Russian energy hackers' attack infrastructure exposed
Kaspersky Lab identified a large number of servers used as infrastructure for a hacking campaign widely believed to be run by the Kremlin. One of those servers belongs to a Russian opposition party.
The background: Energetic Bear, also known as Dragonfly or Crouching Yeti, is a Russian-speaking hacking group targeting the energy sector and other industrial systems. Moscow-based Kaspersky Lab does not traditionally attribute attacks to governments, but many observers — including the U.S. government — believe that Energetic Bear is an espionage operation conducted by Russia.
Why it matters: Energetic Bear has regularly been caught in U.S. systems, and knowing which servers the group uses will help halt the attacks. It also provide some insight into which websites the hackers expected the users they were targeting to visit — or that the Kremlin wanted to jab.
The details: The group uses some hacked websites to redirect users to other malicious servers to gain a foothold in victims' systems, and others to retrieve information from the attack. The hacked servers included:
- In Russia: an opposition party website, a software developer, an investment site, a sports team and an information systems contractor
- In the U.S.: an oil and gas firm
- In Ukraine: an electric company and a bank
- In the U.K.: an aerospace company
- Two servers in Germany, three in Greece, three in Turkey, one of undetermined location