Symantec researchers recently uncovered a new wave of cyber attacks targeting the energy sector in Europe and North America, with the potential to disrupt operations at target companies.
The group behind the attacks, known as Dragonfly, has been in operation since 2011 but was relatively quiet for a while after it was first exposed in 2014. The new campaign, which Symantec is calling Dragonfly 2.0, appears to have been launched in late 2015, with an increase in activity this year.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” the Symantec researchers wrote in a blog post detailing the attacks.
Symantec has seen clear indications of attacks in the U.S., Turkey and Switzerland, with some traces of activity in other countries as well. Symantec cyber security researcher Eric Chien told Reuters that dozens of companies have been targeted, and a handful, including in the U.S., have been compromised on the operational level.
“As it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software,” the researchers noted.
The focus appears to be on installing backdoors onto victims’ computers to provide the attackers with remote access and the ability to install additional tools if needed. Backdoors used by Dragonfly include Goodor, Karagany.B, Dorshel and Trojan.Heriplor.
“Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly, and is one of the strongest indications that the group that targeted the western energy sector between 2011 and 2014 is the same group that is behind the more recent attacks,” the researchers wrote. “This custom malware is not available on the black market, and has not been observed being used by any other known attack groups.”
While the initial Dragonfly campaigns appeared to be focused on simply gaining access to target networks, Symantec suggests that Dragonfly 2.0 may be entering a new phase with a focus on accessing operational systems and the potential for destructive attacks.
RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that the attacks clearly show that cyber criminals are expanding their efforts in the energy sector. “Critical infrastructure is clearly becoming more of a target for hackers as it provides access not only to sensitive information but the ability to dramatically impact and/or harm large numbers of people,” he said.
In response, Fantuzzi said, it’s crucial for energy companies to undergo a thorough security risk assessment and prioritize ongoing risk management. “Unfortunately, security defenses protecting these systems have often been neglected or routinely deprioritized, and as a result, are substandard or completely outdated, thus giving cyber criminals an easy entry into these networks,” he said.
David Zahn, general manager of the cybersecurity business unit at PAS, said by email that this news should be a wakeup call for all critical infrastructure companies. “Even basics like knowing what cyber assets are in a power plant or industrial facility are missing today,” he said.
“If you cannot see it, you cannot secure it,” Zahn added. “If you cannot secure it, then understand that it may get worse before it gets better. Additional attention and investment are needed if we are to get ahead of these threats.”