A group has launched a new wave of cyberattacks aimed at severely disrupting operations in the European and North American energy sectors, IT security firm Symantec warns.
Dragonfly, a group that has been in operation since at least 2011, has re-emerged over the past two years, the firm said in an official blog posting on September 6. "The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," it said.
Symantec said the renewed campaign, which it calls "Dragonfly 2.0," has been underway since December 2015. But the firm has seen a "distinct increase in activity in 2017," it said.
The warning comes amid heightened concern about cyber vulnerabilities in the power sector worldwide. A December 2015 cyberattack caused unscheduled outages at three regional power distribution companies in Ukraine; a U.S. interagency team confirmed last year that it was carried out through remote intrusions into the utilities' networks. A modified version of the Petya ransomware, unleashed at the end of June, meanwhile, knocked out automated radiation monitoring at Ukraine's Chernobyl nuclear site and forced staff to take readings manually.
A joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last July warned that hackers had been penetrating the computer networks of companies that operate nuclear power plants, among them the Wolf Creek Nuclear Operating Corp. The breaches reportedly began with spear-phishing, in which targeted, legitimate-looking emails are used to gain unauthorized access to sensitive information or systems. In that case, fake resumes reportedly sent to plant engineers delivered malware to their devices.
The power sector's concerns are rooted in vulnerabilities in the industrial control systems (ICS) that run its plants and grids. ICS is an umbrella term covering several kinds of control systems, including supervisory control and data acquisition (SCADA) systems and other, smaller control system configurations.
According to Omer Schneider, CEO and co-founder of CyberX, an ICS threat intelligence firm, the renewed campaign by Dragonfly shouldn't come as a surprise. "It's well-known that there are at least two Russian groups that have been targeting the energy industry for several years, including Sandworm and Energetic Bear (Dragonfly)," he said in a statement to POWER on September 7.
Schneider said that as early as 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an entity under the Department of Homeland Security, warned that adversaries had penetrated control networks "to perform cyber-espionage."
"Over time the adversaries have gotten even more sophisticated and now they've stolen credentials that give them direct access to control systems in our energy sector," he said. "If I were a foreign power, this would be a great way to threaten the US while I invade other countries or engage in other aggressive actions against US allies."
Dragonfly 2.0 uses a variety of infection vectors to gain access to vulnerable networks, including malicious emails, watering hole attacks, and Trojanized software, Symantec said.
"The earliest activity identified by Symantec in this renewed campaign was a malicious email campaign that sent emails disguised as an invitation to a New Year's Eve party to targets in the energy sector in December 2015," it said. "The group conducted further targeted malicious email campaigns during 2016 and into 2017. The emails contained very specific content related to the energy sector, as well as some related to general business concerns. Once opened, the attached malicious document would attempt to leak victims' network credentials to a server outside of the targeted organization."
IT firm Cisco in July called attention to an email-based attack targeting the energy sector that used a toolkit called Phishery. That toolkit harvests victims' credentials through a template injection attack: the attached Word document is rewired to load its template from an attacker-controlled server, so Word reaches out to that server as soon as the file is opened and the server prompts the user for credentials.
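The credential-leaking documents described in the two preceding paragraphs can be screened for without opening them in Word, because a .docx is a zip of XML parts and an attached template is recorded as a relationship in word/_rels/settings.xml.rels. The following is an added example, not code from Symantec, Cisco or the Phishery project: it builds constructed sample documents in memory (the 203.0.113.0/24 addresses are the reserved documentation range, not real hosts) and flags any attachedTemplate relationship whose target is a remote HTTP, FTP, UNC or file://host location, while leaving a normal local Normal.dotm reference alone.

```python
"""Detect Word template injection (Phishery-style) in a .docx without opening it.

A .docx is a zip of XML parts. A document saved with an attached template carries a
relationship of type .../attachedTemplate in word/_rels/settings.xml.rels. Template
injection rewrites that relationship's Target to an attacker URL, so Word fetches the
template over the network (and can be prompted for credentials) as soon as the file opens.
The sample documents and 203.0.113.x targets below are constructed for the example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target):
    """True when resolving this target would contact a network host."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True                      # UNC path: SMB connection, NTLM hash leak
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    # file:///C:/... is a local template (normal); file://host/share is remote
    return scheme == "file" and bool(parsed.netloc)


def find_template_injection(docx_bytes):
    """Return remote attachedTemplate targets found in any .rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and is_remote_target(target):
                    hits.append(target)
    return hits


def build_docx(template_target=None):
    """Construct a minimal .docx, optionally with an attached template (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if template_target is not None:
            pkg.writestr("word/settings.xml",
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
            pkg.writestr("word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean resume": build_docx(),
        "local Normal.dotm": build_docx(
            "file:///C:/Users/engineer/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        "remote HTTPS template": build_docx("https://203.0.113.10/template.dotx"),
        "UNC template": build_docx("\\\\203.0.113.10\\share\\template.dotm"),
    }
    for label, blob in samples.items():
        print(f"{label:22} -> {find_template_injection(blob) or 'no remote template'}")
```

The same check can be run on an attachment at the mail gateway or during triage; a resume or invoice that pulls its template from a host outside the organization has no legitimate reason to do so. The one deliberate allowance is a local file:/// path with no host component, which Word writes for ordinary documents that were created from a user's own template.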
In its earlier campaign the Dragonfly group compromised legitimate software packages to deliver malware; in the renewed campaign it has also used an evasion framework to build Trojanized applications, Symantec warned.
"Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks, perhaps by using social engineering to convince a victim they needed to download an update for their Flash player."
Of more concern is that the Dragonfly 2.0 campaigns show that the attackers may be entering into a new phase, "with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in [the] future," it said.
Symantec advised that because Dragonfly relies heavily on stolen credentials to compromise a network, users, especially those with high privileges, should use passwords at least eight to 10 characters long. Length alone does nothing once a credential has been phished or leaked by a malicious document, however; multi-factor authentication on privileged and remote access is the control that blunts that kind of theft.
Other measures should "emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single point failures in any specific technology or protection method." Symantec lists regularly updated firewalls, gateway antivirus, intrusion detection or prevention systems (IDS/IPS), website vulnerability scanning with malware protection, and web security gateways deployed throughout the network.
IT departments should also implement and enforce a security policy that encrypts sensitive data, and educate employees on the dangers posed by spear-phishing, including attachments that unexpectedly prompt for a username and password.
"Understanding the tools, techniques, and procedures (TTP) of adversaries through services like DeepSight Adversary Intelligence fuels effective defense from advanced adversaries like Dragonfly 2.0," it added. "Beyond technical understanding of the group, strategic intelligence that informs the motivation, capability, and likely next moves of the adversaries ensures more timely and effective decisions in proactively safeguarding your environment from these threats."
–Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)