Related Stories

  • New IE 0-Day Used in Watering Hole Attack
    A new Internet Explorer 0-day exploit, apparently used by an old hacking group, was found to have been served by the compromised Veterans of Foreign Wars website. Similarities in the attack suggest the same group as that involved in operations DeputyDog and Ephemeral Hydra were behind the attack. That group is thought to emanate from China.
  • Energetic (Russian) Bear Attacking Western Energy Sector
    Energetic Bear is the name given to a hacking group, most likely Russian, that appears to be primarily targeting the western energy sector. Although only one part of a new Global Threat Report for 2013, it is the part attracting most attention and interest: Russia is potentially joining China (and the NSA) as an alleged source of state-sponsored espionage.
  • Attackers Ramp Up Threats to the Energy Sector
    The US energy sector experienced the largest number of malware attacks of any industry in the spring and summer of 2012, with the end result being expensive outages at pipelines, oil refineries and drilling platforms. This year, brute-force attacks and botnet infestations are all alarmingly on the rise.
  • Internet Explorer zero-day blamed for Department of Labor website attack
    The watering hole campaign that targeted a US Department of Labor website was the result of a brand-new zero-day vulnerability affecting Internet Explorer 8 (CVE-2013-1347), and not a patched, known quantity as originally thought.
  • Fresh IE8 vulnerability used in watering hole attack on Chinese dissidents
    A new watering hole attack targeting Chinese dissidents has been uncovered by researchers. It exploits a fresh vulnerability in Internet Explorer 8 – just days after Microsoft released a patch.

Top 5 Stories


LightOut is Latest Cyber Threat to Target Energy Sector

15 March 2014

What happens when the energy grid goes down? Well the lights, of course, go out. A fresh advanced persistent threat (APT) targeting the energy sector is thus aptly named LightsOut, and like previous attacks, it used a watering hole method to start its system compromise.

Last autumn, the story broke that threat actors were targeting the energy sector with remote access tools and Intelligence gathering malware. The primary tactic was the watering hole attack: websites that are likely to be of interest to employees of the target company are compromised in order to deliver malware to visitors. The intention is that this infection should then allow traversal from the employees into the real target.

According to Zscaler, the new threat is from the same hands.

LightsOut struck late February, between the 24th and 26th of the month. “The attack began as a compromise of a third party law firm which includes an energy law practice known as Thirty Nine Essex Street LLP,” said Zscaler researcher Chris Mannon, in a blog. “The victim site is no longer compromised, but viewers should show restraint and better browsing practices when visiting.”

The compromise leads victims to another that provides the attacker with a specific user-agent in the URL field. The purpose of this is to pass along diagnostics to the attacker so that the proper malicious package is sent to the victim.

LightsOut performs several diagnostic checks on the victim's machine to make sure that it can be exploited. This includes checking the browser and plugin versions. And ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file.

LightsOut is only the latest watering hole-oriented attack on the sector. Earlier this year it was discovered that "Energetic Bear" was making the rounds, an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims, with a primary focus on the energy sector.

Targets for the group include European government and defense contractors; European, US and Asian academia; European energy providers; and research institutes – typical cyber-espionage profiles rather than simple criminal targets.

“The recent activity of this threat originating from a site in the energy sector should serve as a warning to those in the targeted industry,” Mannon said. “Prior research from other sources tells us that the threat actors involved are highly motivated and agile. Their motive is to gather intelligence for further attacks, so be on your guard and monitor transaction logs for suspicious activity.”

Based on data from the US Department of Homeland Security’s (DHS) Industrial Control System-Cyber Emergency Response Team (ICS-CERT), 41% of malware attacks reported last year were made on the systems of energy companies, like grid operators and natural gas pipeline companies. Although the overall number of incidents reported was relatively small – 198 – the proportion aimed at energy was not. The sector receiving the next highest number of threats (internet-facing industrial systems) experienced only 11% of them.

“The energy sector is a big part of the global economy and therefore has extremely high-stakes security risks compared to other industries,” said Stephen Coty, director of security research with Alert Logic, in an analysis last year. “Daily survival of the population and businesses alike depend on the availability of energy resources, making energy companies a prime target for hackers.”

This article is featured in:
Industry News  •  Internet and Network Security  •  IT Forensics  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×