Dragonfly gang is targeting Western energy industry

Pierluigi Paganini July 02, 2014

Security experts at Symantec have detected a new series of attacks worldwide conducted by the Dragonfly gang on SCADA/ICS in critical infrastructure.

The energy industry is under attack, more than one thousand companies in Europe and North America are constantly under attack.

ICS/SCADA systems are privileged targets of state-sponsored hackers and cyber criminals, last week I wrote of the discovery made by security experts from F-Secure which detected a variant of Havex targeting critical infrastructure.

The attackers conducted watering-hole attacks compromising ICS vendor website, the SCADA vendors targeted by the Havex campaign are based in Germany, Switzerland and Belgium, two of them are suppliers of remote management software for ICS systems and the third one develops high-precision industrial cameras and related software.

Security experts at Symantec discovered a new campaign targeting organization located in the US, Italy, France, Spain, Germany, Turkey, and Poland, the researcher dubbed the bad actors behind the attacks the “Dragonfly” gang.

Dragonfly attacks

The Dragonfly group, also known by other vendors as Energetic Bear, seems to be operating since at least 2011 when it targeted defense and aviation companies in the US and Canada.  Only in a second phase Dragonfly has focused its effort on US and European energy firms in early 2013.

Symantec has immediately informed the victims and national authorities, including Computer Emergency Response Centers (CERTs).

“The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.” states a blog post from Symantec.

Dragonfly gang hit energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers with cyber espionage campaign.

The gang could count on different attack vectors, including watering hole attacks, spear-phishing emails and trojanized ICS software updates like the case of Havex RAT.

According to Symantec, the Dragonfly gang is well resourced, it can count on numerous malicious tools to conduct its campaign, the two main malware tools used by attackers are the Backdoor.Oldrea and the Trojan.Karagany

“Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.” states Symantec.

Differently from the popular Stuxnet virus which was primarily designed for sabotage purpose, the malware used by Dragonfly gangs were designed to allow espionage and persistent access to the targeted systems.

Also in this case the attackers are mainly interested to data exfiltration from targeted industrial systems, the motivation for such attacks is still unclear, but the Symantec team suspects that behind Dragonfly there are state sponsored hackers.

I fear that these cases represent only the tip of the iceberg, many attacks to date have not yet been identified, while the number of attacks is likely to increase.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  SCADA,  Dragonfly)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment