Ukraine Alerts Energy Enterprises to Possible Cyberattack Escalation

Cyberattack Warning: The Latest Development as Tensions Between Russia and Ukraine Continue Escalating

A statement from the Ukrainian government issued earlier this week warns energy enterprises inside of Ukraine and those of allies worldwide to increase alert for potential cyberattacks related to current Russia-Ukraine war dynamics. (1) The release also cites possible “DDoS attacks” on Ukraine’s allies, Poland, and unnamed Baltic nations. Further specifics are not mentioned.

This announcement arrives during a time of changing escalation in the Russia-Ukraine war. On Monday, September 26, at least two explosions large enough to be detected by seismometers in Sweden damaged four undersea sections of the Nord Stream pipelines, which are designed to deliver natural gas from Russia to northern Europe. (2, 3, 4) Western governments believe the leaks were caused by deliberate actions to sabotage energy operations. (5) Attribution has not been publicized.

These explosions further exacerbate a tense geopolitical situation. In the last week, Russia announced its largest conscription since the second world war. (6) In addition, Moscow is preparing to annex portions of Ukraine after a referendum held last week which Kyiv and the West say was a sham intended to legitimize Russian occupation of Ukrainian territory. (7) The Nord Stream 1 gas line was shut down by Russia in September. (8) Germany seized further energy assets tied to Russia (9) and Ukraine recaptured some territory. (10)

Recent Cyberattacks on Energy Infrastructure Vary in Severity, but Demonstrate the Vulnerability of Critical Infrastructure Networks Around the World

EclecticIQ analysts analyzed a few recent examples of attacks on critical infrastructure. Motivation is typically disruption or destruction. A broad range of actors and targets exist in this threat landscape. Attacks on water utilities, city police departments, hospitals, and industrial infrastructure show how widespread the threat is. (11, 12, 13, 14) Below are a few examples to provide insight into what future related cyber threats to critical infrastructure of energy enterprises could look like.

Some cyberattacks are aimed at disruption and data theft. Blackcat, a cybercriminal ransomware group, hit Italy’s GSE energy agency last summer, stealing 700 gigabits of data (15). Italian oil company Eni SpA was also the victim of a minor ransomware cyberattack around the same time. (16) The data stolen could be sold and used by other parties for further cyberattacks.

DDoS attacks, mentioned in the alert, are another threat to disruption for energy enterprises and more. Killnet, a pro-Russian hacktivist group, was almost certainly responsible for DDoS attacks on Japanese businesses and public institutions in early September (18), against entities of the Estonian government in August, (19) and against Lithuanian government networks in June (20).

Other attacks, such as those targeting Ukraine, could be more closely linked to broader geopolitical goals. DTEK Group, which owns different power plants in Ukraine, said the goal of one cyberattack back in July was to “destabilize the technological processes of its distribution and generation firms, spread propaganda about the company’s operations, and to leave Ukrainian consumers without electricity”. (17) Technical details into the cyberattack are not publicly available.

Post Exploitation Analysis of Malware and Past Attacks Against Ukraine and Elsewhere

In its warning, the Ukrainian government noted the country’s infrastructure was previously attacked in 2015 and 2016. In those cases, BlackEnergy and GreyEnergy malware relied on phishing to install a Remote Access Trojan on a third-party system, where access and privileges could then be escalated by stealing further credentials. In both malware families, the malware’s main function is to allow further specialized malicious plugins to be uploaded. (21) Some variants used signed certificates to evade internal alarms. Industroyer 2 was also highly configurable like BlackEnergy and GreyEnergy, but was only designed to implement a single protocol, IEC 60870-5-104, implying that it was only capable of targeting very specific devices used in industrial control systems.(22)

Other Related Malware is Designed to be Highly Targeted for Specific Systems

Triton, CaddyWiper and Industroyer 1 malware were all tailored to particular technologies and specific industrial control system protocols to cause physical consequences. (23, 24) All families had file deletion capabilities and variants of Industroyer and CaddyWiper contained wiper-like modules. (25, 26) Neither malware contained persistence TTPs, so further malware modules were used to provide backdoor access. EclecticIQ analysts observed many wiper variants reported targeting Ukraine in 2022. They are likely to remain a prominent threat.

Critical Infrastructure Network Cyberattack Defense Recommendations

Based on recent and historical intelligence EclecticIQ analysts recommend focusing on the following areas to counter cyberattack patterns.

• Increase attention to email. Threat actors are most likely to use phishing for delivery of an initial payload using attachments, malicious HTML or JavaScript. (21)
• Increase user account logging and monitoring. Alert to logins from unknown IP addresses. Password stealers may also allow initial network compromise through valid account credentials. (22, 23)
• Scan for and review any systems considered part of the Internet of Things (IoT). Increasing rates of vulnerabilities being disclosed in these devices may provide pivot point for threat actors into more secure network systems. (24)
• Increase awareness of ancillary systems that may be attached to the network. 42% of cyberattacks targeting operational technology early in 2022 related to building automation infrastructure of critical infrastructure enterprises as an initial point of compromise. (27, 30)
• Review network traffic at a regular cadence. Almost all related cyberattacks reviewed involved moderate to extensive reconnaissance in the form of fingerprinting and scanning. Internal network defenses should be tuned to alert to similar activity.(28, 29)

About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.

You might also be interested in:

Network Environment-Focused Conversations Needed in Approaches to Cyber Security

Emotet Downloader Document Uses Regsvr32 for Execution

AI Facial Recognition Used in Ukraine/Russia War Prone to Vulnerabilities

Appendix

1. https://gur.gov.ua/content/okupanty-hotuiut-masovani-kiberataky-na-ob-iekty-krytychnoi-infrastruktury-ukrainy-ta-ii-soiuznykiv.html
2. https://www.npr.org/2022/09/27/1125401980/nord-stream-leaks-explosions-russia-natural-gas-sabotage
3. https://www.svt.se/nyheter/inrikes/svt-avslojar-tva-explosioner-intill-nord-stream
4. https://www.theguardian.com/business/2022/sep/27/nord-stream-1-2-pipelines-leak-baltic-sabotage-fears
5. https://www.aljazeera.com/news/2022/9/27/sweden-issues-warning-of-two-gas-leaks-on-nord-stream-1-pipeline
6. https://www.theguardian.com/world/2022/sep/27/we-want-to-run-russian-men-fleeing-conscription
7. https://www.reuters.com/world/ukraine-annexation-votes-end-amid-russian-mobilisation-exodus-2022-09-26/https://www.reuters.com/world/ukraine-annexation-votes-end-amid-russian-mobilisation-exodus-2022-09-26/?utm_source=Sailthru&utm_medium=newsletter&utm_campaign=daily-briefing&utm_term=09-28-2022
8. https://www.theguardian.com/business/2022/sep/02/nord-stream-1-gazprom-announces-indefinite-shutdown-of-pipeline
9. https://www.economist.com/business/2022/09/22/germanys-government-seizes-russian-energy-assets 
10. https://apnews.com/article/russia-ukraine-kyiv-kharkiv-a691ab16016aab01cedb68ea5e247b37/
11. https://www.industrialdefender.com/blog/florida-water-treatment-plant-cyber-attack
12. https://www.nytimes.com/2021/04/27/us/dc-police-hack.html
13. https://krebsonsecurity.com/2021/12/inside-irelands-public-healthcare-ransomware-scare
14. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
15. https://www.bloomberg.com/news/articles/2022-09-02/suspected-russian-ransomware-group-hacks-italian-energy-agency
16. https://www.bloomberg.com/news/articles/2022-08-31/hackers-hit-italian-oil-giant-eni-s-internal-computer-network
17. https://edition.cnn.com/2022/07/01/politics/russia-ukraine-dtek-hack/index.html
18. https://www.theguardian.com/world/2022/aug/16/estonia-removes-soviet-era-tank-monument-amid-russia-tensions-narva
19. https://lrv.lt/en/news/intense-ddos-attacks-targeted-several-companies-and-institutions-in-lithuania
20. https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
21. https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
22. https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
23. https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
24. https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-206-01/
25. https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded
26. https://ics-cert.kaspersky.com/publications/reports/2022/09/08/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2022/
27. https://thecyberexpress.com/erbium-password-stealing-malware-emerges
28. https://thecyberexpress.com/emotet-botnet-now-deploys-quantum-and-blackcat-ransomware
29. https://claroty.com/resources/reports/2h-2021#download-modal