One of the biggest attack campaigns against critical infrastructure since Stuxnet might not actually have been aimed at critical infrastructure. New research on the Dragonfly, a.k.a. Energetic Bear, attacks that were first reported by F-Secure in June poses the theory that the group's true target was the pharmaceutical and biotechnology industry, not the energy sector.
In a report released today by the signal transmission solution company Belden, Joel Langill, an industrial control systems security expert at RedHat Cyber, explains why he thinks Dragonfly was attacking small companies that supply original equipment manufacturers, which in turn supply the pharma-biotech sector.
Though pharma has not been called out as a target before, researchers had warned against assumptions that the bull's eye was on energy companies. As Dark Reading's Kelly Jackson Higgins reported in June:
[Read what Symantec and F-Secure had to say about Dragonfly/Energetic Bear and why Kaspersky thinks it's a yeti, not a bear, on Dark Reading.]
Langill's research "is not focused on reverse engineering and dissecting the malware. Rather, it concentrated on executing the malicious code on systems that would reflect real-world ICS configurations. The impacts on various host and network devices in a typical ICS were then observed."
As Langill describes it, the group first used spear phishing to collect data about targets' suppliers. They used that information to "focus their efforts on localizing and exploiting companies that supply the target sector," by "Trojanizing" those companies' software, compromising their websites' content management systems, and allowing visitors to download those Trojanized applications -- which included industrial control systems' utilities and drivers.
The report reveals the identities of three such companies: Mesa, a manufacturer of industrial cameras and related software; MB Connect Line, a supplier of remote maintenance solutions for production facilities and packaging machines; and eWon, a producer of industrial security appliances and portal software.
eWon offers solutions for programmable logic solutions suppliers, including Siemens, Rockwell Automation, Omron, Schneider Electric, Mitsubishi Electric, and Hitachi. Some of these vendors were also targeted by Dragonfly's industrial protocol scanner module that searched for devices on ports 44818, 102, and 502. From the report:
The report also points out that eWon is part of the ACT'L Group, which includes BiiON, an industrial system integrator for the pharmaceutical and biotechnology industries, and KEOS, an environmental monitoring system common in pharmaceutical and life science facilities.
MB Connect Line supplies machine suppliers that supply to pharmaceuticals companies, and Mesa produces applications for automated guided vehicles that are common in pharmaceutical facilities.
All three companies are quite small -- Langill estimates fewer than 50 employees at each -- and use open-source content management systems on the websites that were compromised. He concludes:
Though Dragonfly is now inactive, there is another operation, Epic Turla, which is still going and exhibits many of the same characteristics as Dragonfly -- spear phishing, watering holes, exploits of open-source content management systems, and downloads of Trojanized "trusted" software. From the report:
Download the full report at http://info.belden.com/a-cyber-security-dragonfly-bc-lp (registration required).
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio