Hackers with deep ties to Russia and its government have been penetrating the computer networks of energy companies in Europe, the United States and Asia, according to a new report.
The campaign, dubbed "Energetic Bear," targeted hundreds of companies in more than 23 countries, according to the cybersecurity firm CrowdStrike, which revealed the operation in a report published on Wednesday.
China and its army of hackers are the usual suspects involved in cyber operations to steal intellectual property for an economic advantage. Security firm Mandiant exposed the operations of a sophisticated group of Chinese hackers called APT1 last year. In addition, the U.S. government, most recently in a November 2013 report, has accused the Chinese government of spying on corporations for years. Chinese officials have long denied these accusations.
But in this case, according to CrowdStrike, it seems like Russia — not China — was the culprit in economic spying. Russia is more commonly considered a host for cybercriminals trying to make profits by stealing passwords or credit card data. Russians also reportedly attacked Estonia in what some refer to as one of the first instances of cyberwar.
"This was really one of the first evident cases of Russian activity we've seen in a long time," Adam Meyers, CrowdStrike’s vice president of intelligence, told Mashable, referring particularly to cyber espionage.
It's often hard to identify the people behind complex cyber espionage campaigns, and companies refuse to point fingers. But in this case, while proceeding with caution, researchers at CrowdStrike are confident they have the right guys.
"It's always hard to get a smoking gun in these type of cases," said Dmitri Alperovitch, the cofounder and CTO of CrowdStrike. Any specific names and details of those behind the attack are unclear, but Alperovitch is confident that the Russian government was involved.
Hackers working "at the behest of the government" tend to work normal business hours, from 9 to 5, according to Meyers. He explained that in CrowdStrike's investigation, which spanned over two years, they saw increased activity from the hackers during normal Moscow working hours. The Energetic Bear hackers worked during the same business hours as other government employees.
But it wasn't just the hackers' seemingly normal schedules that tipped off the researchers.
The organizations targeted by Energetic Bear are also "consistent with likely strategic interests of a Russia-based adversary," read the report. In other words, it would make sense for Russia to target companies in the energy sector. CrowdStrike refused to provide further details, since the investigation is still ongoing and the company maintains confidentiality agreements with some victims of the attack.
The hackers attacked European governments, defense contractors and energy companies around the world, among others. They were chasing after intellectual property, trade secrets and data that could potentially help Russia in its diplomatic operations involving energy resources, Meyers explained.
The hackers injected spyware — a certain type of remote access tool (RAT) — into a series of websites they expected the victims to visit, an attack commonly referred to as a strategic web compromise or watering hole.
The hackers' techniques were sophisticated, Alperovitch said — in a way, just as good as those of their Chinese counterparts. “We really have the Russian sort of taking the Chinese playbook here,” he added.