Attacks/Breaches

9/6/2017
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

Recent attacks on energy sector targets suggest Dragonfly group has access to computers that control operational systems.

Concerns about the vulnerability of the US energy sector to cyberattacks resurfaced in a major way this week with a ominous warning from security firm Symantec about threat actors gaining the ability to potentially access and sabotage critical control systems.

In a report, Symantec said it has evidence showing that a previously known group it has dubbed Dragonfly has been carrying out a series of cyberattacks on energy sector targets in the US, Turkey, and Switzerland. Dragonfly, aka Energetic Bear out of Russia, has been associated with attacks on hundreds of organizations in the industrial, manufacturing, pharmaceutical, education, and construction sectors around the world since at least 2011.

The attacks have been going on since at least December 2015 and appear designed to gain access to systems used for power grid operations. Available evidence suggests that the intruders already have control of computers that have full access to such operational systems and thereby have the ability to disrupt them in future, Symantec said.

The latest wave of attacks suggests that the Dragonfly group has moved to a second, and markedly more dangerous phase in its operations. 

In the past, Dragonfly's attacks on power grid companies appeared to be focused on information gathering and learning how energy facilities operated. With the new attacks — which Symantec has christened Dragonfly 2.0 — the group seems to be applying that knowledge to try and gain access to operational systems in order to sabotage them.

The original Dragonfly campaign appears to have been exploratory in nature, while the new wave seems focused both on intelligence gathering and gaining access to operational systems, says Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response.

"There is only so much information that would be useful to an attacker from an energy-related victim," DiMaggio says. "If not for financial gain or to steal intellectual property, then it is likely the attacker's access would be to provide a strategic or military advantage. Turning off the power would do just that."

Cyberattacks on critical infrastructure targets have been a major concern in recent years. The 2012 Stuxnet attacks on Iran's uranium enrichment facility in Natanz was the first to demonstrate how malware could be used to cause massive physical damage to critical control equipment.

Those concerns came into sharp focus again in late 2015 and a year later in December 2016 when a series of cyberattacks caused widespread power outages in Ukraine. Some vendors have blamed the 2015 attacks on a Russian threat actor named Sandworm, which is believed to have infected systems at a power plant in the country with a disk-erasing tool delivered via the BlackEnergy Trojan.

Earlier this year, security researchers at ESET and Dragos identified the malware used in the 2016 attack in Ukraine as Industroyer or CrashOverride, developed by a threat group they dubbed ELECTRUM.

The two firms described the malware as custom designed to sabotage electric grid operations by taking advantage of a widely used communication protocol in industrial control systems. The malware was capable of working against equipment from any vendor so long as the systems used the vulnerable protocol.

In contrast to the sophisticated malware used in these previous campaigns, the malware used in the Dragonfly 2.0 attacks are more run-of-the-mill tools that appear to have been deliberately chosen to avoid attention and attribution.

"The attackers were observed living off the land to avoid detection and using multiple publicly available tools and resources making detection more difficult than the previous campaign," DiMaggio notes. Examples of such tools included PowerShell, Bitsadmin, and PsExec.

In some instances, the attackers have also been delivering backdoors and other malware using Flash updates and Trojanized versions of Windows applications such as MS Calc, Crash Reporter, and TCPview, he adds. The typical methods for distributing the malware have included spear phishing emails and watering hole attacks.

So far, Symantec has not observed any 0-day vulnerabilities or exploits being used in the Dragonfly 2.0 campaign. Some of the code strings in the malware used in the attacks have been in Russian while others have been in French, which suggests a deliberate attempt by the group to confuse security researchers about its origins, the security vendor said.

Galina Antova, co-founder of Claroty, says that reports about Russian actors being behind the Dragonfly 2.0 campaign are more than plausible. "This adversary has already taken down the Ukrainian power grid twice - in December 2015 and 2016," Antova says. "In addition to causing harm to Ukraine, these attacks may well have been a training ground for attackers that were practicing their tradecraft and building malware tools that can be used later against other targets."

At the same time, gaining access to control systems is the easy part, Antova notes. "In order to cause actual damage - for example, turning off breakers that control power flow — specific control system knowledge is necessary," she notes.

While groups like Sandworm have demonstrated their proficiency in Ukraine, "causing a large scale, cascading outage to the US grid is much more difficult and requires knowledge about safety systems and the resiliency controls that are in place," she notes. "But an attack causing widespread damage is not out of the realm of possibility."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, says that her company has a SCADA demonstration stand at the company's annual security conference where people have previously demonstrated how easy it is to attack control systems.

"In our experience, most infrastructure providers like energy companies are not well-prepared for an attack on their network," Galloway notes. "They don't have the necessary monitoring tools in place and do not carry out regular testing against their infrastructure."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6970
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
CVE-2018-14781
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
CVE-2018-15123
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
CVE-2018-15124
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.
CVE-2018-15125
PUBLISHED: 2018-08-13
Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.