Russian hackers who broke into the networks of Western oil and gas companies used techniques that companies can detect and oftentimes defend against, experts say.
The Russian Federation-based group compromised corporate systems by planting malware in technology suppliers' software and compromising websites visited by energy company employees, Symantec said in a recent report on the attacks.
The attackers, who have been operating at least since 2011, were bent on stealing intellectual property and other sensitive information mostly from energy grid operators, major electricity generators, oil pipeline operators and industrial equipment providers. The majority of the targets were in the U.S., Spain, France, Italy, Germany, Turkey and Poland.
The attackers' favorite malware was Backdoor.Oldrea, also known as Havex or the Energetic Bear RAT. Oldrea, custom malware either developed by the group or for it, acted as a back door that let the hackers extract data and install additional software.
The majority of command and control servers appeared to be hosted on compromised computers running content management systems. Oldrea has a basic control panel that lets an authenticated user download a compressed version of data stolen from each victim.
Tools that monitor network traffic can detect such malware when data moving from an internal source suddenly spikes and the traffic is headed toward an untrusted site, said Adam Kujawa, head of malware intelligence at Malwarebytes.
Intrusion detection systems (IDSs) could help by identifying Web addresses that send or receive suspicious data.
"Many government networks utilize block lists and closely monitor network activity to keep an eye out for anything anomalous," Kujawa said. "This is a very common method of identifying previously unseen malware."
Security products that scan systems for unusual activity could also help. "Even something as small as a single value in the system registry being incorrect could be enough to launch an investigation of infection on a system," he said.
Another effective technique is egress filtering, which is the practice of monitoring traffic from a corporate network to the Internet via a router, firewall or similar device.
"With simple egress filtering, an organization can identify communication paths that don't belong on the network and block them," Jim Gilsinn, senior investigator for Kenexis Consulting, said.
Any device on an industrial control system network that needs access to Internet domains should go through a Web proxy that enforces a white list of acceptable sites, Gilsinn said.
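The two controls described above, a proxy allow list for outbound destinations and a watch for sudden spikes of data leaving toward untrusted sites, can be checked against egress logs with a short script. This is an added example, not code from Symantec, Malwarebytes or Kenexis; the log format, host names, domains and byte threshold are all constructed for illustration.

```python
# Added example, not from the article or any vendor it quotes: one pass over
# constructed egress log lines applying the two controls the article describes,
# an allow list of permitted external destinations and a per-host check for
# sudden spikes of outbound data toward untrusted sites.
from collections import defaultdict

# Constructed sample records: "timestamp src_host dst_domain bytes_out"
SAMPLE_LOG = """\
2014-07-01T09:00:00 hmi-01 updates.vendor.example 12000
2014-07-01T09:05:00 hmi-01 updates.vendor.example 9000
2014-07-01T09:10:00 eng-ws-07 updates.vendor.example 15000
2014-07-01T09:12:00 eng-ws-07 cms-site.example 5200000
2014-07-01T09:15:00 eng-ws-07 cms-site.example 4800000
2014-07-01T09:20:00 hist-02 ntp.example 400
"""

# Allow list a Web proxy would enforce (constructed, hypothetical domains)
ALLOWED_DESTINATIONS = {"updates.vendor.example", "ntp.example"}
# Outbound-byte threshold per host (constructed; tune to the site's baseline)
SPIKE_THRESHOLD_BYTES = 1_000_000

def parse_log(text):
    """Parse whitespace-separated records into (ts, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split()
            records.append((ts, src, dst, int(nbytes)))
    return records

def flag_disallowed(records, allowed=ALLOWED_DESTINATIONS):
    """(src, dst) pairs the proxy allow list would block."""
    return sorted({(src, dst) for _, src, dst, _ in records if dst not in allowed})

def flag_volume_spikes(records, allowed=ALLOWED_DESTINATIONS,
                       threshold=SPIKE_THRESHOLD_BYTES):
    """Hosts whose total bytes to non-allowed destinations exceed threshold."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in records:
        if dst not in allowed:
            totals[src] += nbytes
    return {src: total for src, total in totals.items() if total > threshold}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocked by allow list:", flag_disallowed(recs))
    print("outbound volume spikes:", flag_volume_spikes(recs))
```

In the sample, the workstation sending roughly 10 MB to a site outside the allow list is reported by both checks, while the hosts that only talk to allowed destinations are not.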
The Russian hackers often compromised websites visited by a company's employees in order to download malware. Such so-called watering-hole attacks can be stymied by adding script-blocking extensions to browsers.