New Inight into nergetic ear’
Watering Hole Attack on Turkih

Critical Infratructure
Novemer 2, 2017, Yonathan Klijnma

On Octoer 20th U-CRT pulihed an alert (TA-17-293A) with information aout
the activitie of an APT targeting the critical infratructure ector. The report
contain an extenive et of indicator with detailed context and information around
them. Part of the Ruian phere of influence, the threat group dicued in the U-
CRT report i the perpetrator of documented cer epionage attack around the
world, man of which target indutrial and manufacturing �rm and critical
infratructure. Known  man name, the group i mot prominentl known a
‘nergetic ear’ and ‘Crouching Yeti.’

Detailed anali of nergetic ear’ malware and activitie wa recentl done 
Kaperk, and RikIQ initiall invetigated them earlier thi ear. Through our we
crawling network, we were ale to determine that a weite elonging to a Turkih
energ compan wa eing ued in a watering hole attack targeting people
aociated with Turkih critical infratructure. Compromied via a uppl chain
attack, the ite wa injected with M credential-harveting malware. RikIQ then
linked the maliciou infratructure to a tring of related Turkih ite that were
compromied for the ame purpoe and traced the attack ack to a likel timeframe
in which it egan.

Watering hole attack, epeciall thoe involving uppl chain compromie, have
een an extremel e�ective method for operator of cer epionage campaign
ecaue the target victim of peci�c group, organization, and region, and with

https://www.us-cert.gov/ncas/alerts/TA17-293A
https://www.darkreading.com/attacks-breaches/energetic-bear-under-the-microscope/d/d-id/1297712?
https://community.riskiq.com/projects/bd02b44d-5c0a-0b8f-9336-54f509bf191c
https://cdn.securelist.com/files/2014/07/EB-YetiJuly2014-Public.pdf
https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/


cloe ut tumultuou relation etween Turke and the Ruian Federation, Turke i
not a urpriing target for nergetic ear. We hared our �nding with law
enforcement and national CRT partner, ut now that the indicator have ecome
pulic per U-CRT’ pulication, we want to give our unique point of view on the
threat.

trategical Compromie for Reconnaiance

Part of nergetic ear’ campaign involved trategical we compromie that give
them expoure to peci�c target. For example, prior activitie from the group
include compromiing oftware upplier for programmale logic controller (PLC)
component ued in critical infratructure and ackdooring them with the Havex
malware. In the cae of the campaign decried in the U-CRT report, the group
compromied the weite of Turca Petrol, a Turkih energ compan, located at
turca.com.tr.

Fig-1 turca.com.tr

In Ma 2017, during one of our crawl of Turca’ weite, RikIQ encountered a

http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans


watering hole etup in ue  nergetic ear. In the creenhot of the weite aove,
ou can ee four top element: ‘Join the Turca nerg Famil,’ ‘Announcement,’
‘Compan New,’ and ‘Tv interview.’ Thee eparate element are tructured a
iframe to other page on the weite a hown in the DOM capture elow:

Fig-2 DOM capture howing the modi�ed uection

However, the iframe’d page for the ‘Announcement’ uection wa modi�ed 
nergetic ear operator to contain a mall addition in the form of an image
incluion:

Fig-3 Maliciou image incluion

The image URL redirect to a link uing the �le:// cheme, which force the
connection through the �le protocol, which then allow the group to harvet
Microoft M credential. Thi ehavior wa alo noted  Talo, which wrote a
detailed anali of the pear-phihing email elonging to the ame campaign a
thi watering hole attack. It’ intereting to note that the ack-end erver ued in

http://blog.talosintelligence.com/2017/07/template-injection.html


the attack eem to e written uing the Tornadoerver Pthon framework ued for
uilding we and networking application:

Fig-4 Repone header howing the ack-end erver

In the cae of Turca Petrol, elow i the entire chain of event we oerved during
the crawl:

http://www.tornadoweb.org/en/stable/


Fig-5 The entire chain of event oerved  RikIQ

In and of itelf, thi compromie eem targeted at Turca Petrol and thoe with a
cloe relationhip with the uine, a tactic that mirror other nergetic ear
campaign. entiall, the group’ goal i to influence area of interet to the
Ruian Federation. What we’d like to how, which eem to e miing from the U-
CRT report, i the entire chain of event for thi attack.  

RikIQ found that the M credential harveting hot at 184.154.150.66 i not alwa
directl included on the weite. Intead, the intermediar hot at 103.41.177.58 i
uuall preent on the we page, which, in turn, redirect viitor—mot likel with
ome �ltering to avoid unwanted tra�c—to the M harveting hot. Additionall,
the URL format of the �le requeted, which in thi cae wa turca_icon.png, i not
related to the referring weite. Intead, nergetic ear eem to ue a form of
tagging to correlate an poile victim and their ource weite. The format we
oerved i <tag>_icon.png and <tag>.png.

trategical Compromie for road Targeting

The previou example of the Turca Petrol weite compromie howed peci�c
targeting. While compan-peci�c weite were compromied in thi campaign,

https://community.riskiq.com/search/184.154.150.66
https://community.riskiq.com/search/103.41.177.58


‘general purpoe’ weite were alo amongt the victim. One uch ite i
plantengineering.com which erve a an information and new hu for the critical
infratructure ector.

Fig-6 Another compromied weite linked to the attack

For a few month in earl 2017, thi weite had one of it reource compromied,
likel meaning that nergetic ear operator had road acce to the erver. On the
main page of the weite, a reource load from
/tpo3conf/ext/t3_jlidernew/re/j/jquer.eaing.j a een in our crawl:

Fig-7 Compromied reource

The compromied reource i a modi�ed verion of jQuer aing Javacript lirar.

https://community.riskiq.com/search/www.plantengineering.com
http://gsgd.co.uk/sandbox/jquery/easing/


At the ottom of the cript, we can �nd the M credential harveting link, which i
emedded a an image element in the main page’ DOM:

Fig-8 M credential harveting link

When we go through more of our data for thi ver impli�ed direct image incluion,
we �nd a pattern in the URL and weite. Here are three of our hit:

http://www.plantengineering.com/tpo3conf/ext/t3_jlidernew/re/j/jquer.eaing.j
http://www.cemag.com/tpo3conf/ext/t3_jlidernew/re/j/jquer.eaing.j
http://www.controleng.com/tpo3conf/ext/t3_jlidernew/re/j/jquer.eaing.j

All three URL are the ame, a i the injected content. All the a�ected weite are
new and information weite for the indutrial ector, which indicate a de�nite
pattern. o, who own thee weite? Looking at the WHOI information in
PaiveTotal we �nd plantengineering.com i owned  CF Media LLC:

https://community.riskiq.com/search/www.plantengineering.com
https://community.riskiq.com/search/www.csemag.com
https://community.riskiq.com/search/www.controleng.com
https://community.riskiq.com/search/plantengineering.com


Fig-9 WHOI record for a�ected ite

Reading a it further, we �nd the email addre rourke@cfemedia.com wa ued to
regiter the domain. Pivoting o� thi addre we can ee the ame pattern that we
aw with the URL:

Contact U

https://community.riskiq.com/search/whois/email/srourke@cfemedia.com
https://www.riskiq.com/contact/
https://www.riskiq.com/


Fig-10 Other a�ected ite

From our data, RikIQ found that controleng.com, plantengineering.com, and
cemag.com were all a�ected  the injection from nergetic ear. ecaue the’re
geared toward engineer working in the critical infratructure ector and thu prime
target for thi watering hole attack, the odd are that CF Media’ other weite
were a�ected. In fact, CF Media ha at leat ix con�rmed rand that pulih new
and information:

TR
Y 
U
 
FO

R 
FR


 

CO
N
TA
CT

 U


https://community.riskiq.com/search/controleng.com
https://community.riskiq.com/search/controleng.com
https://community.riskiq.com/search/csemag.com
http://www.cfemedia.com/publishing-brands/
http://www.riskiq.com/products/community-edition/
http://www.riskiq.com/contact


Fig-11 rand a�ected  the nergetic ear campaign

ecaue we tarted eeing nergetic ear’ M-harveting injection at the end of
March and our crawl data from the end of Januar wa till clean, RikIQ ha een
ale to pinpoint the tart of the campaign to etween the eginning of Feruar
and the end March.

Concluion: Don’t Feed the ear

Over the pat few ear,  uppl-chain attack are ecoming more and more
prevalent in the attacker’ portfolio. Javacript can e changed and compromied
without the knowledge of the ite owner, �nding it wa onto a ite when pulic
code wa modi�ed downtream. To prevent thi, ite owner mut have an
undertanding of what elong to their organization, how it’ connected to the ret
of their aet inventor, including inventoring all the third-part code running on
their we aet o the can avoid eing a pawn  operator like nergetic ear.

igning up for RikIQ Communit dition now give ou acce to one of the mot
popular RikIQ product–Digital Footprint. When ou ign up or ign in with our
organizational email addre, ou get a glimpe into our organization’ attack
urface.

To track the full lit of IOC related to thi campaign, viit the RikIQ Communit
Pulic Project.

https://www.riskiq.com/products/community-edition/
https://community.riskiq.com/projects/bd02b44d-5c0a-0b8f-9336-54f509bf191c


Our Product

RikIQ Communit
dition

RikIQ PaiveTotal™

RikIQ Digital
Footprint™

RikIQ Digital
Footprint™ naphot

RikIQ xternal
Threat™

RikIQ I™ (ecurit
Intelligence ervice)

ervice Portfolio

Compare Our Product

RikIQ Digital
Footprint™ Rik

Reporting

ta
Informed

New
Coverage

Pre
Releae

Award

Reource

Aout
RikIQ

Aout U

Career

Contact

upport
Term   Privac

Copright 2016 - 2018 RikIQ

Enter Email to Subscribe to O

SUBMIT

Go to log Home →

hare:

https://www.riskiq.com/products/community-edition/
https://www.riskiq.com/products/passivetotal/
https://www.riskiq.com/products/digital-footprint/
https://www.riskiq.com/products/digital-footprint-snapshot/
https://www.riskiq.com/products/external-threats/
https://www.riskiq.com/products/security-intelligence-services/
https://www.riskiq.com/products/services-portfolio/
https://www.riskiq.com/products/compare-our-products/
http://www.riskiq.com/products/digital-footprint-risk-reporting/
https://www.riskiq.com/news-and-events/news/
https://www.riskiq.com/news-and-events/press/
https://www.riskiq.com/resources/recognition/
https://www.riskiq.com/resources/
https://www.riskiq.com/about/
https://www.riskiq.com/about/careers/
https://www.riskiq.com/contact/
https://www.riskiq.com/resources/support/
https://www.riskiq.com/terms-of-use/
https://www.riskiq.com/privacy-policy/
https://www.riskiq.com/feed/
https://www.linkedin.com/company/riskiq_2
https://www.facebook.com/pages/RiskIQ/555939994512820
https://twitter.com/riskiq
https://www.riskiq.com/blog