A Russia-linked threat group has been targeting people associated with Turkish critical infrastructure through compromised Turkish sites, according to threat management firm RiskIQ.
Called Energetic Bear, but also known as Dragonfly and Crouching Yeti, the group has been active since at least 2010. First detailed in 2014, the threat group has been focused mainly on the energy sector in the United States and Europe.
In July, Cisco revealed that the group has used template injection in attacks aimed at energy facilities and other critical infrastructure organizations in the United States. At least a dozen power firms in the country were hit in these attacks, including the Wolf Creek nuclear facility in Kansas.
In late October, the Department of Homeland Security and Federal Bureau of Investigation issued a joint alert to warn of an attack campaign associated with the group that has been ongoing since at least May 2017. The attacks target entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.
RiskIQ now reveals that the group leveraged a supply chain attack to compromise a website belonging to a Turkish energy company and later used the site as a watering hole attack targeting people associated with Turkish critical infrastructure.
The group injected the site with SMB credential-harvesting malware and the security researchers managed to link the infrastructure to related Turkish sites that were compromised for the same purpose.
To set up their attacks, Energetic Bear compromises websites that give them exposure to specific targets, RiskIQ explains. They used the same technique for the website of Turcas Petrol, a Turkish energy company, located at turcas.com.tr.
The URL of an image the group included on the website “redirects to a link using the file:// scheme, which forces the connection through the file protocol, which then allows the group to harvest Microsoft SMB credentials,” RiskIQ’s researchers explained. The compromise appears targeted at Turcas Petrol and those close to the business, which is a tactic typically employed by Energetic Bear.
According to RiskIQ, the SMB credential harvesting host is not always directly included on the websites, but an intermediary host is typically used to redirect visitors to SMB harvesting (possibly after some filtering is done).
“Additionally, the URL format of the file requested, which in this case was turcas_icon.png, is not related to the referring website. Instead, Energetic Bear seems to use a form of tagging to correlate any possible victims and their source website. The format we observed is <tag>_icon.png and <tag>.png,” the RiskIQ team says.
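The two indicators described above, a page resource that resolves through file:// (or a UNC path) and so makes the browser open an outbound SMB connection, and the <tag>_icon.png / <tag>.png filename pattern used to correlate victims with the referring site, can both be checked by a defender. The following Python is an added example written for this article, not RiskIQ’s tooling; the HTML snippet, the proxy log format and every hostname and address in it (203.0.113.x, the .test domains) are constructed for the example.

```python
"""Defensive scan for the watering-hole indicators described in the article.

Checks two things a defender can look for:
  1. Page resources (img src, link href, ...) whose URL uses the file:// scheme
     with a remote host, or a UNC path; a browser fetching such a resource
     opens an outbound SMB connection and can leak NTLM credentials.
  2. Requested filenames of the form <tag>_icon.png / <tag>.png, which the
     article reports as a victim-tagging convention unrelated to the referrer.
All sample HTML and log lines below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that cause a browser to fetch a resource without user interaction.
_FETCH_ATTRS = {"src", "href", "data", "poster", "background"}

UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\host\share\...
TAG_NAME_RE = re.compile(r"^(?P<tag>[A-Za-z0-9-]+)(?:_icon)?\.png$", re.I)


def is_smb_reference(url: str) -> bool:
    """True when fetching the URL would go over SMB: a UNC path, or file:// with a host.

    file:///C:/... (no host) stays on the local disk and is not flagged.
    """
    url = url.strip()
    if UNC_RE.match(url):
        return True
    parts = urlsplit(url)
    return parts.scheme.lower() == "file" and bool(parts.netloc)


class _ResourceCollector(HTMLParser):
    """Collects every (tag, url) pair a page would auto-fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in _FETCH_ATTRS and value:
                self.urls.append((tag, value))


def find_smb_resources(html: str):
    """Return [(tag, url)] for every page resource that points at an SMB share."""
    collector = _ResourceCollector()
    collector.feed(html)
    return [(t, u) for t, u in collector.urls if is_smb_reference(u)]


def victim_tag(url: str):
    """Extract <tag> from a <tag>_icon.png or <tag>.png filename, else None.

    On its own '<tag>.png' matches almost any PNG, so this is only meaningful
    when combined with an SMB/file:// context, as scan_proxy_log() does.
    """
    path = urlsplit(url).path
    name = re.split(r"[\\/]", path)[-1]
    m = TAG_NAME_RE.match(name)
    return m.group("tag") if m else None


# Constructed proxy log: "<client> <status> <requested-url> <location-header> <referer>"
SAMPLE_PROXY_LOG = """\
10.0.0.12 200 http://www.example-energy.test/css/site.css - http://www.example-energy.test/
10.0.0.12 302 http://cdn.intermediary.test/turcas_icon.png file://203.0.113.5/img/turcas_icon.png http://www.example-energy.test/
10.0.0.15 200 http://www.example-energy.test/logo.png - http://www.example-energy.test/
"""


def scan_proxy_log(log_text: str):
    """Flag redirects whose Location header is an SMB reference.

    Returns [(client, referer, tag)] so an analyst can pair each affected client
    with the site that referred it and the tag embedded in the filename.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        client, status, url, location, referer = fields
        if status.startswith("3") and is_smb_reference(location):
            hits.append((client, referer, victim_tag(url)))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("SMB redirect:", hit)
```

A redirect from an intermediary host to file:// is the shape the article describes, so the proxy check keys on the Location header rather than on the originally requested URL; blocking outbound TCP/445 at the perimeter removes the credential leak even when the page content itself is not inspected.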
RiskIQ discovered that the threat group has compromised ‘general purpose’ websites too, such as plantengineering.com, which serves as an information and news hub for the critical infrastructure sector and which is owned by CFE Media LLC. Two other sites registered with the same email address were also compromised, namely controleng.com and csemag.com.
The security researchers believe that CFE Media’s other websites were affected as well, “because they’re geared toward engineers working in the critical infrastructure sector and thus prime targets for this watering hole attack.” They also note that the compromise campaign likely started between the beginning of February and the end of March.