Hacking group makes sustained attacks on energy sector
Dragonfly targeted spying attacks on grid operators, electricity generation companies and industrial equipment vendors
A well-organised hacking group is believed to have carried out a sustained campaign of attacks on industrial control systems in the energy sector in the US and Europe, according to Symantec.
The group, called ‘Dragonfly’ by Symantec or ‘Energetic Bear’ by other security companies, targeted energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry industrial equipment providers through a number of attack vectors.
Dragonfly has mainly been involved in spying on the organisations it targeted, although Symantec says that it also had the ability to sabotage targets but does not appear to have used it. The security company said that Dragonfly is still considered an active threat and that it is still observing active infections as of today. While most of the infections have been seen in Europe, Symantec says that there have been detections in Egypt, Iran, Qatar and Arab Emirates; however, these are not active threats and are not functioning at the moment.
Symantec believes that the group was state sponsored, based on the complexity of its methods and tools, and that it was mainly operating from Eastern Europe, based on the timing of its activities.
Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.
The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany, both of which are Remote Access Trojans (RATs). The former appears to be a custom piece of malware, either written by or for the attackers.
The group initially began sending malware in phishing emails to senior personnel in target firms, between February and June 2013.
In June 2013, the attackers shifted their focus to watering hole attacks. They compromised a number of energy-related websites that were likely to be visited by those working in the sector and injected an iframe into each of them. This iframe then redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit, which in turn exploited either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim's computer. Symantec said that the fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence of the group's strong technical capabilities.
In the third phase of the campaign, Dragonfly was able to compromise three different industrial control system (ICS) equipment providers. The group infected legitimate software bundles from each vendor with the Trojan software, so that the vendors' customers would install the Trojans when updating their systems. This attack vector gave Dragonfly a beachhead in the targeted organisations' networks, Symantec said, but also gave it the means to mount sabotage operations against infected ICS computers.