Hacking Group Targets Energy Sector

A well-organised hacking group is believed to be responsible for conducting a sustained campaign of attacks on industrial control systems in the energy sector in the US and Europe, according to online security firm Symantec.

The group, called ‘Dragonfly’ by Symantec, or ‘Energetic Bear’ by other security companies, targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers to the energy industry through a number of attack vectors.

Dragonfly has mainly been involved in spying on the organisations it targeted, although Symantec says that it had sabotage capabilities as well but does not appear to have used them. The firm added that Dragonfly is still considered an active threat and that it is still observing active infections.

While most of these have been seen in Europe, Symantec says that there have been detections in Egypt, Iran, Qatar and Arab Emirates. However, these are not active threats and are not functioning at the moment.

Symantec believes that the group was state sponsored, based on the complexity of its methods and tools, and that it was mainly operating from Eastern Europe, based on the timing of its activities.

Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms early last year.

The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany, both of which are Remote Access Trojans (RATs). The former appears to be a custom piece of malware, either written by or for the attackers.

The group initially began sending malware via phishing emails to senior personnel in target firms, between February and June 2013.

In June 2013, the attackers shifted their focus to watering hole attacks. They compromised a number of energy-related websites likely to be visited by those working in the sector and injected an iframe into each of them. This iframe redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit, which in turn exploited either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer.
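The watering hole phase turned on a single injected iframe in an otherwise legitimate page. The following added example (not code from Symantec or the article) shows the kind of check a site owner or web-proxy team can run over page content to surface that pattern: iframes whose source host is neither the page's own host nor an allow-listed one, and iframes styled to be invisible. The HTML, host names and allow-list below are constructed for illustration.

```python
"""Flag off-site or hidden iframes in page content, the injection pattern used
in the watering hole phase. Added example, not Symantec's or the article's code;
the sample page and host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate iframe to the site's own media host and
# one zero-size iframe pointing at an unrelated domain.
SAMPLE_HTML = """
<html><body>
<h1>Industry newsletter</h1>
<iframe src="https://media.example-energy.test/player?id=4" width="640" height="360"></iframe>
<iframe src="http://cdn.unrelated-host.test/stat.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True if the iframe is sized or styled so a visitor would never see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, page_host, trusted_hosts=()):
    """Return one finding per iframe whose src host is off-site (not the page's
    own host and not allow-listed) or which is hidden. A relative src is treated
    as on-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host
        reasons = []
        if host != page_host and host not in trusted_hosts:
            reasons.append("off-site src")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example-energy.test",
                                           trusted_hosts=("media.example-energy.test",)):
        print(finding)
```

Run this over a snapshot of each public page and diff the findings against the previous run; a newly appearing off-site or hidden iframe is the signal worth paging on, whereas a stable allow-listed embed is noise. The allow-list is deliberately explicit so that a redirect to a "legitimate" but compromised third-party site, as in the campaign described above, still shows up as off-site.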

Symantec said that the fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence of the group’s strong technical capabilities.

In the third phase of the campaign, Dragonfly was able to compromise three different industrial control system (ICS) equipment providers. The group infected legitimate software bundles from each vendor with Trojan software, so that customers of those companies would install the Trojans when updating their systems. This attack vector gave Dragonfly a beachhead in the targeted organisations’ networks, Symantec said, but also gave the group the means to mount sabotage operations against infected ICS computers.
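The third phase worked because customers installed whatever the vendor's download site served. The added example below (not code from Symantec or any ICS vendor) shows the integrity check an ICS operator can put in front of an installer: compare the file's SHA-256 against a hash the vendor published through a separate channel, and refuse to install on a mismatch or a missing entry. The bundle bytes, file name and manifest are all constructed here; in practice the manifest has to come from somewhere other than the download site that was compromised, ideally as a signed file, or it offers no protection.

```python
"""Check a downloaded software bundle against a vendor-published hash before
installing it. Added example, not code from Symantec or an ICS vendor; the
bundle contents and manifest are constructed for illustration."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "genuine" download and the hash the vendor would publish for it
# out of band (assumed obtained from a separate, authenticated channel).
GENUINE_BUNDLE = b"ICS-DRIVER-PACKAGE v2.1\x00" + bytes(range(256))
PUBLISHED_MANIFEST = {"ics-driver-2.1.zip": sha256_hex(GENUINE_BUNDLE)}

# Constructed tampered copy: the same bundle with extra bytes appended, standing
# in for a trojanised installer served from a compromised download site.
TAMPERED_BUNDLE = GENUINE_BUNDLE + b"<appended payload>"


def verify_bundle(name: str, data: bytes, manifest: dict):
    """Return (ok, reason). ok is True only when the file has a published hash
    and the downloaded bytes hash to exactly that value."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no published hash for this file; do not install"
    actual = sha256_hex(data)
    # Constant-time comparison, so timing does not leak how many hex digits match.
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch: expected {expected[:16]}..., got {actual[:16]}..."
    return True, "hash matches the published manifest"


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_BUNDLE), ("tampered", TAMPERED_BUNDLE)):
        ok, reason = verify_bundle("ics-driver-2.1.zip", blob, PUBLISHED_MANIFEST)
        print(f"{label}: {'INSTALL' if ok else 'REJECT'} ({reason})")
```

The missing-entry case is rejected rather than waved through because a file the vendor never published is exactly what a trojanised bundle looks like from the customer's side. A hash hosted on the same page as the download would be replaced along with the installer, so the check only earns its keep when the manifest is fetched independently and, better, verified against a vendor signing key the operator already holds.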
