The US government has asked critical infrastructure operators to review computer networks to see if they are infected with malicious software from the "Energetic Bear" hacking group, after three industrial control system manufacturers were found to have been penetrated.
The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued the request after researchers with F-Secure and Symantec reported Energetic Bear were likely behind a campaign to infect energy and industrial firms around the world with malicious software known as the Havex Trojan.
Symantec reported that the group had successfully infected three specialist manufacturers of industrial control systems, and spread malware to the systems of the manufacturers' clients through legitimate software updates sent to the users.
Hundreds of US and European energy companies had been affected over the last 18 months, according to Symantec.
ICS-CERT advised critical infrastructure operators to tighten security, and provided them with a list of specific steps to better protect their systems. It also asked them to check whether their systems had been infected.
"ICS-CERT strongly recommends that organisations check their network logs for activity associated with this campaign," DHS said in an alert on its website.
"Any organisation experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes."
The request follows another alert last week on Havex from ICS-CERT, which said it had learned the malicious software was designed to send a map of the network infrastructure back to the hackers' command-and-control server.
F-Secure, Symantec and Homeland Security declined to identify companies whose systems were infected.
Havex is a remote access trojan (RAT) that grants hackers control of an infected machine. While RATs are typically used for espionage, they can be used for other purposes, including downloading other malicious tools onto compromised machines.
F-Secure and Symantec said they believed the malicious software had so far only been used for spying, but that it had the capability to be used for sabotage.
"They are scanning and mapping out industrial control system networks," said F-Secure researcher Sean Sullivan. "They are probably passing on the ones that are of interest to other groups."
The Energetic Bear gang was first identified in January by researchers with cybersecurity firm CrowdStrike, which said the group was linked to the Russian government and was focused on espionage.
Symantec said 1018 organisations across 84 different countries had been hit by the operation, though not all countries were known and some infections might be accidental.
It said the intended targets of the group were in the energy and industrial sectors. Geographically, the most activity was in Spain, followed by the United States, then France, Italy and Germany.