Since 2011, Energetic Bear, an Eastern European threat actor, has targeted the Defense Industry, Energy Industry, and ICS equipment manufacturers, with highly technical prolonged attacks that are suggestive of a state sponsor. Energetic Bear’s exploit kits features specialized malware, likely developed or adapted by the attackers, that was compiled during business hours (Monday – Friday, 9am – 6pm) UTC+4, which corresponds to working hours in Russia or Eastern Europe. Most security firms conclude that Energetic Bear is a Russian state-sponsored group because the group targets nation states who are politically opposed to Russia. Further, the malware primarily compromises petroleum and energy systems that compete with Russia’s energy complex in the economical arena.
Based on its choice of targets and the malware deployed, Energetic Bear seems primarily interested in gathering intelligence on its victims or their country of origin and establishing persistent access to compromised systems. The sophisticated exploit kits could easily be used to sabotage targets’ operations to cause damage or disruption in critical infrastructure sectors that depend on ICS and SCADA systems. So far, while the malware has been positioned ideally to sabotage ICS and SCADA systems, investigations by Symantec and other leading firms witness more uses of the exploit kits for espionage purposes than the sabotage purposes. The threat actors may prefer not to utilize this capability or sabotage campaigns may occur, appearing as system failures that are not investigated as cyber-attacks. More likely, Energetic Bear may be pre-positioning its malware in compromised systems to grant the greatest utility while allowing for every attack vector. Given its selection of targets and its exploit kits, both of which are detailed below, Energetic Bear is uniquely positioned to assist in a combination of Digital and Physical warfare for military or political purposes. Notably, Russia conducted such a campaign in its 2008 conflict with Georgia.