PUTIN’S CYBERWAR

technicians had to physically travel to substations to manually close breakers that the hackers had digitally opened.[35] The attacks featured a modified version of the Russia-designed “BlackEnergy”, a kind of malware known as a Trojan horse that remotely takes over computers in order to carry out DDoS attacks.[36] The US-based security firm iSight Partners associates this particular malware with a cybercriminal group it calls the Sandworm Team, which it believes is tied to the Russian government.[37]

In August of the previous year, Norway’s National Security Authority (NSM) announced that cyberattacks had compromised as many as 50 Norwegian oil companies, including Statoil, its largest, state-owned oil firm. The NSM advised 250 other energy companies to check their networks for evidence of malicious activity. Several reported that their networks had been compromised. In one case, cybercriminals had sent a phishing email with a malicious attachment to a high-ranking employee in the procurement division at a Nordic energy company. The email purported to be from the company’s human resources team and threatened the employee with dismissal. Cybercriminals also sent phishing emails, again appearing to be from human resources representatives, to several other company employees. This activity is associated with the suspected Russian actors behind the Fertger/Havex malware family, which other researchers refer to as “Energetic Bear” or “Dragonfly”.[38]

4.7 Finance

In mid-August 2014, JPMorgan Chase & Co. and at least one other US bank were hit by cyberattacks. In one case, hackers used a software flaw known as a zero-day vulnerability (that is, a vulnerability in software that hackers can exploit and for which the creator of the software has had zero days in which to mitigate its exploitation) in one of the banks’ websites. They then ploughed through layers of elaborate security to steal gigabytes of sensitive data. As many as 76 million households and 7 million small businesses may have had data compromised.[39] The attack followed recent infiltrations of major European banks using a similar vulnerability, and nine other US and international financial institutions – including Bank of America, Regions Bank, TD Bank, and Commercial Bank International of UAE – were also targeted.[40]

[35] Zetter, K., ‘Everything We Know About Ukraine’s Power Plant Hack’, Wired, 20 January 2016, available at: https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/, last visited: 6 May 2016.
[36] See: Kovacs, E., ‘Ukraine Accuses Russia of Hacking Power Companies’, Security Week, 30 December 2015, available at: http://www.securityweek.com/ukraine-accuses-russia-hacking-power-companies, last visited: 6 May 2016.
[37] Hultquist, J., ‘Sandworm Team and the Ukrainian Power Authority Attacks’, iSight, 7 January 2016, available at: https://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/, last visited: 6 May 2016.
[38] ‘Cyber Threats to the Nordic Region’, FireEye, 11 May 2015, available at: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-nordic-threat-landscape.pdf, last visited: 6 May 2016, p. 10.
[39] Goldstein, M., Perlroth, N. and Sanger, D. E., ‘Hackers’ Attack Cracked 10 Financial Firms in Major Assault’, The New York Times, 3 October 2014, available at: http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/?_php=true&_type=blogs&_r=1, last visited: 13 May 2016.
[40] Waterman, S., ‘US banks targeted in new Russian hack’, Politico, 5 December 2015, available at: http://www.politico.eu/article/us-banks-russia-hack-malware-cyber/, last visited: 13 May 2016.