Security researchers have revealed how a Russian hacker group compromised a core Cisco router used by one of Vietnam’s largest oil rig manufacturers to harvest credentials and then to target several energy and critical infrastructure firms in the UK last year.
This Russian hacker group was also accused by the U.S. government of interfering in the 2016 presidential election and of carrying out last year's NotPetya attacks, which hit a large number of firms across the globe.
Security research firm Cylance has published an eye-opening report detailing the activities of a powerful Russian hacker group which was allegedly behind a spate of cyber attacks on several energy firms in the UK last year. The hacker group, known variously as DragonFly, Energetic Bear, Crouching Yeti, DYMALLOY, and Group 24, is considered to be close to the Russian government and carries out its missions at the government's direction.
While the hacker group has been active since 2014, it is now viewed as a major threat in the UK because of its involvement in recent cyber attacks on “energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” in the country.
Attacks on the UK's critical infrastructure industries
According to researchers at Cylance, the Russian hacker group compromised and exploited "an end-of-life Cisco Infrastructure Router belonging to a large state-owned Vietnamese energy conglomerate" to launch phishing attacks on targeted energy sector organizations in the UK. The attacks were launched via phishing emails that purportedly contained the curriculum vitae of one "Jacob Morrison."
Once an employee opened the attachment, it would fetch a remote template and attempt to automatically authenticate to a malicious SMB server, handing over the victim's encrypted user credentials in the process. The researchers added that the hackers referenced the malicious URLs by an ID which could easily be modified to evade limited antivirus detections, and which had previously been linked to a GitHub project outlining a phishing attack.
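The remote-template trick described above leaves a trace in the document package itself: an "attached template" relationship whose target is a UNC path or URL rather than a file inside the archive. The following detector is an added example and not code from Cylance or the original article; the filenames it inspects follow the Office Open XML layout, and the UNC host used for the sample is a constructed placeholder.

```python
# Added example: flag Office documents whose attachedTemplate relationship
# points outside the package (UNC path or URL). Such a target makes Word fetch
# the template on open and, for a UNC path, authenticate to the remote host.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
# Targets that leave the package: UNC (\\host or //host), http(s) or file URLs.
REMOTE_RE = re.compile(r"^(\\\\|//|https?://|file://)", re.IGNORECASE)


def remote_template_targets(docx_bytes: bytes) -> list[str]:
    """Return every attachedTemplate target that resolves to a remote location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for rels_name in ("word/_rels/settings.xml.rels",
                          "word/_rels/document.xml.rels"):
            if rels_name not in names:
                continue
            root = ET.fromstring(zf.read(rels_name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rel.get("Type") == TEMPLATE_TYPE and (external or REMOTE_RE.match(target)):
                    findings.append(target)
    return findings


def build_sample_docx(template_target: str) -> bytes:
    """Constructed test fixture: a minimal package whose settings.xml.rels
    carries the given template target (not a complete, openable document)."""
    mode = ' TargetMode="External"' if REMOTE_RE.match(template_target) else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
            f'Target="{template_target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder UNC host from the documentation range; not a real server.
    print(remote_template_targets(build_sample_docx(r"\\203.0.113.10\share\cv.dotm")))
```

A local template reference such as `template.dotm` produces no finding, so the check can run over a mail gateway's attachment queue without flagging ordinary documents.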
"This is a discovery whose significance far outweighs its size, given that core router compromises are considerably harder to detect, analyze, patch, and remediate than compromises of PCs.
"The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare. That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them," noted Cylance.
"The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated.
"While the end goals of these campaigns can only be speculated upon, their very existence across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely upon their critical services," it added.
Yet another Russian hacking operation
The discovery of last year's phishing attacks on the UK's critical infrastructure firms comes at a time when ties between the UK and Russia are at a historic low because of the alleged use of a banned nerve agent by Russian actors on UK soil. As per reports, the government was so enraged that it was considering launching offensive cyber operations against Russia in response.
The discovery also proves that earlier reports about the threat faced by critical infrastructure firms in the UK were accurate. In February, intelligence provider Anomali released its UK Threat Landscape report, which highlighted the extent to which critical infrastructure organisations in the UK were vulnerable to potent cyber attacks and the existing weaknesses that needed to be plugged if such organisations were to be immune from emerging cyber threats.
“The UK presents a complex cyber risk picture – previous foreign policy commitments and current tensions between NATO and other nation states make it a target for international terror organisations.
"Within the UK, the nature of the economy and industry present a combination of opportunity and risk to those looking to plan a hybrid attack. The network of small and medium enterprises which support Critical National Infrastructure strengthens its resilience, whereas the geographical clustering of industries can weaken the system leaving them vulnerable to attack," said Hugh Njemanze, CEO of Anomali.