Symantec security researchers are warning that a group known as Dragonfly or Energetic Bear has compromised several energy grid operators, electricity generation firms, petroleum pipeline operators and industrial equipment providers in the U.S., Spain, France, Italy, Germany, Turkey and Poland.
Dragonfly's most ambitious campaign to date involved infecting several industrial control system (ICS) equipment providers' software with a remote access Trojan.
"This caused companies to install the malware when downloading software updates for computers running ICS equipment," the researchers explained in a recent blog post. "These infections not only gave the attackers a beachhead in the targeted organizations' networks, but also gave them the means to mount sabotage operations against infected ICS computers."
The researchers say that while the Stuxnet malware campaign was aimed specifically at sabotaging the Iranian nuclear program, the Dragonfly group is more broadly focused on espionage and persistent access, with the possibility of sabotage in the future.
The group, which appears to operate during business hours Monday through Friday in an Eastern European time zone, has been in operation since at least 2011.
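As an added illustration (not part of the article or Symantec's report), the Python sketch below shows the kind of analysis behind a working-hours claim like the one above: shift UTC activity timestamps into each candidate zone and count how many land in a weekday 09:00-17:00 window. The timestamps are constructed sample data, not real Dragonfly artefacts.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real Dragonfly artefacts): UTC times at which
# an analyst might have observed attacker activity, e.g. sample compile times
# or command-and-control check-ins. One Saturday entry is included as noise.
SAMPLE_UTC = [
    "2013-02-04T07:12:00", "2013-02-04T10:30:00",
    "2013-02-05T07:45:00", "2013-02-05T14:50:00",
    "2013-02-06T08:05:00", "2013-02-06T13:20:00",
    "2013-02-07T07:30:00", "2013-02-07T14:15:00",
    "2013-02-08T09:00:00", "2013-02-08T14:40:00",
    "2013-02-09T09:00:00",  # Saturday: never counts as business hours
]

WORK_START, WORK_END = 9, 17  # local 09:00-17:00 window, Monday to Friday


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and tag it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def in_business_hours(local: datetime) -> bool:
    """True if a tz-aware local time falls on a weekday within the work window."""
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(utc_times, offsets=range(-12, 15)) -> dict:
    """For each candidate UTC offset, count how many events land in business
    hours once shifted into that zone. Higher counts fit the hypothesis better."""
    scores = {}
    for off in offsets:
        zone = timezone(timedelta(hours=off))
        scores[off] = sum(in_business_hours(t.astimezone(zone)) for t in utc_times)
    return scores


def best_offsets(scores: dict) -> list:
    """Offsets sharing the top score; more than one means the data is ambiguous."""
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top)


if __name__ == "__main__":
    scores = score_offsets([parse_utc(t) for t in SAMPLE_UTC])
    for off in sorted(scores):
        print(f"UTC{off:+d}: {'#' * scores[off]}")
    print("best fit:", best_offsets(scores))  # [2] for this constructed sample
```

With real data the histogram is rarely this clean; a single best offset with a wide margin over its neighbours is what supports a time-zone inference, while a flat or multi-peaked result does not.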
It began by targeting defense and aviation companies in the U.S. and Canada, but shifted its focus to U.S. and European energy firms in early 2013. That campaign started in February 2013 with spear phishing emails delivering malware, then expanded in the summer of 2013 to include watering hole attacks that redirected visitors of energy industry-related websites to a site hosting an exploit kit.
The third phase of the campaign was the infection of legitimate software from three different ICS equipment manufacturers. In one case, the compromised software was downloaded 250 times before it was discovered.
The custom-built malware most frequently leveraged by the group, Backdoor.Oldrea, gathers system information from an infected computer, along with lists of files, programs installed, address book data, VPN configuration files, and the root of available drives. The stolen data is then sent to a remote command and control server.
"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," the researchers write. "The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process."
Adam Kujawa, head of malware intelligence at Malwarebytes, said by email that Dragonfly could well cause a significant amount of damage. "Intelligence gained from cyber espionage could be very useful in the right hands and if passwords, IP addresses, usernames, etc. had been pulled from infected systems that could allow attackers onto more secure networks and therefore enable direct control of energy resources," he said.
And according to RedSeal Networks CTO Dr. Mike Lloyd, these attacks demonstrate a worrying shift. "There is a nasty convergence happening as we speak: our lives are getting ever more dependent on reliable, secure availability of energy, but at the same time, the infrastructure of energy companies is getting more complicated," he said. "This complexity adds weakness, and multiplies the pathways attackers can exploit."