Russian hacker group takes over routers in energy sector attacks

A Russian cyberespionage group hijacked a Cisco router and abused it to obtain credentials that were later used in other cyber attacks that targeted energy companies in the United Kingdom.
Last week The United States of America added sanctions against Russian spy agencies for trying to influence the 2016 presidential election and other cyber attacks, including the NotPetya attack and campaigns targeting energy firms.

US-CERT received an alert from the DHS and FBI to officially accuse the Russian government of critical infrastructure attacks launched by a cybercriminal group known as Dragonfly, Crouching Yeti, and Energetic Bear.
The same group was accused by UK’s National Cyber Security Centre (NCSC) for targeting country’s energy sector, by leveraging the Server Message Block (SMB) protocol and attempting to steal victims’ passwords.

The attacks on country’s energy sector were made possible thanks to the weak cybersecurity implemented into the targeted devices.
Dragonfly group used phishing attacks to target the energy sector in the UK; the phishing attacks contained two documents that were fake resumes belonging to one Jacob Morrison.
When the fake document was opened, they would fetch a template file and then attempt to automatically authenticate to a remote SMB server controlled by the cybercriminals.

After the targeted device connects to the SMB server, it will attempt to authenticate in hackers server using the current Windows user’s domain credentials, basically stealing them.
Every system can be protected from this infected doc files by installing a top cybersecurity solution like an antivirus.
Depending on which version of OS your device runs, please install an antivirus for Windows or antivirus for Mac. Companies should run extra tests like penetration test and ethical hacking test on their network to be safe and secured.

Dragonfly used the stolen credentials in later attacks to hack the systems of energy sector organizations in the United Kingdom.
Interesting is the fact that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy conglomerate in Vietnam and one of the IP corresponded to a core Cisco router that had reached end-of-life.

They are using this Cisco router because the compromise of a router very likely implicates the router’s firmware and there aren’t as many tools available to the forensic investigator to investigate them and the lack of system logs further challenges the analysis.
This new way of approach that is using this type of infrastructure is a serious and worrisome discovery, vulnerabilities in core infrastructure like routers are not easily closed or remediated.
Dragonfly is not the only cyberespionage group that is causing cybersecurity problems, another group named Slingshot, whose members apparently speak English, has targeted entities in the Middle East and Africa using hacked Mikrotik routers.

Here are some tips for implementing and maintaining a good and healthy cybersecurity solution:
Regarding individual users: to be safe and secured, depending on which version of OS your device runs, please install an antivirus for Windows or antivirus for Mac.
Regarding companies: make sure that you hire a professional cybersecurity firm that will run various cybersecurity tests on your company’s network to implement only the best possible cybersecurity solution. Always opt for a package that includes at least a penetration test and ethical hacking tests.