Russian Employees Hacking Critical Infrastructure

The Department of Justice has unsealed indictments against several Russian nationals accused of being the brains behind the ongoing hacks that have targeted critical U.S. infrastructure and organisations around the world. The accused are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov, said to belong to a Russian intelligence unit that the security community has tracked under several names: "Dragonfly", "Berserk Bear", "Energetic Bear" and "Crouching Yeti". The unit is regarded as a successor to the defunct KGB; it belongs to Center 16, which is part of the Russian Federal Security Service, commonly known as the FSB.

The operation is said to have taken place in two stages. In the first, the accused deployed a custom malware implant known in the cybersecurity community as "Havex", which infected a tremendous number of companies in the energy sector worldwide. The second stage targeted companies in the same sector, along with the personnel and engineers who worked with Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Taken together, the two stages could have had a serious and damaging effect on the energy sector across the world.

The two phases spanned a long period. The first was carried out between at least 2012 and 2014 and resulted in the Havex malware being downloaded onto tens of thousands of devices in the United States. An FBI investigator on the case found that the group used multiple techniques to distribute the malware and get it downloaded across the United States, while at the same time using detailed research and targeted techniques to reach particular organisations and individuals.

One of the main methods the Russians used to deliver Havex involved compromising an organisation that produces the equipment and software used in ICS and SCADA systems. These are the control and safety mechanisms generally deployed in energy production facilities and other operational environments, and, as one would expect, they are closed systems for safety reasons. Having gained access to the network of one of the companies that supplied a component of these systems, the accused placed their malware inside the software updates that the company distributed for its software. This technique is known as a supply chain attack.
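The supply chain attack just described works because the customer installs whatever the vendor's update channel delivers. The example below is an addition to this article, not code from the article or from any vendor it mentions; it shows the check a defender-side update client can run before installing anything, under the hypothetical assumption that the vendor signs a manifest of file digests with an Ed25519 key kept offline and that the client ships with only the public key pinned. The file names, file contents and version number are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in a software update with its SHA-256 digest.
// The vendor signs the manifest offline; the client pins only the public key.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // file name -> hex SHA-256
}

// BuildManifest is the hypothetical vendor-side step that hashes each release file.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: make(map[string]string, len(files))}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest produces a detached Ed25519 signature over the JSON-encoded manifest.
// encoding/json writes map keys in sorted order, so signer and verifier hash the same bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// VerifyUpdate is the client-side gate that runs before anything is installed:
// first the manifest signature, then the digest of every delivered file.
// A download server that serves altered files or an altered manifest fails here
// unless the attacker also holds the vendor's signing key.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	b, err := json.Marshal(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sig) {
		return errors.New("manifest signature invalid: manifest altered or not signed by the pinned key")
	}
	if len(files) != len(m.Files) {
		return fmt.Errorf("update has %d files, manifest lists %d", len(files), len(m.Files))
	}
	for name, data := range files {
		want, ok := m.Files[name]
		if !ok {
			return fmt.Errorf("file %q is not listed in the manifest", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("digest mismatch for %q: file modified after signing", name)
		}
	}
	return nil
}

// Demo walks through a genuine release and two tampering attempts. The key pair is
// generated on the fly only for the demonstration; a real vendor key lives offline.
// It reports whether the genuine update verified and whether both tampered variants were rejected.
func Demo() (genuineOK bool, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}

	// Constructed release contents standing in for a vendor's ICS client update.
	release := map[string][]byte{
		"icsclient-setup.exe": []byte("constructed: benign installer bytes"),
		"drivers.dll":         []byte("constructed: benign driver bytes"),
	}
	manifest := BuildManifest("4.2.0", release)
	sig, err := SignManifest(priv, manifest)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyUpdate(pub, manifest, sig, release) == nil

	// Tampering 1: the installer on the download server is modified, manifest untouched.
	modified := map[string][]byte{
		"icsclient-setup.exe": []byte("constructed: benign installer bytes + injected payload"),
		"drivers.dll":         release["drivers.dll"],
	}
	errFile := VerifyUpdate(pub, manifest, sig, modified)

	// Tampering 2: the attacker also rewrites the manifest to match the modified file,
	// but cannot produce a valid signature without the vendor's private key.
	forged := BuildManifest("4.2.0", modified)
	errManifest := VerifyUpdate(pub, forged, sig, modified)

	tamperedRejected = errFile != nil && errManifest != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine update verified: %v\ntampered updates rejected: %v\n", ok, rejected)
}
```

The check defeats an attacker who controls only the download server or the update files, which is the scenario the article describes; it does not help if the attacker has reached the build pipeline or the signing key itself, so the signing key has to stay off the distribution infrastructure, and the client must refuse to install on any verification error rather than fall back to an unsigned path.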

Beyond its delivery method, an analyst noted that the malware could be used for numerous other purposes, including harvesting credentials and scanning for human-machine interfaces, that is, the means by which an operator gives a system instructions on what to do. Where such an interface is connected to a network, a third party can remotely send instructions to a critical system, which shows how dangerous the malware is. In 2014 the malware was exposed, and the group stopped using it and began looking for other means.

The next phase of the attack was also aimed at energy sector companies; one example was an intrusion at a power plant in Kansas in 2017. The business network involved was not connected to any of the ICS/SCADA systems, and during the investigation the authorities said they found no evidence that the suspects obtained any data of intelligence value. Rather, the evidence suggests that the main goal of the hack was to gain and maintain access, rather than to retrieve information, access which could later have given them the ability to damage the energy grid or other important operations in the United States.

The 2017 intrusion in Kansas was only part of a larger campaign. On closer examination of the findings, investigators discovered that this was not a single attack but one with a broader objective: the global energy sector. It is believed that 3,300 individuals were targeted through a long, thorough and painstaking spear-phishing campaign. In this stage, the group is also alleged to have breached the network of a U.S. construction company, which allowed it to send legitimate-looking emails carrying the CV of an individual with industry-specific skills; the document contained malware that was downloaded along with it.

They also gained unauthorised access to numerous websites, including those hosting industry publications read by engineers in the energy sector, turning these sites into a channel for delivering the malware to their visitors. It was in 2017 that investigators began to trace the group's activity back to the period when it first used the Havex malware, which showed the Russian government's determination to gain access to critical infrastructure in the United States. The group has continued to evolve, and as it does so it is able to enter these systems without being detected, which makes it even harder to deal with, because it offers a more clandestine way to maintain long-term access that can be used whenever it is needed.

This underscores the importance of law enforcement action: by publishing the names and faces of those involved, their ability to travel is limited, their value to the intelligence community is reduced, and so is their ability to find work with a private firm. Such actions may also serve as a deterrent to other Russians with advanced cyber skills, encouraging them to follow a more respectable career path rather than take on activities that would drastically limit their future employment opportunities.

This action should also put more pressure on nation-states and the cyber criminal activity they support, especially as this attempt to sabotage the energy sector worldwide shows the Russians' willingness to carry out primarily disruptive and destabilising operations even in peacetime. It is also a reminder to every organisation that cyber security is not something to be toyed with; it should be given the highest priority, and that applies even to organisations that do not handle sensitive or classified information, because either way they may provide an entry point to larger, more critical targets. This places cyber security at the heart of any nation's security.
