Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/15/2014
09:00 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Belden Research Reveals Dragonfly Malware Likely Targets Pharmaceutical Companies

New report "Defending Against the Dragonfly Cyber Security Attacks, Part A - Identifying the Targets" published.

ST. LOUIS--(BUSINESS WIRE)--

Belden Inc. (BDC), a global leader in signal transmission solutions for mission-critical applications, today releases new research that shows the recently revealed Dragonfly (Havex) malware is likely targeting the pharmaceutical sector, not the energy sector as previously believed. Until now, advanced cyberattacks against industry have focused on the critical energy and chemical sectors. Manufacturing management teams are advised to update their risk assessments and ensure that their cyber security defenses can withstand what are clearly highly coordinated attacks by teams of professional hackers.

The new report, entitled “Defending Against the Dragonfly Cyber Security Attacks, Part A – Identifying the Targets” is the first of four from Belden and investigates the victims, methods and consequences of the Dragonfly cyberattack campaign. The series will close with an analysis of what defenses have proven to be either effective or ineffective against Advance Persistent Threats (APTs), including Dragonfly. Many of the suggested actions are distinct from current common security practices.

Over the past few years, industrial infrastructure has been identified as a key target for hackers and government-sponsored warfare, attracting some of the most sophisticated cyberattacks on record, including Stuxnet, Flame and Duqu. Dragonfly is significant because it is first one of the advanced attacks since Stuxnet to have payloads that target specific industrial control system (ICS) components.

Given the importance of that finding, Belden commissioned Joel Langill of RedHat Cyber, a leading independent ICS security expert, to research Dragonfly in more depth. The objective was to understand the Dragonfly campaign in order to provide the best possible advice to customers for defending against advanced malware threats.

Langill’s detailed review of Dragonfly focused on executing the malicious code on systems that reflect real world ICS configurations and observing the malware’s impact. Three main factors led him to believe the target is the intellectual property of pharmaceutical organizations:

1. Out of thousands of possible ICS suppliers, the three companies targeted for trojanized software were not primary suppliers to “energy” facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry.

2. The Dragonfly attack is very similar in nature to another campaign called Epic Turla and is likely managed by the same team. Epic Turla has been shown to have targeted the intellectual property of pharmaceutical companies.

3. The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceutical rather than the energy industry.

“My research, coupled with my knowledge of the pharmaceutical industry, led me to conclude that it was the target of Dragonfly,” remarked Langill. “The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.”

Eric Byres, CTO of Tofino Security, a Belden Brand, and a world authority on industrial cyber security commented: “The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft, likely for the purpose of counterfeiting. CIOs and other executives need to know about this attack and be assured that there are techniques and products available to defend against it.”

“Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations. Post Dragonfly, it is important that manufacturing companies secure core ICS through up-to-date best practice policies and industrially focused security technologies,” said Byres. “We know now that Stuxnet and Flame remained hidden in their target networks for years – by the time worms like these do damage or steal trade secrets, it is too late to defend against them.”

Download the white paper “Defending Against the Dragonfly Cyber Attacks, Part A – Identifying the Targets.”

Updates on the availability of all parts of the white paper are available at the Dragonfly Industrial Cyber Security Updates webpage.

About Belden

Belden Inc., a global leader in high-quality, end-to-end signal transmission solutions, delivers a comprehensive product portfolio designed to meet the mission-critical network infrastructure needs of industrial, enterprise and broadcast markets. With innovative solutions targeted at reliable and secure transmission of rapidly growing amounts of data, audio and video needed for today’s applications, Belden is at the center of the global transformation to a connected world. Founded in 1902, the company is headquartered in St. Louis and has manufacturing capabilities in North and South America, Europe and Asia. For more information, visit us at www.belden.com; follow us on Twitter @BeldenInc.

About Joel Langill and RedHat Cyber

Joel Langill is an independent security researcher, consultant, creator of the website SCADAhacker.com, and founder of RedHat Cyber. He approaches cyber security in a fashion similar to industrial functional safety and his services help companies improve the security and reliability of their automation and SCADA systems. Clients include end users, owner/operators, engineering contractors, system integrators, distributors, security partners and control system vendors around the globe. www.redhatcyber.comwww.scadahacker.com

Belden, Belden Sending All The Right Signals, Hirschmann, GarrettCom, Tofino Security and the Belden logo are trademarks or registered trademarks of Belden Inc. or its affiliated companies in the United States and other jurisdictions. Belden and other parties may also have trademark rights in other terms used herein.

 

Contact:
Belden
Berry Medendorp, +31 77 387 8555
[email protected]
or
Standing Partnership
Lindsay Auer, 314-287-6355
[email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.