Dragonfly, a group that infamously targeted the international energy sector from 2011-2014, appears to be back with a vengeance.
The international energy sector has been a frequent target of cyberattacks, and a shadowy group known as Dragonfly has been a recurrent perpetrator. Highly active from 2011 to 2014, the group then appeared to have vanished, but investigations by cybersecurity giant Symantec have found that it has once again been waging campaigns against European and North American energy giants.
Dragonfly’s renewed efforts appear to have begun in late 2015, combining methods and tools from its earlier campaigns with some entirely new tactics.
The group appears to be interested both in learning how energy facilities operate and in gaining access to the operational systems themselves, and it now potentially has the ability to sabotage or take control of these systems if and when it decides to do so.
Key targets are organizations in the US, Turkey and Switzerland. The US and Turkey were among the key countries targeted by Dragonfly in earlier efforts, but the focus on Turkey has increased dramatically in the latest wave of their campaign.
As it did in its prior campaign between 2011 and 2014, Dragonfly is using a variety of infection vectors in an effort to gain access to target networks, including malicious emails, watering hole attacks, and Trojanized software.
Malicious Party Invites
The earliest activity identified by Symantec in this renewed campaign was a malicious email campaign in which bogus New Year’s Eve party invitations were dispatched to targets in the energy sector in December 2015.
The group conducted further targeted malicious email campaigns during 2016 and into 2017, with emails whose content ranged from topics specific to the energy sector to general business matters.
Once opened, attached malicious documents would leak victims’ network credentials to a server outside the targeted organization.
In July, network software firm Cisco blogged about email-based attacks targeting the energy sector using a toolkit called Phishery.
Some of the Dragonfly emails sent in 2017 have also used this toolkit to steal victims’ credentials via a template injection attack.
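Template injection of the kind described above works because a Word document can carry a relationship that tells Word to fetch an attached template from an external location when the file is opened. The following scanner is an added example, not code from the article, Symantec or Cisco: it walks the relationship parts of an OOXML package and reports external relationships that resolve automatically on open, treating hyperlinks as benign (they only load on click) and using a placeholder host name in the constructed sample, neither of which comes from the article.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def network_target(target):
    """True for http(s) URLs, UNC paths and file:// URLs that name a host."""
    if target.startswith("\\\\"):
        return True
    u = urlparse(target)  # urlparse already lower-cases the scheme
    return u.scheme in ("http", "https") or (u.scheme == "file" and bool(u.netloc))

def external_fetches(docx_bytes):
    """Return (part, relationship type, target) for external relationships Word resolves on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in (n for n in zf.namelist() if n.endswith(".rels")):
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                # Assumed heuristic: hyperlinks are only followed on click, so skip them;
                # attached templates, OLE objects and images are fetched automatically.
                if rel_type != "hyperlink" and network_target(target):
                    findings.append((part, rel_type, target))
    return findings

def _rel(kind, target):
    return '<Relationship Id="rId1" Type="%s%s" Target="%s" TargetMode="External"/>' % (
        DOC_REL, kind, target)

def _package(*rels):
    """Constructed fixture: a zip holding only a settings rels part (not an openable document)."""
    xml = '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS[1:-1], "".join(rels))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", xml)
    return buf.getvalue()

# Constructed samples; the host name is a placeholder, not a real indicator.
SUSPICIOUS = _package(_rel("attachedTemplate", "http://template-host.invalid/invite.dotm"))
BENIGN = _package(_rel("attachedTemplate", "file:///C:/Templates/Normal.dotm"),
                  _rel("hyperlink", "https://www.example.com/"))
```

Run `external_fetches(open("invite.docx", "rb").read())` on a real file; an attached template on a remote host is the feature a credential-harvesting template relies on, while a local Normal.dotm or an ordinary hyperlink is not reported.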
Watering Hole Attacks
In addition to sending malicious emails, the attackers used watering hole attacks to harvest network credentials, compromising websites likely to be visited by people working in the energy sector.
The stolen credentials were then used in follow-up attacks against target organizations via Backdoor.Goodor, which provides the attackers with remote access to a victim’s machine.
In 2014, Symantec observed Dragonfly compromising legitimate software in order to deliver malware to victims, a practice it had also employed in its 2011 campaigns. In the 2016 and 2017 campaigns, the group has been using the evasion framework Shellter to build Trojanized applications. In particular, Backdoor.Dorshel was delivered as a Trojanized version of a standard Windows application.
There is also evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors on target networks, perhaps by using social engineering to convince victims that they need to download an update for their Flash player.
Shortly after victims visited specific URLs, a file named “install_flash_player.exe” appeared on their computers, followed shortly by the Trojan.Karagany.B backdoor.
Typically, the attackers install one or two backdoors on victim computers, which give them remote access and allow them to install additional tools as needed.
The Unspoken Danger
Energy and utility organizations have been high-profile targets for hackers, cyberterrorists and foreign governments for years.
Such entities are perhaps ideal victims: they are often comparatively vulnerable, and a successful attack can cause mass disruption.
However, attacks on the energy and utility sector are often kept confidential, unlike data breaches suffered by retailers and other consumer-facing organizations that must be publicized to alert customers that their information may have been stolen.
Stuxnet: When a Virus Attacked a Nuclear Plant
Despite this secrecy, there are numerous publicly documented instances — most notably, in 2010 a computer worm called Stuxnet was discovered by researchers in Belarus.
The digital warhead had been created by the US and Israel to derail Iran’s nuclear program, an objective in which it apparently succeeded. The worm infected the computers of contractors, who then passed it on to computers at a vital centrifuge facility in Iran.
Russian leader Vladimir Putin and Iranian President Hassan Rouhani both condemned the use of Stuxnet in March this year, after a US general admitted to lying about it during a federal investigation.
“The sides have denounced the attempts of using force or the threat of force in the information space, such as an attack on Iranian nuclear facilities with the help of the Stuxnet malware, and also any attempts to involve information and communication techniques for harmful purposes,” read a joint statement by the two countries.
There are clear indications the sector is extremely worried about these threats.
A 2016 survey of 150 IT professionals in the natural gas, electricity and oil sectors revealed that cyberattacks are very common: over 75 percent of respondents stated that their companies had suffered at least one attack during the previous year in which intruders breached at least one firewall, antivirus product or other safeguard.
Moreover, almost 50 percent stated that known cyberattacks in their industry had increased during the previous 12 months, and over 80 percent believed that a major breach damaging critical infrastructure was looming on the horizon.