VKG hit by cyberespionage

Lennart Ruuda
, reporter
Please note that the article is more than five years old and belongs to our archive. We do not update the content of the archives, so it may be necessary to consult newer sources.
Photo: Toomas Huik

Servers of one of Estonia's biggest oil shale companies Viru Keemia Grupp (VKG) hosted malware associated with Russian foreign military intelligence GRU.

Suspicious traffic was monitored in the company's network last year that led to the discovery of Mimikatz software used to collect identity keys, like passwords and password hashes, in Windows systems. The inspection also came across backdoor software used to connect to a control server, a report by the State Information System Authority reveals.

„The existence of this malware allows an attacker to access information stored in the system and meddle in management of services, for example production facilities,“ said Deputy Director of RIA Toomas Vaks. He said that VKG is a company of considerable regional importance that offers a vital service. „RIA is tasked with the cybersecurity of vital services in Estonia, and we take these kinds of incidents very seriously,“ he said. „Cyberattacks against vital services, like the assault on Ukraine's power grid during Christmas of 2015, could endanger the property, health, and lives of hundreds of thousands of people,“ Vaks added.

„Luckily we have no information to suggest the incident at VKG directly jeopardized the functionality of a vital service; however, such a scenario cannot be ruled out in a situation where potential attackers have access to control systems.“ RIA said that both VKG's web traffic and pieces of malware found in computers suggest an orchestrated attack. The malware and control server used have been associated with cyberespionage group APT28, which cyberespionage circles believe could be linked to GRU.

„It is possible this particular software is also used by cybercriminals. However, RIA has no information regarding the persons and motives behind the attack, whereas providing such assessments isn't our task,“ Vaks said.

CEO of VKG Ahti Asmann said when commenting on the incident that the attack was in no way active and did not affect the company's work. „It is just a question of risks and their potential materialization. However, that is a comment you will have to get from the information system watchdog,“ Asmann said. He could not say why the company's servers could have been infected with the malware. „There is always something going on in our field, and new dangers crop up. We have identified these things by today and will move on with our work,“ he said.