Attacks/Breaches

9/6/2017
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

Recent attacks on energy sector targets suggest Dragonfly group has access to computers that control operational systems.

Concerns about the vulnerability of the US energy sector to cyberattacks resurfaced in a major way this week with a ominous warning from security firm Symantec about threat actors gaining the ability to potentially access and sabotage critical control systems.

In a report, Symantec said it has evidence showing that a previously known group it has dubbed Dragonfly has been carrying out a series of cyberattacks on energy sector targets in the US, Turkey, and Switzerland. Dragonfly, aka Energetic Bear out of Russia, has been associated with attacks on hundreds of organizations in the industrial, manufacturing, pharmaceutical, education, and construction sectors around the world since at least 2011.

The attacks have been going on since at least December 2015 and appear designed to gain access to systems used for power grid operations. Available evidence suggests that the intruders already have control of computers that have full access to such operational systems and thereby have the ability to disrupt them in future, Symantec said.

The latest wave of attacks suggests that the Dragonfly group has moved to a second, and markedly more dangerous phase in its operations. 

In the past, Dragonfly's attacks on power grid companies appeared to be focused on information gathering and learning how energy facilities operated. With the new attacks — which Symantec has christened Dragonfly 2.0 — the group seems to be applying that knowledge to try and gain access to operational systems in order to sabotage them.

The original Dragonfly campaign appears to have been exploratory in nature, while the new wave seems focused both on intelligence gathering and gaining access to operational systems, says Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response.

"There is only so much information that would be useful to an attacker from an energy-related victim," DiMaggio says. "If not for financial gain or to steal intellectual property, then it is likely the attacker's access would be to provide a strategic or military advantage. Turning off the power would do just that."

Cyberattacks on critical infrastructure targets have been a major concern in recent years. The 2012 Stuxnet attacks on Iran's uranium enrichment facility in Natanz was the first to demonstrate how malware could be used to cause massive physical damage to critical control equipment.

Those concerns came into sharp focus again in late 2015 and a year later in December 2016 when a series of cyberattacks caused widespread power outages in Ukraine. Some vendors have blamed the 2015 attacks on a Russian threat actor named Sandworm, which is believed to have infected systems at a power plant in the country with a disk-erasing tool delivered via the BlackEnergy Trojan.

Earlier this year, security researchers at ESET and Dragos identified the malware used in the 2016 attack in Ukraine as Industroyer or CrashOverride, developed by a threat group they dubbed ELECTRUM.

The two firms described the malware as custom designed to sabotage electric grid operations by taking advantage of a widely used communication protocol in industrial control systems. The malware was capable of working against equipment from any vendor so long as the systems used the vulnerable protocol.

In contrast to the sophisticated malware used in these previous campaigns, the malware used in the Dragonfly 2.0 attacks are more run-of-the-mill tools that appear to have been deliberately chosen to avoid attention and attribution.

"The attackers were observed living off the land to avoid detection and using multiple publicly available tools and resources making detection more difficult than the previous campaign," DiMaggio notes. Examples of such tools included PowerShell, Bitsadmin, and PsExec.

In some instances, the attackers have also been delivering backdoors and other malware using Flash updates and Trojanized versions of Windows applications such as MS Calc, Crash Reporter, and TCPview, he adds. The typical methods for distributing the malware have included spear phishing emails and watering hole attacks.

So far, Symantec has not observed any 0-day vulnerabilities or exploits being used in the Dragonfly 2.0 campaign. Some of the code strings in the malware used in the attacks have been in Russian while others have been in French, which suggests a deliberate attempt by the group to confuse security researchers about its origins, the security vendor said.

Galina Antova, co-founder of Claroty, says that reports about Russian actors being behind the Dragonfly 2.0 campaign are more than plausible. "This adversary has already taken down the Ukrainian power grid twice - in December 2015 and 2016," Antova says. "In addition to causing harm to Ukraine, these attacks may well have been a training ground for attackers that were practicing their tradecraft and building malware tools that can be used later against other targets."

At the same time, gaining access to control systems is the easy part, Antova notes. "In order to cause actual damage - for example, turning off breakers that control power flow — specific control system knowledge is necessary," she notes.

While groups like Sandworm have demonstrated their proficiency in Ukraine, "causing a large scale, cascading outage to the US grid is much more difficult and requires knowledge about safety systems and the resiliency controls that are in place," she notes. "But an attack causing widespread damage is not out of the realm of possibility."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, says that her company has a SCADA demonstration stand at the company's annual security conference where people have previously demonstrated how easy it is to attack control systems.

"In our experience, most infrastructure providers like energy companies are not well-prepared for an attack on their network," Galloway notes. "They don't have the necessary monitoring tools in place and do not carry out regular testing against their infrastructure."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.