Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10/22/2014
03:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Pharmaceuticals, Not Energy, May Have Been True Target Of Dragonfly, Energetic Bear

New research says the compromised companies were suppliers for OEMs that served pharma and biotech.

One of the biggest attack campaigns against critical infrastructure since Stuxnet might not actually have been aimed at critical infrastructure. New research on the Dragonfly, a.k.a. Energetic Bear, attacks that were first reported by F-Secure in June poses the theory that the group's true target was the pharmaceutical and biotechnology industry, not the energy sector.

In a report released today by the signal transmission solution company Belden, Joel Langill, an industrial control systems security expert at RedHat Cyber, explains why he thinks Dragonfly was attacking small companies that supply original equipment manufacturers, which in turn supply the pharma-biotech sector.

Though pharma has not been called out as a target before, researchers had warned against assumptions that the bull's eye was on energy companies. As Dark Reading's Kelly Jackson Higgins reported in June:

    [Sean Sullivan, a security adviser at F-Secure] worries that the conclusions have been pointing too quickly to an energy sector attack only. "This is a very broad-based" campaign to cripple adversaries, including via manufacturers that supply their armies with food and other crucial items.

[Read what Symantec and F-Secure had to say about Dragonfly/Energetic Bear and why Kaspersky thinks it's a yeti, not a bear, on Dark Reading.]

Langill's research "is not focused on reverse engineering and dissecting the malware. Rather, it concentrated on executing the malicious code on systems that would reflect real-world ICS configurations. The impacts on various host and network devices in a typical ICS were then observed."

As Langill describes it, the group first used spear phishing to collect data about targets' suppliers. They used that information to "focus their efforts on localizing and exploiting companies that supply the target sector," by "Trojanizing" those companies' software, compromising their websites' content management systems, and allowing visitors to download those Trojanized applications -- which included industrial control systems' utilities and drivers.

The report reveals the identities of three such companies: Mesa, a manufacturer of industrial cameras and related software; MB Connect Line, a supplier of remote maintenance solutions for production facilities and packaging machines; and eWon, a producer of industrial security appliances and portal software.

eWon offers solutions for programmable logic solutions suppliers, including Siemens, Rockwell Automation, Omron, Schneider Electric, Mitsubishi Electric, and Hitachi. Some of these vendors were also targeted by Dragonfly's industrial protocol scanner module that searched for devices on ports 44818, 102, and 502. From the report:

    Notice that these specific products and protocols are not ones that dominate the energy industry. Instead the products from eWON appear to be targeted at machine builders that provide original equipment manufacturer (OEM) solutions to sectors such as pharmaceutical and food and beverage.

The report also points out that eWon is part of the ACT'L Group, which includes BiiON, an industrial system integrator for the pharmaceutical and biotechnology industries, and KEOS, an environmental monitoring system common in pharmaceutical and life science facilities.

MB Connect Line supplies machine suppliers that supply to pharmaceuticals companies, and Mesa produces applications for automated guided vehicles that are common in pharmaceutical facilities.

All three companies are quite small -- Langill estimates fewer than 50 employees at each -- and use open-source content management systems on the websites that were compromised. He concludes:

    Logic would suggest it is much easier to compromise a small business' web servers than it would be to perform a similar attack against much larger corporations. Bigger organizations typically invest heavily in security for their public-facing cyber assets and normally do not depend on open-source software for their website CMS.

Though Dragonfly is now inactive, there is another operation, Epic Turla, which is still going and exhibits many of the same characteristics as Dragonfly -- spear phishing, watering holes, exploits of open-source content management systems, and downloads of Trojanized "trusted" software. From the report:

    It seems likely that the Dragonfly and Epic Turla campaigns are being run by the same masters for the same primary motive, namely industrial espionage against pharmaceutical companies. It also appears that the attackers are not just looking for the intellectual property associated with the product, but also information related to building facilities... The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.

Download the full report at http://info.belden.com/a-cyber-security-dragonfly-bc-lp (registration required).

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25414
PUBLISHED: 2021-06-17
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.
CVE-2021-32078
PUBLISHED: 2021-06-17
An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to element -2 of an array, aka CID-298a58e165e4.
CVE-2021-31818
PUBLISHED: 2021-06-17
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
CVE-2021-34825
PUBLISHED: 2021-06-17
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system.
CVE-2021-32944
PUBLISHED: 2021-06-17
A use-after-free issue exists in the DGN file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a memory corruption or arbitrary code execution, allowing attackers to cause a denial-of-service c...