Delaware, USA – March 21, 2018 – Last week, US-CERT issued Alert TA18-074A, based on the results of FBI and the Department of Homeland Security investigation, which provided indicators of compromise and TTPs of Energetic Bear hacker group (also known as DragonFly). Their campaign has been running since March 2016 targeting government entities and energy sector companies. The next day, security researchers from Cylance revealed details of their investigation of the same hacker group attacks on UK energy companies. Energetic Bear conducted a phishing campaign that exploited ‘Redirect to SMB’ vulnerability in MS Windows. When opened, a malicious document attempted to automatically authenticate a user to the compromised Cisco router, allowing attackers to gather credentials of energy companies employees. The hacked router belonged to a large Vietnamese oil rig manufacturer.
To detect traces of Energetic Bear attacks, you can leverage SIEM use case TA18-074A Detector, which is based on IOCs from US-CERT and Anomali ThreatStream Community. This turn-key content package can help find compromised assets and activity of the hacker group within your organization.
TA18-074A Detector for ArcSight: https://tdm.socprime.com/use-case-library/info/516
TA18-074A Detector for QRadar: https://tdm.socprime.com/use-case-library/info/517/
TA18-074A Detector for Kibana: https://tdm.socprime.com/use-case-library/info/520/
TA18-074A Detector for Qualys: https://tdm.socprime.com/use-case-library/info/518/