Bears Pouncing at the Watering Hole Online

For every cyber nook we secure, hackers dream of new ways to attack, and the inventiveness of the “Energetic Bear” is downright scary. Cybersecurity is key.


14 July 2014


Imagine getting a dose of malware from the online menu of a Chinese restaurant a block away from where you work. Well, such a nefarious method exists, as an article in The New York Times says. Cybersecurity experts even have a colorful, and apt, name for it: a “watering hole attack.” (One of our own internal security experts prefers calling it a “drive-by download” attack.)

Currently, there is a spate of stories about hackers who are launching very targeted assaults at hundreds of companies globally. Most of the victim firms are in the oil and gas industry. Cybersecurity experts refer to these hackers as being in the Energetic Bear or “Firefly” groups; the hackers’ short-term goals include planting malware to achieve command and control (C&C) capabilities over industrial plants. (We talked about PlugX RAT using Dropbox for C&C attacks already.)

Vectors of Cyber Assault

These cyber criminals are very aggressive, really clever, technically sophisticated, and may have state backing, say experts. Military men know that attacking the enemy head-on is almost always a losing proposition. One goes for the flank; or, even better, hits the opponent from the rear, with intentional (or accidental) internal help.

The Bear-Firefly hackers get this. So they send out mass emails with malicious links or attachments. But other, subtler techniques include:

  • “Trojanizing” legitimate software downloads. Using this technique, hackers targeted vendors whose apps support industrial control systems (ICSs), as an Ars Technica post explains. They then inserted malware into downloadable software on these vendors’ websites. End users who routinely downloaded updates also inadvertently inserted malware into their networks.
  • The watering hole attack. Energetic Bear compromised websites that energy industry employees were likely to visit. These sites redirected the visitors to other websites that hosted an “exploit kit.” This inserted the malware into the victims’ machines. (For details on that Chinese menu assault, you can read the Times article here.)
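The trojanized-download vector above works because end users install whatever the vendor's site serves them. The usual defensive check is to compare the downloaded file against a digest the vendor publishes through a separate channel before anything is installed. The script below is an added example written for this post, not code from the article or from any ICS vendor; the installer bytes, the tampered copy and the `sha256sum`-style manifest are all constructed inline, and the file name `ics-update-1.2.3.exe` is a placeholder.

```python
import hashlib
import hmac

# Constructed sample data: a stand-in for a vendor installer, plus the same
# bytes with a few altered, the way a trojanized copy would differ.
CLEAN_INSTALLER = b"ICS-VENDOR-UPDATE-1.2.3\n" + bytes(range(256)) * 4
_tampered = bytearray(CLEAN_INSTALLER)
_tampered[40:44] = b"\xde\xad\xbe\xef"
TROJANIZED_INSTALLER = bytes(_tampered)

# Constructed manifest in the common `sha256sum` layout: "<hex>  <filename>".
# It must come from somewhere other than the download page itself (a signed
# release note, a second vendor channel), or an attacker who replaced the
# installer can replace the digest too.
MANIFEST = (
    "# constructed release manifest (example only)\n"
    + hashlib.sha256(CLEAN_INSTALLER).hexdigest()
    + "  ics-update-1.2.3.exe\n"
)


def parse_manifest(text):
    """Return {filename: lowercase hex digest} from sha256sum-style lines.

    Blank lines and '#' comments are skipped; anything else that is not a
    64-hex-character digest followed by two spaces and a name is rejected,
    so a mangled manifest fails closed instead of silently verifying nothing.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"non-hex digest in line: {line!r}")
        entries[name.strip()] = digest.lower()
    return entries


def verify_download(data, filename, manifest_text):
    """True only if `data` hashes to the manifest entry for `filename`.

    A file that is not listed in the manifest is treated as untrusted.
    """
    entries = parse_manifest(manifest_text)
    expected = entries.get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time compare; not strictly needed for a public digest, but it
    # is the habit worth keeping for any comparison of secrets or digests.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    name = "ics-update-1.2.3.exe"
    print("clean copy verifies:     ", verify_download(CLEAN_INSTALLER, name, MANIFEST))
    print("trojanized copy verifies:", verify_download(TROJANIZED_INSTALLER, name, MANIFEST))
    print("unlisted file verifies:  ", verify_download(CLEAN_INSTALLER, "other.exe", MANIFEST))
```

Run as-is, the clean copy verifies and the tampered copy does not; the same routine sits naturally in front of any automated patch pull. The check is only as strong as the channel the manifest arrived through, which is why vendors increasingly sign releases rather than just publishing hashes.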

Hackers Seek the Soul of the Machine

But these hackers did one better, the Times notes. They encrypted their malware so that information technology managers couldn’t easily spot their tools or their origin. It appears some of these attacks also reached all the way to the basic input/output system (BIOS) at the heart of the computer. If the hardware is breached, it’s pretty much cooked.

The reason for what the Bear-Firefly group is doing is unclear — it may just be espionage for competitive advantage. On the other hand, “the potential for sabotage is there,” as one expert told the Times. (The Department of Homeland Security even issued an alert for these ICS assaults.)

These hackers exploit human behavior. As an IT manager, you must not only have ironclad systems, but also educate your personnel to be savvy about the cyber criminals out there and their ploys. Want to be more prepared? This blog about securing your network may offer a good starting point.



Marc Songini

Marc Songini has worked in the information technology field for more than 16 years. His roles have included those of journalist, analyst, and marketing communications specialist. He admits that when he started out as a cub high tech reporter, Netscape was still rocking the industry with a wondrous new user interface called a “browser.” During his 10 years with International Data Group (IDG), Marc wrote for NetworkWorld and Computerworld, both award-winning magazines. Marc specializes in cloud, enterprise apps, and figuring out the meaning of being human in an automated world.