EclecticIQ

Ukraine Alerts Energy Enterprises to Possible Cyberattack Escalation

EclecticIQ Threat Research Team, September 29, 2022


Cyberattack Warning: The Latest Development as Tensions Between Russia and Ukraine Continue Escalating

A statement issued by the Ukrainian government earlier this week warns energy enterprises inside Ukraine, and those of its allies worldwide, to heighten their alert level for potential cyberattacks tied to the current dynamics of the Russia-Ukraine war. (1) The release also cites possible “DDoS attacks” on Ukraine’s allies, Poland, and unnamed Baltic nations. Further specifics are not mentioned.

This announcement arrives during a period of escalation in the Russia-Ukraine war. On Monday, September 26, at least two explosions large enough to be detected by seismometers in Sweden damaged four undersea sections of the Nord Stream pipelines, which are designed to deliver natural gas from Russia to northern Europe. (2, 3, 4) Western governments believe the leaks were caused by deliberate actions to sabotage energy operations. (5) Attribution has not been publicized.

These explosions further exacerbate a tense geopolitical situation. In the last week, Russia announced its largest conscription since the Second World War. (6) In addition, Moscow is preparing to annex portions of Ukraine after a referendum held last week, which Kyiv and the West say was a sham intended to legitimize Russian occupation of Ukrainian territory. (7) The Nord Stream 1 gas line was shut down by Russia in September. (8) Germany seized further energy assets tied to Russia, (9) and Ukraine recaptured some territory. (10)

Recent Cyberattacks on Energy Infrastructure Vary in Severity, but Demonstrate the Vulnerability of Critical Infrastructure Networks Around the World

EclecticIQ analysts reviewed a few recent examples of attacks on critical infrastructure. The motivation is typically disruption or destruction, and the threat landscape spans a broad range of actors and targets. Attacks on water utilities, city police departments, hospitals, and industrial infrastructure show how widespread the threat is. (11, 12, 13, 14) Below are a few examples that provide insight into what future cyber threats to the critical infrastructure of energy enterprises could look like.

Some cyberattacks are aimed at disruption and data theft. Blackcat, a cybercriminal ransomware group, hit Italy’s GSE energy agency last summer, stealing 700 gigabits of data. (15) Italian oil company Eni SpA was also the victim of a minor ransomware cyberattack around the same time. (16) The stolen data could be sold and used by other parties for further cyberattacks.

DDoS attacks, mentioned in the alert, are another disruptive threat to energy enterprises and others. Killnet, a pro-Russian hacktivist group, was almost certainly responsible for DDoS attacks on Japanese businesses and public institutions in early September (18), against entities of the Estonian government in August (19), and against Lithuanian government networks in June (20).

Other attacks, such as those targeting Ukraine, could be more closely linked to broader geopolitical goals. DTEK Group, which owns a number of power plants in Ukraine, said the goal of one cyberattack back in July was to “destabilize the technological processes of its distribution and generation firms, spread propaganda about the company’s operations, and to leave Ukrainian consumers without electricity”. (17) Technical details of the cyberattack are not publicly available.

Post Exploitation Analysis of Malware and Past Attacks Against Ukraine and Elsewhere

In its warning, the Ukrainian government noted that the country’s infrastructure was previously attacked in 2015 and 2016. In those cases, the BlackEnergy and GreyEnergy malware relied on phishing to install a Remote Access Trojan on a third-party system, from which access and privileges could then be escalated by stealing further credentials. In both malware families, the malware’s main function is to allow further specialized malicious plugins to be uploaded. (21) Some variants used signed certificates to evade internal alarms. Industroyer 2 was also highly configurable, like BlackEnergy and GreyEnergy, but was designed to implement only a single protocol, IEC 60870-5-104, implying that it was only capable of targeting very specific devices used in industrial control systems. (22)

Other Related Malware is Designed to be Highly Targeted for Specific Systems

Triton, CaddyWiper and Industroyer 1 were all tailored to particular technologies and specific industrial control system protocols in order to cause physical consequences. (23, 24) All three families had file deletion capabilities, and variants of Industroyer and CaddyWiper contained wiper-like modules. (25, 26) Neither of those two families contained persistence TTPs, so further malware modules were used to provide backdoor access. EclecticIQ analysts observed many wiper variants reported targeting Ukraine in 2022; they are likely to remain a prominent threat.

Critical Infrastructure Network Cyberattack Defense Recommendations

Based on recent and historical intelligence, EclecticIQ analysts recommend focusing on the following areas to counter observed cyberattack patterns.

  • Increase attention to email. Threat actors are most likely to use phishing to deliver an initial payload via attachments, malicious HTML or JavaScript. (21)
  • Increase user account logging and monitoring. Alert on logins from unknown IP addresses. Password stealers may also enable initial network compromise through valid account credentials. (22, 23)
  • Scan for and review any systems considered part of the Internet of Things (IoT). The increasing rate of vulnerabilities disclosed in these devices may provide a pivot point for threat actors into more secure network systems. (24)
  • Increase awareness of ancillary systems that may be attached to the network. 42% of cyberattacks targeting operational technology early in 2022 used the building automation infrastructure of critical infrastructure enterprises as an initial point of compromise. (27, 30)
  • Review network traffic at a regular cadence. Almost all related cyberattacks reviewed involved moderate to extensive reconnaissance in the form of fingerprinting and scanning. Internal network defenses should be tuned to alert on similar activity. (28, 29)
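Two of the recommendations above, alerting on logins from unknown IP addresses and alerting on scanning-style reconnaissance, as an added Python example that is not part of the EclecticIQ post. The log formats, the allow-list and the thresholds are constructed assumptions; in practice they would be read from the authentication and network flow sources of the environment being defended.

```python
from collections import defaultdict

# Assumed allow-list and thresholds (constructed for this example; tune per environment).
KNOWN_LOGIN_IPS = {"10.0.0.5", "10.0.0.9"}
SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 60   # ... seen within this many seconds

# Constructed authentication events: "<epoch> <user> <source_ip> <result>".
AUTH_LOG = """\
1664400000 alice 10.0.0.5 success
1664400010 bob 10.0.0.9 success
1664400020 alice 203.0.113.7 success
1664400030 svc_backup 198.51.100.2 failure
"""

# Constructed connection records: "<epoch> <src_ip> <dst_ip> <dst_port>". One source
# sweeps common IT and ICS ports (502 Modbus, 2404 IEC 60870-5-104) within ten seconds;
# a second host only talks HTTPS to the same destination.
SCAN_PORTS = [21, 22, 23, 80, 102, 443, 502, 2404, 20000, 44818]
CONN_LOG = "\n".join(
    [f"{1664400100 + i} 203.0.113.7 10.0.1.20 {p}" for i, p in enumerate(SCAN_PORTS)]
    + ["1664400100 10.0.0.5 10.0.1.20 443", "1664400500 10.0.0.5 10.0.1.20 443"]
)


def unknown_ip_logins(log: str, known: set) -> list:
    """Return (user, ip) pairs for successful logins from IPs outside the allow-list."""
    hits = []
    for line in log.splitlines():
        _ts, user, ip, result = line.split()
        if result == "success" and ip not in known:   # failures are noise here
            hits.append((user, ip))
    return hits


def detect_port_scans(log: str, threshold: int, window: int) -> list:
    """Return source IPs that touched >= threshold distinct ports within window seconds."""
    events = defaultdict(list)                        # src_ip -> [(ts, dst_port)]
    for line in log.splitlines():
        ts, src, _dst, port = line.split()
        events[src].append((int(ts), int(port)))
    scanners = []
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):             # slide a window from each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                scanners.append(src)
                break
    return sorted(scanners)
```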

About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.


Appendix

  1. https://gur.gov.ua/content/okupanty-hotuiut-masovani-kiberataky-na-ob-iekty-krytychnoi-infrastruktury-ukrainy-ta-ii-soiuznykiv.html
  2. https://www.npr.org/2022/09/27/1125401980/nord-stream-leaks-explosions-russia-natural-gas-sabotage
  3. https://www.svt.se/nyheter/inrikes/svt-avslojar-tva-explosioner-intill-nord-stream
  4. https://www.theguardian.com/business/2022/sep/27/nord-stream-1-2-pipelines-leak-baltic-sabotage-fears
  5. https://www.aljazeera.com/news/2022/9/27/sweden-issues-warning-of-two-gas-leaks-on-nord-stream-1-pipeline
  6. https://www.theguardian.com/world/2022/sep/27/we-want-to-run-russian-men-fleeing-conscription
  7. https://www.reuters.com/world/ukraine-annexation-votes-end-amid-russian-mobilisation-exodus-2022-09-26/
  8. https://www.theguardian.com/business/2022/sep/02/nord-stream-1-gazprom-announces-indefinite-shutdown-of-pipeline
  9. https://www.economist.com/business/2022/09/22/germanys-government-seizes-russian-energy-assets
  10. https://apnews.com/article/russia-ukraine-kyiv-kharkiv-a691ab16016aab01cedb68ea5e247b37/
  11. https://www.industrialdefender.com/blog/florida-water-treatment-plant-cyber-attack
  12. https://www.nytimes.com/2021/04/27/us/dc-police-hack.html
  13. https://krebsonsecurity.com/2021/12/inside-irelands-public-healthcare-ransomware-scare
  14. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
  15. https://www.bloomberg.com/news/articles/2022-09-02/suspected-russian-ransomware-group-hacks-italian-energy-agency
  16. https://www.bloomberg.com/news/articles/2022-08-31/hackers-hit-italian-oil-giant-eni-s-internal-computer-network
  17. https://edition.cnn.com/2022/07/01/politics/russia-ukraine-dtek-hack/index.html
  18. https://www.theguardian.com/world/2022/aug/16/estonia-removes-soviet-era-tank-monument-amid-russia-tensions-narva
  19. https://lrv.lt/en/news/intense-ddos-attacks-targeted-several-companies-and-institutions-in-lithuania
  20. https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
  21. https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
  22. https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
  23. https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
  24. https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-206-01/
  25. https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded
  26. https://ics-cert.kaspersky.com/publications/reports/2022/09/08/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2022/
  27. https://thecyberexpress.com/erbium-password-stealing-malware-emerges
  28. https://thecyberexpress.com/emotet-botnet-now-deploys-quantum-and-blackcat-ransomware
  29. https://claroty.com/resources/reports/2h-2021#download-modal
