Dragonfly Swoops Down on Energy Firms
A group of cyberthugs suspected of having ties with Russia may be transitioning from espionage to sabotage against American and European energy companies. Known as "Dragonfly" or "Energetic Bear" since it emerged in 2011, the group and its tools are still active. "There remains a risk," said Symantec's Eric Chien. "Components are still being downloaded from C&C servers following infection."
Jul 1, 2014 1:56 PM PT
The energy industry in the United States and Europe is being targeted by a cybercriminal gang that's suspected of being state-sponsored and has links to Russia.
Known variously as "Dragonfly" and "Energetic Bear," the group has been operating at least since 2011.
Its focus appears to be espionage and persistent access, with a side dish of sabotage as required, Symantec said.
It has changed tactics of late, and it appears the group is "less interested in general espionage" and is possibly moving more toward sabotage, remarked Eric Chien, technical director at Symantec Security Response.
Targets include energy grid operators, electricity generation companies, petroleum pipeline operators and energy industry industrial equipment providers, mainly in the U.S., Spain, France, Italy, Germany, Turkey and Poland, Symantec said.
Financial and high-tech companies also have been targeted over the past two years, Adam Meyers, vice president of intelligence at Crowdstrike, told TechNewsWorld.
Who Are These People?
Dragonfly has a range of malware tools at its disposal and can launch attacks through a number of different vectors, Symantec said. The gang initially targeted defense and aviation firms in the U.S. and Canada before focusing on energy companies in the U.S. and EU in early 2013.
It began phishing energy companies, then added watering hole attacks and went on to compromise three industrial control systems (ICS) manufacturers' software, infecting it with a remote-access Trojan that invaded victims' systems when they downloaded updates.
Crowdstrike's Global Threat Report 2013 identified the gang, which it calls "Energetic Bear," as a Russian group with links to the Russian Federation.
Symantec has been tracking "about 1,000 compromises, but these may be multiple systems in the same organization," Chien told TechNewsWorld. Most of the attacks occurred in 2013.
Dragonfly uses two remote access tools in its attacks.
It prefers the "Backdoor.Oldrea" RAT, also known as "Havex" or "Energetic Bear," Symantec said.
Oldrea, which acts as a back door for attacks on victims' PCs, appears to have been custom written.
The other RAT, which Symantec dubbed "Trojan.Karagany," is available on the underground market.
Dragonfly has modified its source code, according to Symantec, which named the modified version "Trojan.laragany!gen1."
Crowdstrike named the two RATs "Havex RAT" and "SYSMain RAT". The two are closely related, with several TTP (trusted third party) overlaps and code reuse, it noted.
Havex RAT might be a newer version of SysMain RAT, and there are more than 25 versions of the Havex RAT, Crowdstrike said. Each version installs itself as a DLL, with a name beginning with the word "TMPprovider."
Both RATs gather system information, lists of files, programs installed, and the roots of available drives, among other things, and send the data to a remote command-and-control server controlled by the attackers.
Most C&C servers appear to be hosted on compromised servers running content management systems, Symantec said.
In its watering hole attacks, Dragonfly injected an Iframe into various energy-related websites that redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit, Symantec said.
A Clear and Present Danger
"There remains a risk as the group is still active as of today, and the tools are still active," Symantec's Chien said.
"Components are still being downloaded from C&C servers following infection," he continued, adding that the attackers "have the ability to choose which components to send to their victims."
There has been "a marked increase in activity" leading up to early 2014, Crowdstrike's Meyers said. "The ICS vendor attacks we were aware of occurred as early in January, and at least one vendor admitted to 250 downloads of the infected software package. However, Energetic Bear has begun going quiet in the past few months."
The gang's attacks "are quite serious" and defense against the malware is "non-trivial," he warned.
Technology that lets potential victims rapidly identify attacks "is critical to finding and mitigating these attacks," Meyers said, noting that superior threat intelligence also is important to stay ahead of the game.