The PolySwarm Blog


2023 Recap - Cyber Threats to the Energy Vertical

Jan 2, 2024 11:43:43 AM / by The Hivemind

Cyber Threats

Executive Summary

Cyber threats pose a significant risk to the energy vertical, which encompasses various sectors such as oil, gas, electricity, renewable energy, utilities, and related critical infrastructure entities. PolySwarm has been tracking cyber activity targeting the energy vertical in 2023. In this report, we provide highlights of this year’s threat actors and cyber attacks known to target the energy sector.

Key Takeaways

  • Cyber threats pose a significant risk to the energy vertical, which encompasses various sectors such as oil, gas, electricity, renewable energy, utilities, and related critical infrastructure entities.
  • In this report, we provide highlights of this year’s threat actors and cyber attacks known to target the energy sector.
  • State-sponsored and espionage-focused threat actors targeting the energy vertical included YoroTrooper, VooDoo Bear, Bitter APT, Charming Kitten, Volt Typhoon, Earth Yako, and RedStinger.
  • Cybercrime and ransomware entities targeting the energy vertical included Cl0p, BlackBasta, ALPHV, LockBit, Prophet Spider, Rhysida, and Cuba Ransomware.

State-Sponsored and Espionage Activity

The energy sector has always been a target for state-sponsored threat actors and espionage activity. Ever since the Stuxnet and Night Dragon attacks that targeted energy sector entities as early as 2005 and 2006, the vertical has remained a target for sabotage and espionage.

YoroTrooper

YoroTrooper was observed targeting the energy sector and government entities earlier this year. The group has been active since at least mid-2022. YoroTrooper uses phishing emails with an archive attachment as an initial attack vector. Industry researchers have recently linked YoroTrooper’s activity to Kazakhstan.


VooDoo Bear

In May, the Russia-nexus threat actor group VooDoo Bear targeted Danish critical infrastructure. At least 22 key energy sector companies were targeted in the attacks. The threat actors used a combination of zero-day exploits, spearphishing, and social engineering to obtain access to the networks. The threat actors may have also used a supply chain attack to target these entities. One of the vulnerabilities leveraged in the attack was CVE-2023-28771, a critical vulnerability in Zyxel products.


Bitter APT

Earlier this year, Bitter APT was observed targeting nuclear energy entities in China. Bitter APT is a threat actor group thought to operate out of South Asia. The group primarily engages in espionage campaigns. The threat actors engaged targets with a phishing campaign, with lures pretending to be from the Embassy of Kyrgyzstan in Beijing. In the campaign, the threat actors used multiple malicious payloads, which were compressed into RAR files. The payloads were intended to maintain persistence in the victim network and download additional malware payloads.


Charming Kitten

Charming Kitten, also known as Phosphorus, APT35, Mint Sandstorm, Ajax Security, and NewsBeef, is an Iran-nexus threat actor group active since at least 2014. The group is thought to operate on behalf of the Iranian government, with ties to the Iranian Revolutionary Guard Corps. Earlier this year, they were observed targeting US critical infrastructure, leveraging CVE-2022-47966 and CVE-2022-47986 shortly after the PoCs were made publicly available. After obtaining access to a victim network, the threat actors deployed a custom PowerShell script to use in the discovery process. If the victim did not meet targeting requirements or was not deemed of high enough value, the threat actors seemed to halt further action.


Volt Typhoon

Volt Typhoon, also known as Bronze Silhouette, is an espionage-focused China-nexus state-sponsored threat actor group. The group has been active since at least 2021. Earlier this year, Volt Typhoon was observed targeting US critical infrastructure entities. The targets were located in the mainland US as well as Guam. CISA issued an alert related to this activity.


Earth Yako

Earlier this year, Earth Yako reportedly targeted researchers at academic institutions and think tanks in Japan. While the group did not directly target the energy sector, based on their targeting, it appears their areas of interest revolve around economic security as well as the energy sector. The threat actors used spearphishing for initial access and leveraged multiple tools in the campaign, including MirrorKey, TransBox, PlugBox, Dulload, PULink, and ShellBox.


RedStinger

RedStinger, also known as Bad Magic, is a relatively unknown threat actor group that targets entities in Ukraine. They have been active since at least 2020. The group seems to conduct espionage campaigns. They were observed in ongoing campaigns targeting multiple entities in Ukraine, including those in the defense, transportation, and critical infrastructure verticals.


Cybercrime and Ransomware

In 2023, industry researchers reported on the rise of ransomware attacks targeting energy sector entities, including those in the nuclear and oil & gas subsectors. These ransomware attacks have impacted energy sector entities in North America, Asia, and the EU. This follows the trend of ransomware operators such as ALPHV, Medusa, and LockBit chasing increasingly higher ransoms from higher-profile targets.


Cl0p

Cl0p, the notorious ransomware group, targeted several energy sector entities in 2023 using the MOVEit vulnerability. Shell, Siemens Energy, and Schneider Electric, as well as two US Department of Energy entities, were targeted using the MOVEit zero-day.


BlackBasta

BlackBasta ransomware was first identified in April 2022. Based on compile dates, the ransomware may have been active as early as February 2022. Earlier this month, Navitas Petroleum was reportedly the victim of a BlackBasta ransomware attack.


ALPHV

ALPHV is a financially motivated threat actor group known for ransomware operations. Industry researchers have speculated the group’s members are likely based in the UK or Europe. The group is known for multiple ransomware variants with similar code, including ALPHV, BlackCat, Sphynx, and Noberus. In 2023, they reportedly hacked multiple energy vertical entities including Mammoth Energy, Creos Luxembourg, and Encino Energy.


LockBit

LockBit is a ransomware-as-a-service (RaaS) operation. LockBit was one of the most prolific ransomware groups of 2022 and has been active since at least 2019. The threat actors behind LockBit often use a double extortion model, threatening to leak stolen files if the ransom is not paid within the specified time. In 2023, LockBit hacked multiple energy sector entities including Gran Tierra Energy and Montreal’s CSEM.


SpyNote

In July, industry researchers reported on a campaign leveraging SpyNote to target utility company customers in Japan. SpyNote is a remotely controlled Android spyware. The utility-focused campaign leveraged SMS message alerts masquerading as official alerts from a power or water infrastructure company. SpyNote’s capabilities include stealing device and user information, such as contacts, SMS messages, 2FA codes, phone calls, social media account information, and location data.


Prophet Spider

Prophet Spider, also known as Golden Melody and UNC961, is a financially motivated threat actor that was outed as an initial access broker. Initial access brokers sell access to compromised networks to allow other threat actors to conduct follow-on attacks. Prophet Spider has been active since at least 2017 and is known to exploit vulnerabilities in unpatched internet-facing servers. Prophet Spider’s targeting has included entities in the retail, healthcare, energy, financial, and technology verticals in North America, Europe, and Western Asia.


Rhysida

Rhysida ransomware has been active since at least May 2023 and operates as ransomware-as-a-service (RaaS). The Rhysida ransom note uses a unique approach. Rather than directly demanding a ransom payment, the note appears to be an alert from the Rhysida “cybersecurity team” warning victims that their system has been compromised and their files are encrypted. As a solution, the victim must pay for a “unique key” to use to decrypt the files. In November, they claimed to have hacked the Chinese state-owned energy company China Energy Engineering.


DroxiDat

In August, an African energy sector entity was targeted using DroxiDat, a variant of SystemBC. DroxiDat is more compact than previous SystemBC variants. Much of the functionality has been stripped, making DroxiDat more of a system profiler. The threat actors were also using Cobalt Strike beacons in conjunction with DroxiDat, indicating a high likelihood of planned follow-on attacks.


Cuba Ransomware

Cuba ransomware, also known as COLDDRAW or Fidel, has been active in the wild since at least 2019. Cuba ransomware has not been definitively attributed to a particular threat actor, but industry researchers have noted the high likelihood of it being perpetrated by threat actors who speak Russian, due to Russian language strings in the code. As of late 2022, Cuba had already claimed over 100 victims. The group has continued to be active throughout 2023. In June, they were observed using the Veeam vulnerability (CVE-2023-27532) to target critical infrastructure and IT entities in the US and Latin America.


The Curious Case of CosmicEnergy

CosmicEnergy is a novel malware targeting operational technology (OT) and ICS. CosmicEnergy appears to be of Russian origin but may be a product of a simulated power disruption exercise and not related to a threat actor. Industry researchers said the sample could be associated with Rostelecom-Solar, a Russian cybersecurity company.

In other words, CosmicEnergy may have been built as a red teaming simulation tool rather than a malicious tool for disruption. Regardless of its origin and purpose, CosmicEnergy was clearly intended to be a specialized OT malware and is reminiscent of Industroyer and Industroyer 2.

CosmicEnergy is capable of disrupting power by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs). These units are often used for energy transmission and distribution in Europe, Asia, and the Middle East.

CosmicEnergy consists of two components, Piehop and Lightwork. Piehop is a disruption tool written in Python and packaged with PyInstaller. It can connect to a user-supplied remote SQL server to upload files and issue remote commands to an RTU. Lightwork is a disruption tool written in C++. It uses the IEC-104 protocol to modify the state of RTUs over TCP. Piehop uses Lightwork to issue the IEC-104 commands.
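Detection logic for the protocol traffic described above, as an added example (not PolySwarm's code and not derived from the CosmicEnergy samples): it walks a reassembled IEC-104 TCP payload and flags the control-direction ASDUs that change RTU state, which is the traffic a defender monitoring an OT network segment would want to alert on. The byte stream is constructed; the field layout follows IEC 60870-5-104 (APCI) and IEC 60870-5-101 (ASDU).

```python
import struct

# Process-control type IDs (IEC 60870-5-101, clause 7.2.1.1): the ASDUs that change
# RTU outputs. Monitoring-direction types (1-40) and system commands (100+) are not flagged.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command", 47: "C_RC_NA_1 step",
    48: "C_SE_NA_1 set point (norm.)", 49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single cmd + time", 59: "C_DC_TA_1 double cmd + time",
}

def split_apdus(stream):
    """Yield each APDU body (4 APCI control octets + ASDU) from a 0x68-framed byte stream."""
    i = 0
    while i + 2 <= len(stream):
        if stream[i] != 0x68:
            raise ValueError(f"lost APDU framing at offset {i}")
        length = stream[i + 1]                 # octets following the length octet
        yield stream[i + 2:i + 2 + length]
        i += 2 + length

def control_commands(stream):
    """Return (type_id, name, common_addr, ioa, cot, select, state) per process-control ASDU."""
    hits = []
    for apdu in split_apdus(stream):
        if len(apdu) < 14 or apdu[0] & 0x01:   # bit 0 set => S- or U-format, carries no ASDU
            continue
        asdu = apdu[4:]
        type_id, cot = asdu[0], asdu[2] & 0x3F  # cause of transmission without T/PN bits
        if type_id not in CONTROL_TYPES:
            continue
        common_addr = struct.unpack_from("<H", asdu, 4)[0]
        ioa = int.from_bytes(asdu[6:9], "little")
        select = state = None
        if type_id in (45, 46, 58, 59):        # SCO/DCO octet: state in low bits, S/E in bit 7
            qual = asdu[9]
            select, state = bool(qual & 0x80), qual & (0x01 if type_id in (45, 58) else 0x03)
        hits.append((type_id, CONTROL_TYPES[type_id], common_addr, ioa, cot, select, state))
    return hits

# Constructed sample session (not a real capture): STARTDT act/con, a spontaneous
# M_SP_NA_1 report, then a single command (ON, execute) and a double command (OFF, select).
SAMPLE_STREAM = bytes.fromhex(
    "680407000000 68040B000000 680E00000000 01010300010005000001"
    "680E00000200 2D010600010001000001 680E02000200 2E010600010002000081"
)

if __name__ == "__main__":
    print(control_commands(SAMPLE_STREAM))
```

Only the two command ASDUs are reported; the STARTDT handshake and the monitoring-direction report pass through unflagged, and a cause of transmission of 6 (activation) identifies a live command rather than a confirmation.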

Although CosmicEnergy may be a red team tool used by a Russian security organization, it could potentially be used by threat actors to target energy sector and critical infrastructure entities. Reporting on CosmicEnergy highlights security threats to OT environments, which are insecure by design. Entities leveraging these systems must be diligent in protecting against similar threats.

