Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/6/2017
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

Recent attacks on energy sector targets suggest Dragonfly group has access to computers that control operational systems.

Concerns about the vulnerability of the US energy sector to cyberattacks resurfaced in a major way this week with a ominous warning from security firm Symantec about threat actors gaining the ability to potentially access and sabotage critical control systems.

In a report, Symantec said it has evidence showing that a previously known group it has dubbed Dragonfly has been carrying out a series of cyberattacks on energy sector targets in the US, Turkey, and Switzerland. Dragonfly, aka Energetic Bear out of Russia, has been associated with attacks on hundreds of organizations in the industrial, manufacturing, pharmaceutical, education, and construction sectors around the world since at least 2011.

The attacks have been going on since at least December 2015 and appear designed to gain access to systems used for power grid operations. Available evidence suggests that the intruders already have control of computers that have full access to such operational systems and thereby have the ability to disrupt them in future, Symantec said.

The latest wave of attacks suggests that the Dragonfly group has moved to a second, and markedly more dangerous phase in its operations. 

In the past, Dragonfly's attacks on power grid companies appeared to be focused on information gathering and learning how energy facilities operated. With the new attacks — which Symantec has christened Dragonfly 2.0 — the group seems to be applying that knowledge to try and gain access to operational systems in order to sabotage them.

The original Dragonfly campaign appears to have been exploratory in nature, while the new wave seems focused both on intelligence gathering and gaining access to operational systems, says Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response.

"There is only so much information that would be useful to an attacker from an energy-related victim," DiMaggio says. "If not for financial gain or to steal intellectual property, then it is likely the attacker's access would be to provide a strategic or military advantage. Turning off the power would do just that."

Cyberattacks on critical infrastructure targets have been a major concern in recent years. The 2012 Stuxnet attacks on Iran's uranium enrichment facility in Natanz was the first to demonstrate how malware could be used to cause massive physical damage to critical control equipment.

Those concerns came into sharp focus again in late 2015 and a year later in December 2016 when a series of cyberattacks caused widespread power outages in Ukraine. Some vendors have blamed the 2015 attacks on a Russian threat actor named Sandworm, which is believed to have infected systems at a power plant in the country with a disk-erasing tool delivered via the BlackEnergy Trojan.

Earlier this year, security researchers at ESET and Dragos identified the malware used in the 2016 attack in Ukraine as Industroyer or CrashOverride, developed by a threat group they dubbed ELECTRUM.

The two firms described the malware as custom designed to sabotage electric grid operations by taking advantage of a widely used communication protocol in industrial control systems. The malware was capable of working against equipment from any vendor so long as the systems used the vulnerable protocol.

In contrast to the sophisticated malware used in these previous campaigns, the malware used in the Dragonfly 2.0 attacks are more run-of-the-mill tools that appear to have been deliberately chosen to avoid attention and attribution.

"The attackers were observed living off the land to avoid detection and using multiple publicly available tools and resources making detection more difficult than the previous campaign," DiMaggio notes. Examples of such tools included PowerShell, Bitsadmin, and PsExec.

In some instances, the attackers have also been delivering backdoors and other malware using Flash updates and Trojanized versions of Windows applications such as MS Calc, Crash Reporter, and TCPview, he adds. The typical methods for distributing the malware have included spear phishing emails and watering hole attacks.

So far, Symantec has not observed any 0-day vulnerabilities or exploits being used in the Dragonfly 2.0 campaign. Some of the code strings in the malware used in the attacks have been in Russian while others have been in French, which suggests a deliberate attempt by the group to confuse security researchers about its origins, the security vendor said.

Galina Antova, co-founder of Claroty, says that reports about Russian actors being behind the Dragonfly 2.0 campaign are more than plausible. "This adversary has already taken down the Ukrainian power grid twice - in December 2015 and 2016," Antova says. "In addition to causing harm to Ukraine, these attacks may well have been a training ground for attackers that were practicing their tradecraft and building malware tools that can be used later against other targets."

At the same time, gaining access to control systems is the easy part, Antova notes. "In order to cause actual damage - for example, turning off breakers that control power flow — specific control system knowledge is necessary," she notes.

While groups like Sandworm have demonstrated their proficiency in Ukraine, "causing a large scale, cascading outage to the US grid is much more difficult and requires knowledge about safety systems and the resiliency controls that are in place," she notes. "But an attack causing widespread damage is not out of the realm of possibility."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, says that her company has a SCADA demonstration stand at the company's annual security conference where people have previously demonstrated how easy it is to attack control systems.

"In our experience, most infrastructure providers like energy companies are not well-prepared for an attack on their network," Galloway notes. "They don't have the necessary monitoring tools in place and do not carry out regular testing against their infrastructure."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.