CrowdStrike released its Global Threat Report for 2013 today. It focuses on two particular adversaries: Deadeye Jackal (more commonly know as the Syrian Electronic Army), and the lesser known Energetic Bear. "Energetic Bear," it reports, "is an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims with a primary focus on the energy sector."
The primary tactic used by the group is the 'strategic web compromise,' or watering hole attack. Websites that are likely to be of interest to employees of the target company are compromised in order to deliver malware to visitors. The intention is that this infection should then allow traversal from the employees into the real target.
Other targets for the group include European government and defense contractors; European, U.S., and Asian academia; European energy providers; and research institutes – typical cyber espionage rather than simple criminal targets. "Targeted entities and countries are consistent with likely strategic interests of a Russia-based adversary," says CrowdStrike.
While it is notoriously difficult – if not technically impossible – to locate the correct nationality or affiliation of any specific hacking group, Crowdstrike adds, "Other data supporting a Russia-based adversary are observed in timing data related to these activities that aligns neatly with Russian working hours. Both build times for the malware sample and distinctive C2 activity (possibly infrastructure monitoring) occur mostly within these hours."
There is an assumption by some commentators that Energetic Bear is state-sponsored by Russia in the same way that Comment Crew is (allegedly) state sponsored by China. “They’re taking the Chinese playbook,” said Dmitri Alperovitch, CrowdStrike cofounder and chief technology officer, in The Washington Post. "If true," adds the Post, "it would be one of the first reports alleging Russian cyber efforts aimed at U.S. and European energy companies. Up to now, most reports have focused on the Chinese."