Critical infrastructure verticals, such as Energy and Utilities, are attractive targets for cybercriminals and APT groups. These organizations, such as power, oil, and gas companies, are often targeted by APT groups due to the sensitive data these organizations maintain that could be of interest to other government bodies. Cybercriminals, such as ransomware groups, frequently target these companies because these verticals cannot suffer significant downtime without having rippling effects on the target countries’ economic stability. Additionally, while outside threats are a concern for organizations in these verticals, insider threats are also a risk. This blog focuses on the threat actors assessed to pose the biggest threat to energy and utilities organizations.

An APT group is a malicious actor who is believed to possess significant skills, have virtually unlimited resources, and conduct highly targeted attacks. APT groups often aim to gain initial access and remain undetected for long periods of time—allowing the group to steal credentials and sensitive information, as well as deploy backdoors on victim networks.

As opposed to APT groups, ransomware cybercriminal campaigns focus on the encryption or destruction of files and folders on the targeted endpoint or across the network. Ransomware syndicates have constantly shifted tactics to remain relevant, including rebranding, leveraging known and benign tools to maintain persistence, and building an ecosystem around their own affiliate groups and programs. Such an ecosystem may include hosting and building their own tools, forums, and leak pages.

This blog leverages the Threat Actor Metric^™ developed by Optiv’s Global Threat Intelligence Center (gTIC) - a multi-faceted, qualitative approach to determine an adversary or campaign’s potential risk to an organization or industry on a scale of 0 to 100. The matrix considers known and assessed non-technical capabilities and intentions.

Energy

Today, we are (nearly) all dependent on energy organizations – to drive to work, use our stove, and more. The Energy vertical is comprised of organizations dealing with the business and operations of coal, oil and gas, renewable energy, and uranium, among others. The Energy vertical is critical to the industrial operations of all first-world countries. According to an article published by Reuters, in 2022 alone, the oil and gas industry doubled its profits to $219 billion USD. The profits observed in this vertical, the impact a cyberattack could have on both the victim organization and the target country’s population, and the type of data these organizations host make the Energy vertical a prime target for threat actors of all types. Three of the APT groups found to target the Energy vertical are APT33 (aka Elfin, Holmium, Refined Kitten, Magic Hound), Energetic Bear (aka Dragonfly, Crouching Yeti, Iron Liberty), and APT28 (aka Fancy Bear, Sofacy, SwallowTail).

APT28

APT28 (aka Fancy Bear, Sofacy, SwallowTail), first identified in 2004, is a sophisticated APT group known for developing their own tools and exploiting zero-day vulnerabilities. The group has been publicly attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) Military Unit 26165. APT28’s campaigns are assessed as aligned to the political interests of the Russian government. The group has demonstrated that it can dynamically adapt to changing political needs and intelligence requirements of the Russian government. Any release of stolen data is likely to be timed to have maximum impact to achieve strategic political aims.

APT28 has been instrumental in the cyber war targeting Ukraine during the Russia-Ukraine war. APT28 has been observed conducting phishing campaigns targeting Ukrainian victims to deploy stealer malware with the goal of exfiltrating data saved in victims’ web browsers, including usernames, passwords, and URLs.

Image

Figure 1: Threat Actor Metric^™ score for APT28

LockBit

LockBit ransomware was first discovered in September 2019 and was previously known as ABCD ransomware because of the “.abcd virus” extension first observed. LockBit operates as a RaaS model: affiliates make a deposit to use the tool for a custom attack, and then they split the ransom payout with the LockBit group—up to a 75-percent payout for some affiliates. LockBit’s operators have posted advertisements for their affiliate program on Russian-language criminal forums stating they will not operate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking “guarantor” vouches for them.

Image

Figure 2: Threat Actor Metric^™ score for LockBit Ransomware

Utilities

Utility organizations have increasingly relied on automation to keep up with the increase in demand and consumption. Utility organizations must ensure the highest levels of reliability for their customers, which has increased the demand for real-time information. The electric system relies on advanced transmission systems, market operations, independent power producers, system operators, and the traditional vertically integrated utilities to ensure overall system reliability. The increasing complexity of devices used by utilities and other critical infrastructure elements is paralleled by an increase in attack surfaces and vulnerabilities. Multiple APT groups, including APT32 (aka OceanLotus, SeaLotus, Bismuth, Tin Woodlawn), Sandworm (aka BlackEnergy, Voodoo Bear, Iron Viking, Telebots, Quedagh), and APT10 (aka Cicada, Potassium, Stone Panda, menuPass, Red Apollo) have targeted the Utilities vertical to exfiltrate sensitive data and technologies and deliver malware like web shells for persistence and exfiltration. Ransomware groups, including the LockBit, Alphv, and Royal ransomware operations, have targeted organizations in the Utilities vertical.

Lazarus

Lazarus Group is a highly active APT group believed to be attributed to North Korea that has been active since at least 2007. Lazarus Group has been linked with operations that used a wide range of tools and tactics, techniques, and procedures (TTPs) and pursued a range of objectives, including the acquisition of military and political intelligence, disruption, and destruction. Lazarus Group is allegedly associated with two spin-off groups— Andariel and Bluenoroff—who are charged with conducting attacks against specific geographies and industries.

Image

Figure 3: Threat Actor Metric^™ score for Lazarus Group

Royal

Royal is a human-operated ransomware that was first observed in September 2022, but samples indicate the group has been operating since January 2022 and has made a significant impact on the ransomware landscape. The operation is a private ransomware group. However, the group is believed to be comprised of previous ransomware-as-a-service affiliates. This assertion is based on the observation that Royal includes aspects of many other ransomware families. The group steals and threatens to leak sensitive data if the ransom is not paid, and the group maintains a data leak site. Royal is believed to be a rebrand of the Zeon ransomware, which Conti Team One allegedly created. Conti Team One was one of the groups behind the Conti ransomware operation that was dismantled in 2022.

Image

Figure 4: Threat Actor Metric^™ score for Royal Ransomware

Outlook

Due to the similarities between the Energy and Utilities verticals, both see similar attacks conducted by the same threat actors. For example, both verticals have been targeted by both LockBit and Alphv ransomware groups most often. Despite many defensive frameworks and policies that energy and utility companies have adopted to improve security, organizations in these verticals remain an attractive target for ransomware operations due to the high-value information, company revenues, and critical nature of these organizations. These factors contribute to the likelihood of ransom payments or negotiations.

State-backed and cybercriminal APT groups and campaigns usually involve data and systems destruction via wiper malware or exfiltration of sensitive information for espionage and data harvesting campaigns. Optiv’s Global Threat Intelligence Center (gTIC) assesses with High Confidence that the motivation behind targeting these companies is for strategic economic and political gain by collecting sensitive information or by outright disrupting or destroying Information Technology and Operational Technology (IT/OT) systems.

The gTIC assesses with High Confidence that both cybercriminal and state-sponsored groups will continue to leverage known vulnerabilities in popular software and services that provide elevated privileges and access to sensitive data. Many of these tools and exploits have been in use for years and are usually available on open-source repositories and forums. The techniques will Likely continue to rely on internal risks that may not have been known or remediated by the victim organization. Enabling Multi-Factor Authentication (MFA), enforcing a least-privilege user policy, and leaving ports and services (e.g., Remote Desktop Protocol [RDP], Server Message Block [SMB], Universal Plug and Play [UPnP]) exposed and insecure allow easy access from simple brute-force and credential guessing.

Optiv’s gTIC assesses with Moderate Confidence that state-sponsored adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months. Although the overall probability of a targeted state-sponsored attack across all verticals and organizations is Unlikely, the Energy vertical has a historical record of being targeted by state-sponsored APT groups.

Geopolitics is one of the main driving factors of APT activity. As countries continue to have conflict and search for ways to make economic advancements, APT activity will Likely continue over the next 12 months. There has been a spike in APT activity since the beginning of the Russia/Ukraine war. APT groups are observed to employ what Optiv’s gTIC refers to as a “weakest-link” approach to reconnaissance and initial access in most campaigns. These include using opportunistic phishing campaigns with malicious Microsoft Office attachments or malicious links distributed to multiple organizations and potential victims, as well as the exploitation of older (2+ year-old) vulnerabilities in popular public-facing software and services like VPN clients, RDP, Microsoft Exchange, and Oracle WebLogic. It is Likely that APT and ransomware groups will continue to target the Energy and Utilities verticals over the next 12 months.

There’s More

The fact that APT and ransomware groups target Utilities and Energy verticals is not new information. But if you’re interested in learning how this all ties together, how these groups overlap, and how protecting your organizations from one of these threats helps mitigate the threat from the others, check out our whitepaper vertical series: Vertical Target Series: Energy and Utility Threats.