Anonymous Reportedly Hacked Russian Energy Firm RosneftReport: Business Operations Unaffected, Despite Some Disruption
International hacking collective Anonymous on Monday hacked the German subsidiary of Russian energy company Rosneft, die Welt newspaper says, citing the country's cybersecurity watchdog, the Federal Office for Information Security.
While a Twitter account called Anonymous tweeted about the attack, Information Security Media Group could not independently verify the claim.
Anonymous attacks the Rosneft energy company. It is currently Russia's largest oil producer and is involved in critical infrastructure in Germany.https://t.co/rKCpOLuMT9— Anonymous (@LatestAnonPress) March 14, 2022
The Federal Office for Information Security also reportedly confirmed to the German newspaper that the alleged victim company had reported an IT security incident on Friday night or early Saturday morning. The agency then issued a cybersecurity warning to other companies in the energy sector, it says.
A spokesperson for Rosneft was not immediately available to comment on the story.
Offering an overview of the historical impact of this news, Toby Lewis, head of threat analysis at cybersecurity firm Darktrace, says that Germany has relied on Russian exports of oil and gas in the past, and many were surprised when the country made the decision to halt the Nord Stream 2 pipeline at the outbreak of war.
"However, Rosneft in Germany doesn't appear to be involved in oil and gas imports and exports. It is instead more about refining and internal distribution, and according to Anonymous, this still generates a profit for the Russian parent company and thus is a valid target," he tells ISMG.
Impact on Business
The German branch of Anonymous seems to have infiltrated the German subsidiary of Russia’s state oil company Rosneft, stealing over 20 TB of data, Lewis says, citing unspecified reports.
The die Welt newspaper, however, reported that the attack did not affect any business operations at Rosneft, although it says some systems were affected and various processes were disrupted.
As proof of disruption the hacktivist group posted screenshots that show wiped corporate iPhones and at least one file server, Lewis tells ISMG.
The exact modus operandi of the group is not yet known, but the attackers reference weak and easily guessed iPhone passwords and the use of FTP to exfiltrate data without detection, Lewis says. These are not sophisticated or novel methods.
Rosneft's international website has also been attacked and "paralyzed" since the end of February, the German newspaper said. ISMG could not access the website.
Lewis says that the problem with critical environments is that they do not fail gracefully, and there is no option of reverting to pen and paper.
"The urgent challenge for defenders of critical national infrastructure globally is to be able to interrupt attacks once they get inside, before normal business operations are disrupted and before widespread shutdowns," he says.
James McQuiggan, security awareness advocate at KnowBe4, says that in this case, Anonymous is targeting the oil refineries to collect information and damage the brand and reputation of the organization to bring to light the relationship between the organization's leaders and Russia. He tells ISMG that the hacktivist group will most likely try to leverage the data in future actions but will not share it publicly, unlike other cybercriminal groups who would extort the organization for money.
Last week, Anonymous said it had hacked Russian censorship agency Roskomnadzor, releasing 364,000 files it said show intensified censorship around the perception of the Ukraine invasion (see: Anonymous Reportedly Hacks Russian Censorship Agency).
The conflict in Ukraine has emboldened independent individuals and groups looking to take potshots at Russian entities, says John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.
Regarding the reported Rosneft incident, he tells ISMG: "It is no surprise that an affiliate of a Russian energy company was hit. That said, it’s important to note that the 'Anonymous' moniker less represents a specific group of people and is more of independent actors assuming the moniker and spirit for a little payback on Uncle Vlad."
And the conflict has spread to the underground, with Anonymous declaring a full cyberwar on Russia late last month. Almost immediately, the group claimed to have hacked websites connected to the Russian government, state media and banks (see: Anonymous Extends Its Russian Cyberwar to State-Run Media).
Anonymous has also reportedly hit the government website for Chechnya, a Russian republic that has vowed military support for Russia.
It also claims to have leaked more than 200GB of emails from the Belarusian weapons manufacturer Tetraedr and claimed credit for hacking Russian ISPs.
Anonymous says its other Russian targets include state-run media agencies Tass, Izvestia, Fontaka, RBC and Kommersant.