Symantec is warning of a resurgence in cyber-attacks against firms in the energy sector by a group of hackers it calls Dragonfly.
Dragonfly maintained a low profile for more than a year following exposure by Symantec and other researchers back in 2014, before resuming attacks in December 2015 and continuing them over the last two years. The group is blamed by the security researchers for recent attacks on energy companies in Europe and the US, with highly sophisticated attempts to control – or even sabotage – operational systems at energy facilities.
This "Dragonfly 2.0" campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group that first began in 2011, according to Symantec. Activities associated with the group have kicked up a gear this year.
The energy sector has become a focus of attacks by state-sponsored hackers over the last two years. Cyber attacks have been blamed for disruptions to Ukraine's utilities that led to power outages affecting hundreds of thousands of people. In recent months, there have also been reports of attempted attacks on the electricity grids of Western countries, mostly driven through phishing attacks and aimed at reconnaissance or gaining a foothold in targeted networks rather than immediate disruption. Targets included energy firms in the UK, Ireland and the US, as previously reported.
Symantec doesn't finger Russia in its report. But the US Department of Homeland Security claimed Dragonfly was a Kremlin op in a report last year (pdf). Symantec confines itself to describing the group as "highly capable" and pointing out conflicting evidence for attribution such as the presence of both French and Russian language in code strings found in malware associated with the attacks.
The value in Symantec's work is providing more detail rather than flagging up a previously unknown campaign.
"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," Symantec warns.
Symantec has strong indications of attacker activity in organisations in the US, Turkey, and Switzerland, with traces of activity in organisations outside of these countries. The US and Turkey were also among the countries targeted by Dragonfly in its earlier campaign, though the focus on organisations in Turkey does appear to have increased dramatically in this more recent campaign.
As it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software.
The initial vector of the attacks is spear phishing emails posing as anything from an invitation to a New Year's Eve party to specific content related to the energy sector and general business concerns. Once opened, the attached malicious document would attempt to leak victims' network credentials to a server outside of the targeted organisation.
Cisco recently blogged about email-based attacks targeting the energy sector using a toolkit called Phishery. Dodgy emails spotted by Symantec also used the Phishery toolkit to steal victims' credentials via a template injection attack. The toolkit became generally available on GitHub in late 2016.
"As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector," Symantec reports.
The stolen credentials were then used in follow-up attacks against the target organisations. In one instance, after a victim visited one of the compromised servers, the Goodor backdoor was installed on their machine via PowerShell 11 days later.
Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks, probably after tricking users using social engineering attacks. Such attacks falsely claim a Flash update is necessary to view content.
[Figure: An outline of the Dragonfly group's most recent activities. Source: Symantec blog post]
Various factors link the latest run of attacks with earlier Dragonfly campaigns. In particular, the Heriplor and Karagany Trojans used in Dragonfly 2.0 were both also used in the earlier Dragonfly campaigns between 2011 and 2014. Heriplor is a backdoor that appears to be exclusively used by Dragonfly, Symantec reports. The Karagany Trojan was leaked on underground markets, so its recent use by Dragonfly is not necessarily exclusive.
The latest assaults on energy sector targets go beyond those associated with previous campaigns, Symantec warns.
The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organisations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.
Andrew Clarke, EMEA director at security vendor One Identity, said: "Studies in the US report that cyber-attacks are a constant and daily occurrence on utility companies with some facilities receiving upwards of 10,000 attempted cyber-attacks each month – which equates to one attack every four minutes."
Segmenting networks with firewalls, improved access controls and patching are needed to better defend infrastructure sector firms from potential attack, he added. ®