A well-organised hacking group is believed to be responsible for conducting a sustained campaign of attacks on industrial control systems in the energy sector in the US and Europe, according to online security firm Symantec.
The group, called ‘Dragonfly’ by Symantec, or ‘Energetic Bear’ by other security companies, targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers through a number of attack vectors.
Dragonfly has mainly been involved in spying on the organisations it targeted, although Symantec says that it also had the capability to sabotage targets but does not appear to have used it. The firm added that Dragonfly is still considered an active threat and that it is still observing active infections.
While most of these have been seen in Europe, Symantec says that there have also been detections in Egypt, Iran, Qatar and the United Arab Emirates. However, these are not active threats and are not functioning at the moment.
Symantec believes that the group was state sponsored, based on the complexity of its methods and tools, and that it was mainly operating from Eastern Europe, based on the timing of its activities.
Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms early last year.
The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany, both of which are remote access Trojans (RATs). The former appears to be a custom piece of malware, written either by or for the attackers.
The group initially began sending malware via phishing emails to senior personnel in target firms, between February and June 2013.
In June 2013, the attackers shifted their focus to watering hole attacks. They compromised a number of energy-related websites likely to be visited by those working in the sector, and injected an iframe into each of them. This iframe redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit, which in turn exploited vulnerabilities in either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer.
Symantec said that the fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence of the group’s strong technical capabilities.
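The injected-iframe stage described above is something a site owner or web proxy can look for on its own pages. The following Python script is an added example (it is not Symantec’s tooling and is not taken from the article): it parses a page and flags iframes that point off-site or are hidden or near-zero-sized, which is how a redirect to an exploit-kit host is typically made invisible to visitors. The host names and the sample page are constructed for the example.

```python
"""Flag iframes that look injected into an otherwise legitimate page.

Heuristics (added example, not the original article's or Symantec's code):
  * the frame's src points to a host other than the page's own host
  * the frame is hidden by CSS, pushed off-screen, or has a 0/1 px dimension
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe would not be visible to a normal visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "left:-" in style or "top:-" in style:  # positioned off-screen
        return True

    def dim(name):
        value = attrs.get(name, "").strip().rstrip("px")
        return int(value) if value.isdigit() else None

    width, height = dim("width"), dim("height")
    return (width is not None and width <= 1) or (height is not None and height <= 1)


def find_suspicious_iframes(html, page_host):
    """Return [{'src': ..., 'reasons': [...]}] for iframes worth a closer look."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the page's own host.
        host = urlparse(src).hostname or page_host
        reasons = []
        if host.lower() != page_host.lower():
            reasons.append("offsite")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a legitimate same-host player, an injected hidden
# off-site redirector, and a visible third-party embed (off-site but not hidden).
PAGE_HOST = "energy-news.example"  # constructed host name
SAMPLE_PAGE = """<html><body>
<h1>Grid operator quarterly briefing</h1>
<iframe src="/video/player?id=7" width="640" height="360"></iframe>
<iframe src="http://redirector.example.net/x.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="https://maps.example.org/embed?q=plant" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, PAGE_HOST):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Only the hidden off-site frame combines both signals; a visible third-party embed is reported as merely off-site so an operator can allowlist known embeds rather than chase them. Run against a fresh fetch of each page on a schedule, and a newly appearing off-site hidden frame is the kind of change that this campaign's watering hole stage would have produced.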
In the third phase of the campaign, Dragonfly was able to compromise three different industrial control system (ICS) equipment providers. The group inserted its Trojans into legitimate software bundles from each vendor, so that customers of those companies would install the Trojans when updating their systems. This attack vector gave Dragonfly a beachhead in the targeted organisations’ networks, Symantec said, but also gave the group the means to mount sabotage operations against infected ICS computers.
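The trojanised-update stage is the one an ICS operator can most directly defend against: a bundle whose contents differ from what the vendor published should never be installed. The following Python script is an added example, not code from the article or from any of the vendors involved. It builds a constructed software bundle in memory, derives the manifest of per-file SHA-256 hashes a vendor would publish out of band (the assumption here is that the manifest reaches the customer over a separate, trusted channel), and then verifies a tampered copy in which one library has been altered and an extra executable added.

```python
"""Verify a vendor software bundle against a per-file SHA-256 manifest.

Added example. The bundle, file names and contents are constructed; in
practice the manifest (or a code signature) must come from a trusted
channel separate from the download itself, otherwise an attacker who can
replace the bundle can replace the manifest too.
"""
import hashlib
import io
import zipfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_bundle(files):
    """Pack {name: bytes} into a zip archive and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_manifest(bundle_bytes):
    """What the vendor would publish: a hash for every file in the bundle."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        return {info.filename: sha256_hex(zf.read(info)) for info in zf.infolist()}


def verify_bundle(bundle_bytes, manifest):
    """Return (ok, problems). Any modified, added or missing file fails it."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        seen = set()
        for info in zf.infolist():
            seen.add(info.filename)
            expected = manifest.get(info.filename)
            if expected is None:
                problems.append(f"unexpected: {info.filename}")
            elif sha256_hex(zf.read(info)) != expected:
                problems.append(f"modified: {info.filename}")
        for name in manifest:
            if name not in seen:
                problems.append(f"missing: {name}")
    return (not problems, problems)


# Constructed clean release as the vendor shipped it.
CLEAN_FILES = {
    "setup.exe": b"MZ constructed installer stub",
    "driver.dll": b"MZ constructed fieldbus driver",
    "README.txt": b"Constructed release notes\n",
}
CLEAN_BUNDLE = build_bundle(CLEAN_FILES)
VENDOR_MANIFEST = make_manifest(CLEAN_BUNDLE)  # obtained out of band (assumption)

# Constructed tampered copy: one library changed, one executable added.
_tampered = dict(CLEAN_FILES)
_tampered["driver.dll"] = CLEAN_FILES["driver.dll"] + b" + constructed extra bytes"
_tampered["update_helper.exe"] = b"MZ constructed unexpected file"
TROJANIZED_BUNDLE = build_bundle(_tampered)

if __name__ == "__main__":
    print("clean:", verify_bundle(CLEAN_BUNDLE, VENDOR_MANIFEST))
    print("tampered:", verify_bundle(TROJANIZED_BUNDLE, VENDOR_MANIFEST))
```

Per-file hashes rather than a single archive hash make the report actionable: the operator learns which component was altered and which file was introduced, which is exactly the evidence needed when deciding whether earlier installs from the same source should be treated as compromised.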