Russian hackers who broke into the networks of Western oil and gas companies used techniques that companies can detect and oftentimes defend against, experts say.
The Russian Federation-based group compromised corporate systems by planting malware in technology suppliers' software and compromising websites visited by energy company employees, Symantec said in a recent report on the attacks.
[Chinese cyberspies U.S., European defense, space sectors]
The attackers, which have been operating at least since 2011, were bent on stealing intellectual property and other sensitive information mostly from energy grid operators, major electricity generators, oil pipeline operators and industrial equipment providers. The majority of the targets were in the U.S., Spain, France, Italy, Germany, Turkey and Poland.
The attackers' favorite malware was Backdoor.Oldrea, also known as Havex or the Energetic Bear RAT. Oldrea, custom malware either developed by the group or for it, acted as a back door that let the hackers extract data and install additional software.
The majority of command and control servers appeared to be hosted on compromised computers running content management systems. Oldrea has a basic control panel that lets an authenticated user download a compressed version of data stolen from each victim.
Tools that monitor network traffic can detect such malware when data moving from an internal source suddenly spikes and the traffic is headed toward an untrusted site, Adam Kujawa head of malware intelligence at Malwarebytes, said.
Intrusion detection systems (IDSs) could help by identifying Web addresses sending and receiving data that is suspicious.
"Many government networks utilize block lists and closely monitor network activity to keep an eye out for anything anomalous," Kujawa said. "This is a very common method of identifying previously unseen malware."
Security products that scan systems for unusual activity could also help. "Even something as small as a single value in the system registry being incorrect could be enough to launch an investigation of infection on a system," he said.
Another effective technique is egress filtering, which is the practice of monitoring traffic from a corporate network to the Internet via a router, firewall or similar device.
"With simple egress filtering, an organization can identify communication paths that don't belong on the network and block them," Jim Gilsinn, senior investigator for Kenexis Consulting, said.
Any device on a network of industrial control systems that need access to Internet domains should go through a Web proxy that enforces a white list of acceptable sites, Gilsinn said.
The Russian hackers often compromised websites visited by a company's employees in order to download malware. Such so-called watering-hold attacks can be stymied by adding script-blocking extensions to browsers.
The extensions prevent scripts, such as JavaScript, Silverlight, Flash and Frames, from running unless they are from an approved domain, Gilsinn said.
Another defensive strategy is to sandbox the browser using a tool like Sandboxie, Kevin Lawrence, senior security associate for consultancy Bishop Fox, said. "Sandboxie will limit or prevent downloaded malware from accessing your system."
As a best practice, browser software and plugins should always be kept up to date with patches and upgrades to ensure that at least all known vulnerabilities have been fixed.
An indication of the sophistication of the Russian group, named Energetic Bear, was how it broke into the networks of industrial control software makers and compromised products used by many oil and gas companies.
Symantec found three industrial control system (ICS) manufacturers whose software had been compromised in this way. Malware-infected products included software that provided virtual private network (VPN) access to ICS hardware, a software driver and applications used to manage wind turbines and biogas plants.
The names of the companies were not disclosed.
For manufacturers to protect customers from such threats, experts suggested using hash values for accessing the software to ensure it has not been tampered with.
"By providing a way to validate that the download matched the original one posted on the site, the end user can better assume that the files have not been tampered with," Gilsinn said.
With so much business being conducted with suppliers online, Mike Lloyd, chief technology officer for RedSeal Networks, recommended companies map out and monitor all network connections.
"This has been ignored for too long, leading to a rat's nest of legacy connections that are poorly understood, shadowy, and hence ideal attack pathways," Lloyd said.
[Export controls place cybersecurity on par with military weaponry]
Because no single technology is capable of blocking or detecting all attacks, Symantec recommends a "layered approach" to protecting the corporate network.
"Any single layer that the attacker is unable to bypass can prevent successful data exfiltration," Eric Chien, technical director at Symantec's Security Technology and Response team, said.