The Department of Homeland Security's Industrial Control Systems
Cyber Emergency Response Team, or ICS-CERT, issued the request after
researchers with F-Secure of Finland and Symantec Corp of the United
States reported that they believed Energetic Bear was behind a
campaign to infect energy and industrial firms around the world with
malicious software known as the Havex Trojan.
ICS-CERT on Tuesday advised critical infrastructure operators to
tighten security, and provided them with a list of specific steps to
better protect their systems. It also asked them to check whether
their systems had been infected.
"ICS-CERT strongly recommends that organizations check their network
logs for activity associated with this campaign," DHS said in an
alert on its website Tuesday. "Any organization experiencing
activity related to this report should preserve available evidence
for forensic analysis and future law enforcement purposes."
The request follows another alert last week on Havex from ICS-CERT,
which said that the agency and F-Secure had learned that the
malicious software was designed to send a map of the network
infrastructure back to the hackers' command-and-control server.
F-Secure, Symantec and the Department of Homeland Security declined
to identify companies whose systems were infected, though they said
they were in the energy and industrial sectors.
Havex is a Remote Access Trojan, or RAT, that grants hackers control
of an infected machine. While RATs are typically used for espionage,
they can be used for other purposes, including downloading other
malicious tools onto compromised machines.
F-Secure and Symantec said they believed the malicious software had
so far only been used for spying, but that it had the capability to
be used for sabotage.
"They are scanning and mapping out industrial control system
networks," said F-Secure researcher Sean Sullivan. "They are
probably passing on the ones that are of interest to other groups."
The Energetic Bear gang was first identified in January by
researchers with cybersecurity firm CrowdStrike, which said the
group was linked to the Russian government and was focused on
espionage. (http://reut.rs/1dOcEuX).
Symantec said 1,018 organizations across 84 different countries had
been hit by the operation, though not all countries were known and
some infections might be accidental.
The security software maker said it believed the intended targets of
the group were in the energy and industrial sectors. Geographically,
the most activity was in Spain, followed by the United States, then
France, Italy and Germany.
(Reporting by Jim Finkle; Editing by Bernadette Baum)
© 2014 Thomson Reuters. All rights reserved.