A group dubbed Energetic Bear is stealing sensitive information for Russia's economic gain

Jan 22, 2014 09:30 GMT  ·  By

IT security firm CrowdStrike says it has uncovered a massive cyber espionage campaign that has targeted hundreds of organizations from Europe, America and Asia. Who is behind it? Apparently, the Russian government.

Over the past months, with the NSA controversy and the accusations made by the US against China, Russia hasn’t been in the spotlight as far as cyber espionage campaigns are concerned.

However, CrowdStrike experts have told Reuters that Russia has been launching cyberattacks in an effort to steal sensitive information which it can use to gain an economic advantage over its opponents.

The companies targeted by the Russian government haven’t been named, but experts say the list includes tech firms, energy providers, defense contractors, academia and even government agencies. CrowdStrike highlights that the campaign primarily focuses on the energy sector.

While China has often been accused of such practices, this is the first time someone has pointed the finger at Russia.

Experts say that a hacker group dubbed “Energetic Bear” has been operating on behalf of the Russian government. The team’s operations have been monitored by CrowdStrike since August 2012.

The IT security firm has determined that the Russian government is behind the espionage campaign based on the technical indicators, the chosen targets and the data that was stolen by the attackers. The cybercriminal group has been relying on two Remote Access Trojans (RATs) in its operations: HAVEX RAT and SYSMain RAT.

Technical details on the Energetic Bear attacks have been provided by CrowdStrike in the company’s Global Threat Report for 2013.

“Targeted entities and countries are consistent with likely strategic interests of a Russia-based adversary. Several infected hosts were observed within the Russian Federation, but this could be the result of accidental compromise through large-scale SWC operations or deliberate efforts to conduct domestic Internal monitoring,” the report reads.

“Other data supporting a Russia-based adversary are observed in timing data related to these activities that aligns neatly with Russian working hours.”
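The working-hours heuristic quoted from the report can be reproduced on a set of activity timestamps: convert each event to a candidate time zone and measure how many fall on weekdays between 9:00 and 18:00 local time. The Python below is an added example, not code from CrowdStrike or from the Global Threat Report; the timestamps are constructed, the 9-to-18 window and the candidate zones (fixed offsets, with Moscow at UTC+4 as it was year-round in 2013) are assumptions, and the function and variable names are mine.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of activity timestamps in UTC (for instance C2 check-ins
# or file-modification times). Made-up values, not data from the report.
SAMPLE_EVENTS_UTC = [
    "2013-05-06T05:10:00Z", "2013-05-06T06:45:00Z", "2013-05-06T09:20:00Z",
    "2013-05-07T04:55:00Z", "2013-05-07T11:30:00Z", "2013-05-08T07:05:00Z",
    "2013-05-08T12:40:00Z", "2013-05-09T05:30:00Z", "2013-05-10T10:15:00Z",
    "2013-05-11T08:00:00Z",  # Saturday
    "2013-05-12T21:00:00Z",  # Sunday evening UTC
    "2013-05-13T03:05:00Z",  # Monday, early
]

# Assumed candidate zones as fixed offsets. Moscow kept UTC+4 all year from
# 2011 to 2014 (no DST), so a fixed offset is adequate for 2013 timestamps;
# US Eastern is on daylight time (UTC-4) in May.
CANDIDATE_ZONES = {
    "Moscow (UTC+4, 2013)": timezone(timedelta(hours=4)),
    "Beijing (UTC+8)": timezone(timedelta(hours=8)),
    "US Eastern (UTC-4, DST)": timezone(timedelta(hours=-4)),
}


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_profile(stamps, tz, start_hour=9, end_hour=18):
    """Return (share of events on a weekday within [start_hour, end_hour)
    in zone tz, histogram of local hour-of-day)."""
    total = 0
    hits = 0
    hour_hist = Counter()
    for stamp in stamps:
        local = parse_utc(stamp).astimezone(tz)
        total += 1
        hour_hist[local.hour] += 1
        # weekday(): Monday=0 .. Sunday=6, so < 5 means Monday to Friday
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    share = hits / total if total else 0.0
    return share, hour_hist


def rank_zones(stamps, zones=CANDIDATE_ZONES):
    """Rank candidate zones by how well the activity fits a working week."""
    scored = {name: working_hours_profile(stamps, tz)[0] for name, tz in zones.items()}
    return sorted(scored.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, share in rank_zones(SAMPLE_EVENTS_UTC):
        print(f"{name:28s} working-hours share = {share:.2f}")
```

On the constructed sample Moscow scores highest (8 of 12 events), but Beijing is close behind (7 of 12) because a few hours of offset shift only the edge cases. That is the practical caveat to the report's wording: a working-hours fit narrows the candidate region but rarely separates neighbouring time zones on its own, so it is corroborating evidence next to targeting, infrastructure and tooling rather than an attribution by itself.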