Last autumn, the story broke that threat actors were targeting the energy sector with remote access tools and Intelligence gathering malware. The primary tactic was the watering hole attack: websites that are likely to be of interest to employees of the target company are compromised in order to deliver malware to visitors. The intention is that this infection should then allow traversal from the employees into the real target.
According to Zscaler, the new threat is from the same hands.
LightsOut struck late February, between the 24th and 26th of the month. “The attack began as a compromise of a third party law firm which includes an energy law practice known as Thirty Nine Essex Street LLP,” said Zscaler researcher Chris Mannon, in a blog. “The victim site is no longer compromised, but viewers should show restraint and better browsing practices when visiting.”
The compromise leads victims to another that provides the attacker with a specific user-agent in the URL field. The purpose of this is to pass along diagnostics to the attacker so that the proper malicious package is sent to the victim.
LightsOut performs several diagnostic checks on the victim's machine to make sure that it can be exploited. This includes checking the browser and plugin versions. And ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file.
LightsOut is only the latest watering hole-oriented attack on the sector. Earlier this year it was discovered that "Energetic Bear" was making the rounds, an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims, with a primary focus on the energy sector.
Targets for the group include European government and defense contractors; European, US and Asian academia; European energy providers; and research institutes – typical cyber-espionage profiles rather than simple criminal targets.
“The recent activity of this threat originating from a site in the energy sector should serve as a warning to those in the targeted industry,” Mannon said. “Prior research from other sources tells us that the threat actors involved are highly motivated and agile. Their motive is to gather intelligence for further attacks, so be on your guard and monitor transaction logs for suspicious activity.”
Based on data from the US Department of Homeland Security’s (DHS) Industrial Control System-Cyber Emergency Response Team (ICS-CERT), 41% of malware attacks reported last year were made on the systems of energy companies, like grid operators and natural gas pipeline companies. Although the overall number of incidents reported was relatively small – 198 – the proportion aimed at energy was not. The sector receiving the next highest number of threats (internet-facing industrial systems) experienced only 11% of them.
“The energy sector is a big part of the global economy and therefore has extremely high-stakes security risks compared to other industries,” said Stephen Coty, director of security research with Alert Logic, in an analysis last year. “Daily survival of the population and businesses alike depend on the availability of energy resources, making energy companies a prime target for hackers.”