German prosecutors issue warrant for Russian government hacker over energy sector attacks
Prosecutors in Germany have issued a warrant for the arrest
of Pawel A, a Russian national they accuse of being part of the Berserk Bear
hacking group within Russia’s Federal Security Service (FSB), according to
German public broadcasters BR and WDR.
The prosecutors accused Pawel of engineering a 2017 attack
on Netcom BW – which manages the routers for the EnBW energy company – and
another attack on electricity company E.ON. Neither company responded to
requests for comment.
The warrant was not made public but BR and WDR reported that
the hackers used a vulnerability in Netcom BW’s routers to access internet
traffic and eventually break into the management system of the company’s public
telecommunications network.
Netcom BW told the broadcasters that the electricity and gas
networks were never breached because they are segregated from the
telecommunications network.
A 36-year-old named Pavel Aleksandrovich Akulov was
one of four Russian nationals indicted by the Justice Department last year for
allegedly leading a widespread hacking campaign against energy companies around
the world.
It is unclear whether he is the same person as Pawel A, but he was also
identified in the U.S. indictment as a member of the Berserk Bear group,
working in "Center 16" within the FSB. German prosecutors did not respond to
requests for confirmation.
The group has specifically targeted industrial control
systems. Between 2012 and 2017, Akulov and two others are accused of
launching supply chain attacks, in which the attackers compromise a target's
vendors or partners as a stepping stone to the target itself, that gave the
Russian government "surreptitious, unauthorized and persistent access" to the
networks of several energy companies.
From 2012 to 2014, they compromised several industrial
control system (ICS) manufacturers and software providers and hid the
"Havex" malware inside legitimate software updates for those systems. They
used a range of attacks to install malware on more than 17,000 devices in the
U.S. and other countries.
Between 2014 and 2017, the DOJ said the group went after
“specific energy sector entities and individuals and engineers who worked with
[industrial] systems.” These attacks targeted more than 3,300 users at some 500
U.S. and international companies and entities, as well as government agencies
like the Nuclear Regulatory Commission.
The group succeeded in compromising the business
systems of the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas,
through spearphishing. They also had success with "watering hole" attacks,
compromising websites frequented by energy sector engineers in order to capture
their login credentials.
Overall, their campaigns are known to have targeted people
in more than 136 countries. In the U.S., Akulov is facing charges related to
computer fraud and abuse, wire fraud, aggravated identity theft and causing
damage to the property of an energy facility.
Attacks on German energy companies have increased
significantly over the last year. German wind farm operator Deutsche
Windtechnik was crippled in April by a cyberattack while German wind turbine
maker Nordex was forced to shut down its IT systems across multiple locations
and business units after it was hit with a cyberattack on March 31.
The Nordex incident followed a cyberattack on satellite
communications company Viasat that cut off remote monitoring and control of
about 5,800 Enercon wind turbines in Germany.
Oil companies Oiltanking and Mabanaft, both owned by German
logistics conglomerate Marquard & Bahls, suffered a cyberattack that
crippled their loading and unloading systems in February. The attacks forced
Shell to reroute oil supplies to other depots.
An internal report from Germany’s Federal Office for
Information Security said the BlackCat ransomware group was behind the
cyberattack on the oil companies.
Carsten Maywirth, director of cybercrime at Germany’s
Federal Criminal Police Office, told a law enforcement conference in New York
last week that the invasion of Ukraine was linked to the increase in attacks on
German firms.
The conflict kicked off what he called a “cyberwar,” where
ransomware groups and criminal organizations chose sides in the conflict and
launched attacks on behalf of Russia against any country that helped Ukraine.
“The result is that we have more perpetrators, more targets
and more vulnerabilities. This has created a party for the criminals,” he said.
“But in my view, this is the new normal.”