Researchers say a threat group they call Dragonfly 2.0 has been using social engineering attacks to infiltrate systems connected to critical energy infrastructure.
Symantec has been tracking a group it named Dragonfly since 2011, but says the group started a new campaign in 2015 using new tactics and attack methods against organizations related to the energy industry, which led to the new designation Dragonfly 2.0.
"The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations," Symantec wrote in its analysis. "The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future."
Moreno Carullo, co-founder and CTO of Nozomi Networks, an ICS security company based in San Francisco, said that originally the group targeted pharmaceutical firms, while "Dragonfly 2.0 appears to have been weaponized to specifically target industrial control systems (ICS) field devices, and then feeds that information back to the command and control server, which will be monitored by the attackers."
"Rather than installing immediately on infection, this latest iteration of Dragonfly bides its time, waiting eleven days before automatically installing a backdoor," Carullo told SearchSecurity. "Using this new entrance, the attacker can then install or download applications to infected computers, particularly targeting Windows XP with known vulnerabilities, and even circumventing permission restrictions on user accounts."
Symantec said it had observed Dragonfly 2.0 sending malicious emails and using watering hole attacks to gather network credentials, then using those stolen credentials in follow-up attacks against targeted organizations involved in the energy sector.
"In 2014, Symantec observed the Dragonfly group compromise legitimate software in order to deliver malware to victims, a practice also employed in the earlier 2011 campaigns. In the 2016 and 2017 campaigns the group is using the evasion framework Shellter in order to develop trojanized applications. In particular, Backdoor.Dorshel was delivered as a trojanized version of standard Windows applications," Symantec explained in a blog post. "Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks -- perhaps by using social engineering to convince a victim they needed to download an update for their Flash player."
Symantec said it's clear "that Dragonfly is a highly experienced threat actor," but said there wasn't enough evidence to know if it is a nation-state group or even from where the group originates.
Dragonfly 2.0 succeeding with old exploit methods
Leigh-Anne Galloway, cybersecurity resilience officer at Positive Technologies, an enterprise security company based in Framingham, Mass., said it was interesting that the group was making so much headway by using "relatively unsophisticated methods."
"Usually with [supervisory control and data acquisition (SCADA)], the tactic of choice is to exploit zero-day vulnerabilities. In this case though, they've chosen to go for the older, but most effective, methods of phishing and watering holes to get in," Galloway told SearchSecurity. "As old as these techniques might be, this blunt instrument has proved as effective as ever, relying on the age-old ally of cyber criminals: human fallibility. These hackers have bet that, in spite of the critical importance of the systems, the people using them don't have the security wherewithal to think before clicking on a link or opening an attachment. And in this case, they were right. In SCADA networks, the implications are life-threatening, to personnel and the general public, and attackers could cause a short circuit disrupting safety mechanisms, or cause a complete outage."
Ken Spinner, vice president of field engineering at Varonis, agreed that it was "significant and startling that the attacks being attributed to Dragonfly 2.0 began with spearphishing emails."
"The notion that there may be nation-state or rogue actors who have been resident in the networks of nuclear facilities, electrical grids, and dams isn't far-fetched. Many of these infrastructure providers are relying on outdated security systems with limited detection capabilities," Spinner told SearchSecurity. "We've seen malware impact energy systems dating as far back as 2003, when the Microsoft SQL Server worm, Slammer, infected an Ohio-based nuclear power plant network, causing a temporary outage. The key difference today is that attackers are equipped with far more sophisticated malware that is designed specifically to infiltrate and damage things like electricity substation switches and circuit breakers."
The dangers of persistent ICS attacks
Omer Schneider, CEO and co-founder of CyberX, an ICS security company based in Framingham, Mass., said no one should be surprised by these findings.
"As early as 2014, the ICS-CERT warned that adversaries had penetrated our control networks to perform cyberespionage. Over time the adversaries have gotten even more sophisticated and now they've stolen credentials that give them direct access to control systems in our energy sector," Schneider told SearchSecurity. "If I were a foreign power, this would be a great way to threaten the U.S. while I invade other countries or engage in other aggressive actions against U.S. allies."
Spinner said it is especially dangerous when an advanced persistent threat (APT) group like Dragonfly 2.0 sets up shop on a network.
"APTs will try to remain undetected as long as possible to do the most damage. Attackers will often establish numerous footholds within a network and attempt to remain undetected while mapping systems and locating key documents, emails and user accounts," Spinner said. "One of the most effective defenses against large-scale cyberattacks on critical infrastructure is to establish separate, air-gapped networks that provide a physical line of defense. Separating core power systems from each other and the greater Internet can help mitigate attacks."