The attacks, revealed by researchers at Symantec today, are the work of a group known as Dragonfly that has been active for several years. Researchers have been tracking the group’s activity since 2011, but in the last few months the attackers have ramped up their work, targeting the operational networks of numerous energy companies in the U.S., Switzerland, and Turkey.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” Symantec researchers wrote in a report published Wednesday.
“Symantec has evidence indicating that the Dragonfly 2.0 campaign has been underway since at least December 2015 and has identified a distinct increase in activity in 2017. Symantec has strong indications of attacker activity in organizations in the U.S., Turkey, and Switzerland, with traces of activity in organizations outside of these countries. The U.S. and Turkey were also among the countries targeted by Dragonfly in its earlier campaign, though the focus on organizations in Turkey does appear to have increased dramatically in this more recent campaign.”
The new research paints a troubling picture of Dragonfly’s activities and of the security of the energy companies’ networks. Dragonfly uses a variety of tactics to gain access to target organizations, including highly targeted phishing emails, watering hole attacks, and even compromising legitimate software packages. The latest campaign began in late 2015 with a round of phishing emails and continued throughout 2016 and 2017 with further malicious emails whose content was specifically related to the energy sector. The messages carried rigged document attachments that, when opened, attempted to leak the victim’s network credentials to a server outside the organization.
“The stolen credentials were then used in follow-up attacks against the target organizations. In one instance, after a victim visited one of the compromised servers, Backdoor.Goodor was installed on their machine via PowerShell 11 days later. Backdoor.Goodor provides the attackers with remote access to the victim’s machine,” the researchers said.
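The credential-leaking documents and the follow-up access described above leave a network-level trace a defender can look for. The script below is an added example, not code from the article or from Symantec; it assumes the leak takes the common form of the document forcing an outbound Windows file-sharing (SMB, TCP 139/445) authentication to an attacker-controlled host, which is not stated on this page. It parses constructed firewall log lines (a made-up format) and flags any workstation that attempts an SMB connection to an address outside the organisation’s own RFC 1918 ranges, whether or not the firewall allowed it, since a denied attempt still shows that a document tried to reach out.

```python
import ipaddress
import re

# Constructed sample firewall log lines for illustration; not from the article
# or Symantec's report. The two lines with external SMB destinations are the
# pattern a credential-leaking document would produce.
SAMPLE_LOGS = [
    "2017-07-12T09:14:02Z src=10.20.31.17 dst=10.20.5.4 dport=445 proto=tcp action=allow",
    "2017-07-12T09:14:09Z src=10.20.31.17 dst=203.0.113.45 dport=445 proto=tcp action=allow",
    "2017-07-12T09:15:11Z src=10.20.31.17 dst=198.51.100.9 dport=443 proto=tcp action=allow",
    "2017-07-12T09:16:30Z src=10.20.44.8 dst=192.0.2.77 dport=139 proto=tcp action=deny",
    "2017-07-12T09:17:01Z src=10.20.44.8 dst=10.20.5.4 dport=80 proto=tcp action=allow",
    "this line is malformed and must be skipped",
]

# Hypothetical key=value log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Ports used by SMB/NetBIOS session traffic; an outbound connection here from a
# workstation to the Internet is almost never legitimate.
SMB_PORTS = {139, 445}

# Address space treated as "inside". Documentation ranges such as 203.0.113.0/24
# are deliberately NOT listed so they count as external attacker hosts here.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True if addr falls inside one of the organisation's internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_credential_leak_candidates(lines):
    """Flag outbound SMB attempts from internal hosts to external addresses.

    Both allowed and denied attempts are returned: the attempt itself is the
    indicator that a document on the source host tried to authenticate outward.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        if rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def sources_to_investigate(lines):
    """Distinct internal hosts that should be checked for follow-up activity,
    such as the later PowerShell-delivered backdoor the article describes."""
    return sorted({h["src"] for h in find_credential_leak_candidates(lines)})


if __name__ == "__main__":
    for hit in find_credential_leak_candidates(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['action']})")
    print("hosts to investigate:", sources_to_investigate(SAMPLE_LOGS))
```

Each flagged source host is a candidate for the follow-up stage the report describes: the stolen credentials being reused, and a backdoor arriving days later via PowerShell, so the natural next step is to pull process-creation and PowerShell logs for those hosts over the following weeks, not just the day of the attempt.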
These attacks are particularly worrisome because, according to Symantec, they may have given the Dragonfly group access not only to the companies’ corporate IT networks but also to the separate operational networks that actually run the power systems in the targeted countries. With that level of access, the attackers could potentially cause disruptions, including power outages. This latter stage of the Dragonfly attacks appears to be a direct follow-up to the earlier intrusions, in which the group used lower-level access to learn about the target organizations’ networks and operations.
“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future,” Symantec said in its report.
There have already been cyberattacks that caused power outages, including two in Ukraine in the last two years (in December 2015 and December 2016). The Dragonfly group hasn’t been tied to either of those incidents, but researchers believe the group has the capability to cause serious disruption to the organizations it has compromised.
“What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems. What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so,” Symantec’s researchers said.