Kremlin-backed hackers targeted 'major' oil refinery in NATO country

Fawley Oil Refinery on a beautiful day. Getty Images

One of the most active Kremlin hacking groups targeting Ukraine recently tried to hack into a major oil refining company located in a NATO country. The attack is a sign that the group is expanding its intelligence gathering as Russia's invasion of its neighboring country continues.

The hacking attempt took place on August 30 and failed, Palo Alto Networks Unit 42 researchers said Tuesday. The hacking group, tracked under various names including Trident Ursa, Gamaredon, UAC-0010, Primitive Bear, and Shuckworm, has been attributed by the Ukrainian Security Service to the Russian Federal Security Service.

Targeting the energy sector

Over the past 10 months, Unit 42 has mapped over 500 new domains and 200 samples and other breadcrumbs left behind by Trident Ursa in spear-phishing campaigns aimed at infecting targets with information-stealing malware. The group mainly uses decoy emails in Ukrainian. More recently, however, some samples show that the group has also started using English decoys.

"We believe these samples indicate that Trident Ursa is attempting to bolster its intelligence gathering and network access against Ukrainian and NATO allies," the company researchers wrote.

Among the filenames used in the unsuccessful attack were: MilitaryassistanceofUkraine.htm, Necessary_military_assistance.rar and List of requirements for the provision of military Humanitarian assistance to Ukraine.lnk.

Tuesday's report did not name the oil company targeted or the country where the facility was located. In recent months, Western-aligned officials have issued warnings that the Kremlin has set its sights on energy companies in countries opposed to Russia's war on Ukraine.

Last week, for example, the National Security Agency's director of cybersecurity, Rob Joyce, said he was concerned about major cyberattacks from Russia, particularly on the global energy sector, according to CyberScoop.

"I wouldn't encourage anyone to be complacent or not care about threats to the energy sector globally," Joyce said, according to CyberScoop. "As the war [in Ukraine] progresses, there are certainly opportunities to increase the pressure on Russia at the tactical level, which will cause them to reassess, to try different strategies to get out of it."

The NSA's Year in Review noted that Russia has unleashed at least seven separate wiper malware strains designed to permanently destroy data. One of these wipers destroyed thousands of satellite modems used by customers of the communications company Viasat. Among the damaged modems were tens of thousands of terminals outside Ukraine that support wind turbines and provide internet services to individuals.

Ten days ago, Norwegian Prime Minister Jonas Gahr Støre warned that Russia posed a "real and serious threat...to the oil and gas industry" in Western Europe as the country tries to break the will of Ukraine's allies.

Trident Ursa's hacking techniques are simple yet effective. The group uses several means to hide the IP addresses and other signatures of its infrastructure, phishing documents with low detection rates among anti-phishing services, and malicious HTML and Word documents.
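The lure file types named earlier in the article (an .htm attachment, and a .rar archive wrapping a .lnk shortcut) map directly onto a mail-gateway triage rule: shortcuts and HTML attachments are flagged wherever they appear, including inside archives. The Python below is an added example, not code from the article or from Unit 42. The `Attachment` and `Finding` classes, the severity scheme, and the assumption that the gateway supplies each archive's member list are all assumptions; the sample list is constructed, and only the three file names come from the report (the .zip, .7z and .hta extensions go beyond what the report lists).

```python
"""Attachment-name triage for the lure file types described in the Unit 42 report.

Added example; not code from the article or from Unit 42. It assumes a mail
gateway that hands us each attachment's name and, for archives, the names of
the members it found inside (the archive-listing step is treated as input).
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field

# Extension classes. .lnk and .htm are the lure types the report names; an
# archive matters because it is what wraps the .lnk. .hta, .zip and .7z are
# assumptions added here beyond the report's own list.
SHORTCUT_EXTS = {".lnk"}
HTML_EXTS = {".htm", ".html", ".hta"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}

SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Attachment:
    name: str
    members: list[str] = field(default_factory=list)  # archive contents, if any


@dataclass
class Finding:
    attachment: str
    severity: str
    reason: str


def _ext(name: str) -> str:
    # Final extension, lower-cased, so "Report.PDF.LNK" still classifies as a
    # shortcut and names with spaces are handled as-is.
    return posixpath.splitext(name.strip().lower())[1]


def classify(name: str) -> str:
    """Map a file name to shortcut / html / archive / other."""
    ext = _ext(name)
    if ext in SHORTCUT_EXTS:
        return "shortcut"
    if ext in HTML_EXTS:
        return "html"
    if ext in ARCHIVE_EXTS:
        return "archive"
    return "other"


def triage(attachments: list[Attachment]) -> list[Finding]:
    """Produce one finding per attachment that matches a lure file type.

    Shortcuts are high severity (they launch a command when opened), HTML is
    medium (script runs in the recipient's browser), and an archive with no
    risky members is logged as low so the pattern is still visible in review.
    """
    findings: list[Finding] = []
    for att in attachments:
        kind = classify(att.name)
        if kind == "archive":
            risky = [m for m in att.members if classify(m) in ("shortcut", "html")]
            if risky:
                sev = "high" if any(classify(m) == "shortcut" for m in risky) else "medium"
                findings.append(Finding(att.name, sev, "archive contains " + ", ".join(risky)))
            else:
                findings.append(Finding(att.name, "low", "archive attachment; no risky members"))
        elif kind == "shortcut":
            findings.append(Finding(att.name, "high", "Windows shortcut can launch a command on open"))
        elif kind == "html":
            findings.append(Finding(att.name, "medium", "HTML attachment can run script when opened"))
    return findings


def worst_severity(findings: list[Finding]) -> str | None:
    """Highest severity among the findings, or None if there are none."""
    if not findings:
        return None
    return max(findings, key=lambda f: SEVERITY_ORDER[f.severity]).severity


# Constructed sample message. The first three file names are the ones the
# report lists; the rest are benign fillers invented for the example.
SAMPLE_ATTACHMENTS = [
    Attachment("MilitaryassistanceofUkraine.htm"),
    Attachment(
        "Necessary_military_assistance.rar",
        members=["List of requirements for the provision of military Humanitarian assistance to Ukraine.lnk"],
    ),
    Attachment("quarterly_report.pdf"),
    Attachment("photos.zip", members=["IMG_001.jpg", "IMG_002.jpg"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ATTACHMENTS):
        print(f"{f.severity:<6} {f.attachment}: {f.reason}")
    print("worst:", worst_severity(triage(SAMPLE_ATTACHMENTS)))
```

Run against the sample, the .htm is flagged medium, the .rar is flagged high because of the .lnk inside it, the .pdf produces no finding, and the photo archive is logged as low. The name-based check is deliberately cheap so it can sit in front of heavier content inspection; it does not replace inspecting the shortcut's target or the HTML's script.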

The Unit 42 researchers wrote:

Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts, as well as a significant amount of obfuscation, as well as routine phishing attempts to execute their operations successfully.


The operations of this group are regularly spotted by researchers and government organizations, yet they...

