Energy companies, including those involved in electricity and oil production, are the targets of a new cyber-espionage and sabotage campaign called Dragonfly.
Symantec reports that an ongoing cyber-espionage campaign against a range of targets, mainly in the energy sector, gave the attackers the ability to mount sabotage operations against their victims.
“The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organisations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries,” the company reports on its official blog.
Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the US, Spain, France, Italy, Germany, Turkey and Poland.
“The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors,” Symantec says.
“Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment.
“These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.”
Stuxnet was the first known major malware campaign to target ICS. While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus: espionage and persistent access are its current objectives, with sabotage held as an optional capability should it be required.
Symantec reports that, in addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, written either by or for the attackers.
Prior to publication, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centres (CERTs) that handle and respond to Internet security incidents.
Symantec believes the Dragonfly group, which is also known by other vendors as Energetic Bear, may have been in operation since at least 2011 and may have been active even longer than that. Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.
The campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer.
The third phase of the campaign was the Trojanising of legitimate software bundles belonging to three different ICS equipment manufacturers.
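The Trojanised update vector described above (the ICS vendor compromise in the quoted Symantec passage and the third phase just mentioned) is worth illustrating from the defender's side. The following is an added example, not code from the article or from Symantec: it checks a downloaded installer against a vendor's published SHA-256 manifest before the package is allowed onto an ICS host. The package names, byte contents and manifest are all constructed sample data; the key assumption is that the manifest is obtained over a channel separate from the download server, since an attacker who controls the vendor's distribution site could replace a manifest served alongside the files.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of a package image as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict) -> dict:
    """Record known-good digests for each package name.

    In practice this list is published by the vendor and fetched out of band
    (assumption for this example); here it is built from constructed bytes.
    """
    return {name: sha256_hex(blob) for name, blob in packages.items()}


def check_download(name: str, data: bytes, manifest: dict) -> str:
    """Classify a downloaded package against the manifest.

    Returns 'ok', 'hash-mismatch' (contents differ from the vendor's record,
    e.g. a Trojanised bundle) or 'not-in-manifest' (nothing to verify against,
    so the package must not be trusted by default).
    """
    expected = manifest.get(name)
    if expected is None:
        return "not-in-manifest"
    actual = sha256_hex(data)
    # compare_digest does a constant-time comparison of the two hex strings
    if hmac.compare_digest(actual, expected):
        return "ok"
    return "hash-mismatch"


def triage(downloads: dict, manifest: dict) -> dict:
    """Run check_download over a batch of fetched packages."""
    return {name: check_download(name, blob, manifest)
            for name, blob in downloads.items()}


# --- constructed sample data; not real vendor files or real malware ---
GOOD_INSTALLER = b"MZ\x90\x00 ics-driver-setup v2.1 (constructed sample)"
# A Trojanised bundle modelled as the legitimate image with extra bytes appended
TROJANISED_INSTALLER = GOOD_INSTALLER + b"\n;; appended foreign code (constructed)"

# Manifest as the vendor would have published it for the clean release
VENDOR_MANIFEST = build_manifest({"ics-driver-setup.exe": GOOD_INSTALLER})


if __name__ == "__main__":
    downloads = {
        "ics-driver-setup.exe": TROJANISED_INSTALLER,
        "hmi-config-tool.msi": b"package with no published digest (constructed)",
    }
    for pkg, verdict in triage(downloads, VENDOR_MANIFEST).items():
        print(f"{pkg}: {verdict}")
```

Run as a script it reports the Trojanised installer as `hash-mismatch` and the unlisted package as `not-in-manifest`; only a package whose digest matches the out-of-band manifest returns `ok`. A code-signing check on the installer is the stronger control where the vendor signs releases, but a hash manifest fetched separately from the download site still defeats the simple file-swap the article describes.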
“Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability,” Symantec blogs. “The group is able to mount attacks through multiple vectors and compromise numerous third party Web sites in the process. Dragonfly has targeted multiple organisations in the energy sector over a long period of time. Its current main motive appears to be cyber-espionage, with potential for sabotage a definite secondary capability.”