named “Dragonfly.”
In the past six months, researchers say the group has become more aggressive and sophisticated.
The Russian hackers have been breaking into the networks of makers of industrial control system, or I.C.S., software and inserting so-called Trojans into the programs that many oil and energy firms use to give employees remote access to industrial control systems. So when oil and gas companies downloaded the latest version of the software, they downloaded the hackers’ malware along with it.
At least three industrial control software developers were affected, according to researchers at Symantec, F-Secure and CrowdStrike. The first was a maker of remote access tools for industrial control systems; the second, a European manufacturer of specialized industrial control devices; and the third, a European company that develops systems to manage wind turbines, natural gas plants and other energy infrastructure. They were not named by the security companies because of confidentiality agreements.
Security researchers estimate that more than 250 companies downloaded the infected software updates.
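The update poisoning described above, as an added example that is not code from the article or from any vendor it describes: a Python integrity check that verifies a downloaded installer against a digest pinned through a channel the attacker does not control, and that shows why a hash file served from the same compromised download site catches nothing. The vendor, file names and installer bytes are constructed stand-ins.

```python
"""Integrity check for downloaded ICS software updates.

Added example; not code from the NYT article or from any vendor it
describes. Vendor, file names and installer bytes are constructed
stand-ins. The point it demonstrates: a digest pinned through a channel
the attacker does not control catches a trojanized installer, while a
digest fetched from the same compromised download site does not.
"""
import hashlib
import hmac
import io

CHUNK = 1 << 20  # hash in 1 MiB pieces so multi-GB installers need not fit in RAM


def sha256_stream(stream) -> str:
    """Return the hex SHA-256 of a binary file-like object, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(name: str, stream, manifest: dict) -> tuple:
    """Check one downloaded file against a digest manifest.

    Returns (accepted, computed_digest, reason). Files absent from the
    manifest are rejected rather than waved through: an attacker who adds
    a new "helper" binary to the package should not get a free pass.
    """
    expected = manifest.get(name)
    computed = sha256_stream(stream)
    if expected is None:
        return False, computed, "file not listed in pinned manifest"
    # compare_digest keeps the comparison constant-time; harmless here, idiomatic anyway
    if not hmac.compare_digest(computed, expected):
        return False, computed, "digest mismatch: file differs from pinned release"
    return True, computed, "digest matches pinned release"


def verify_bytes(name: str, data: bytes, manifest: dict) -> tuple:
    """Convenience wrapper for in-memory data (tests and small packages)."""
    return verify_download(name, io.BytesIO(data), manifest)


# --- constructed sample data (hypothetical vendor and files) --------------
CLEAN_INSTALLER = b"ICS-RemoteAccess-Setup 2.1 (constructed clean installer bytes)"
# What a victim fetches from a compromised vendor site: the same installer
# with a dropper appended. The appended bytes are a label only.
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"\n[constructed: appended dropper stub]"
FILE_NAME = "ICS-RemoteAccess-Setup.exe"

# Digest pinned before the incident via a channel the attacker does not
# control (a signed release note, or a copy retained from the last verified
# install). Derived here from the clean bytes for the demo.
PINNED_MANIFEST = {FILE_NAME: hashlib.sha256(CLEAN_INSTALLER).hexdigest()}

# Digest file served from the same compromised site; the attacker rewrote
# it to match the trojanized installer, so it will "verify" the Trojan.
SERVED_MANIFEST = {FILE_NAME: hashlib.sha256(TROJANIZED_INSTALLER).hexdigest()}


def run_demo() -> dict:
    """Verify the sample downloads against both manifests; return outcomes."""
    clean_ok, _, _ = verify_bytes(FILE_NAME, CLEAN_INSTALLER, PINNED_MANIFEST)
    pinned_ok, _, pinned_reason = verify_bytes(FILE_NAME, TROJANIZED_INSTALLER, PINNED_MANIFEST)
    served_ok, _, served_reason = verify_bytes(FILE_NAME, TROJANIZED_INSTALLER, SERVED_MANIFEST)
    unknown_ok, _, unknown_reason = verify_bytes("ICS-Helper.dll", CLEAN_INSTALLER, PINNED_MANIFEST)
    return {
        "clean_vs_pinned": clean_ok,    # True: genuine release accepted
        "trojan_vs_pinned": pinned_ok,  # False: tampering detected
        "trojan_vs_served": served_ok,  # True: same-site hash file proves nothing
        "unlisted_file": unknown_ok,    # False: extra file not in manifest
        "reasons": [pinned_reason, served_reason, unknown_reason],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is where the manifest comes from: a digest published next to the download is only as trustworthy as the server it sits on, which in the supply-chain case above is exactly the machine the attackers controlled. Pin digests or vendor signing keys out of band and refuse unlisted files.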
“These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected I.C.S. computers,” Symantec wrote in its report Monday.
There was no evidence the Russian group intended to use its toehold in some networks to inflict damage, like blowing up an oil rig or power facility, said Kevin Haley, the director of security response at Symantec, in an interview. The apparent motive, Mr. Haley said, was to learn more about energy companies’ operations, strategic plans and technology. “But the potential for sabotage is there,” he added.
More recently, Energetic Bear has been targeting companies in the financial sector, said Adam Meyers, CrowdStrike’s head of threat intelligence. In particular, the group has been attacking, with the watering hole technique, some websites frequented by firms that invest in the energy sector.
Once someone visits an infected site, Mr. Meyers said, attackers will infect their system, scan their device to see if it is worth hacking, and then install sophisticated hacking tools. For devices deemed uninteresting, the attackers simply clean up their tools and move along.
“They are very aggressive,” Mr. Meyers said. “And very careful to cover their tracks.”
Russian energy hackers run rampant, oil and gas companies on edge
Researchers at cybersecurity companies say Russian hackers have systematically targeted hundreds of European and American energy companies and energy investment firms, and are in a position to remotely control those companies’ computer facilities, whether to cut off power supplies or to hijack industrial control equipment.
Security company Symantec said in a blog post on the 30th that the group of Russian hackers it calls “Dragonfly” evidently has the resources, scale and organization of a sizable operation, and that its activity falls within regular nine-to-six working hours in Moscow and Eastern Europe, suggesting possible government involvement. Its main targets are strategically important energy companies such as grid operators, pipeline operators and electric utilities.
Symantec noted that more than half of the intrusions were found in the United States and Spain, but Serbia, Greece, Romania, Poland, Turkey, Germany, Italy and France were also on the target list.
Symantec said: “The Dragonfly group is well resourced, with a range of malware tools at its disposal, and is capable of launching attacks through a number of different vectors. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations.”
According to The New York Times, the Russian hackers’ attacks were first discovered in August 2012 by CrowdStrike, a California security company, and have affected more than 1,000 companies in over 84 countries worldwide; beyond the energy sector, health care, government and defense were also hit.
Researchers say the motive is probably industrial espionage, but the same access could also be used to take control of industrial control systems. For example, beginning around 2009 the United States and Israel used the Stuxnet computer worm to take control of an Iranian nuclear facility’s control systems and destroy a fifth of its uranium-enrichment centrifuges.
Researchers point out that besides the common technique of mass-mailing messages carrying malicious links or attachments, the Russian hackers also habitually use “watering hole” attacks, in which they plant malware on websites their targets’ computers frequently visit, so that the next time a user goes to the site the malware is unknowingly downloaded onto the computer and the hackers walk straight in.
The Russian hackers focus on compromising industrial control software. At least three such software developers are estimated to have been hacked, and more than 250 companies downloaded the trojanized updates.
Original article:
http://www.nytimes.com/2014/07/01/technology/energy-sector-faces-attacks-from-hackers-in-russia.html
New York Times Chinese edition translation:
http://cn.nytimes.com/technology/20140701/c01cyber/zh-hant/
2014-07-02, Economic Daily News (經濟日報), A8, International Perspective, compiled and translated by 莊雅婷