Attacks/Breaches

9/6/2017
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

Recent attacks on energy sector targets suggest Dragonfly group has access to computers that control operational systems.

Concerns about the vulnerability of the US energy sector to cyberattacks resurfaced in a major way this week with a ominous warning from security firm Symantec about threat actors gaining the ability to potentially access and sabotage critical control systems.

In a report, Symantec said it has evidence showing that a previously known group it has dubbed Dragonfly has been carrying out a series of cyberattacks on energy sector targets in the US, Turkey, and Switzerland. Dragonfly, aka Energetic Bear out of Russia, has been associated with attacks on hundreds of organizations in the industrial, manufacturing, pharmaceutical, education, and construction sectors around the world since at least 2011.

The attacks have been going on since at least December 2015 and appear designed to gain access to systems used for power grid operations. Available evidence suggests that the intruders already have control of computers that have full access to such operational systems and thereby have the ability to disrupt them in future, Symantec said.

The latest wave of attacks suggests that the Dragonfly group has moved to a second, and markedly more dangerous phase in its operations. 

In the past, Dragonfly's attacks on power grid companies appeared to be focused on information gathering and learning how energy facilities operated. With the new attacks — which Symantec has christened Dragonfly 2.0 — the group seems to be applying that knowledge to try and gain access to operational systems in order to sabotage them.

The original Dragonfly campaign appears to have been exploratory in nature, while the new wave seems focused both on intelligence gathering and gaining access to operational systems, says Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response.

"There is only so much information that would be useful to an attacker from an energy-related victim," DiMaggio says. "If not for financial gain or to steal intellectual property, then it is likely the attacker's access would be to provide a strategic or military advantage. Turning off the power would do just that."

Cyberattacks on critical infrastructure targets have been a major concern in recent years. The 2012 Stuxnet attacks on Iran's uranium enrichment facility in Natanz was the first to demonstrate how malware could be used to cause massive physical damage to critical control equipment.

Those concerns came into sharp focus again in late 2015 and a year later in December 2016 when a series of cyberattacks caused widespread power outages in Ukraine. Some vendors have blamed the 2015 attacks on a Russian threat actor named Sandworm, which is believed to have infected systems at a power plant in the country with a disk-erasing tool delivered via the BlackEnergy Trojan.

Earlier this year, security researchers at ESET and Dragos identified the malware used in the 2016 attack in Ukraine as Industroyer or CrashOverride, developed by a threat group they dubbed ELECTRUM.

The two firms described the malware as custom designed to sabotage electric grid operations by taking advantage of a widely used communication protocol in industrial control systems. The malware was capable of working against equipment from any vendor so long as the systems used the vulnerable protocol.

In contrast to the sophisticated malware used in these previous campaigns, the malware used in the Dragonfly 2.0 attacks are more run-of-the-mill tools that appear to have been deliberately chosen to avoid attention and attribution.

"The attackers were observed living off the land to avoid detection and using multiple publicly available tools and resources making detection more difficult than the previous campaign," DiMaggio notes. Examples of such tools included PowerShell, Bitsadmin, and PsExec.

In some instances, the attackers have also been delivering backdoors and other malware using Flash updates and Trojanized versions of Windows applications such as MS Calc, Crash Reporter, and TCPview, he adds. The typical methods for distributing the malware have included spear phishing emails and watering hole attacks.

So far, Symantec has not observed any 0-day vulnerabilities or exploits being used in the Dragonfly 2.0 campaign. Some of the code strings in the malware used in the attacks have been in Russian while others have been in French, which suggests a deliberate attempt by the group to confuse security researchers about its origins, the security vendor said.

Galina Antova, co-founder of Claroty, says that reports about Russian actors being behind the Dragonfly 2.0 campaign are more than plausible. "This adversary has already taken down the Ukrainian power grid twice - in December 2015 and 2016," Antova says. "In addition to causing harm to Ukraine, these attacks may well have been a training ground for attackers that were practicing their tradecraft and building malware tools that can be used later against other targets."

At the same time, gaining access to control systems is the easy part, Antova notes. "In order to cause actual damage - for example, turning off breakers that control power flow — specific control system knowledge is necessary," she notes.

While groups like Sandworm have demonstrated their proficiency in Ukraine, "causing a large scale, cascading outage to the US grid is much more difficult and requires knowledge about safety systems and the resiliency controls that are in place," she notes. "But an attack causing widespread damage is not out of the realm of possibility."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, says that her company has a SCADA demonstration stand at the company's annual security conference where people have previously demonstrated how easy it is to attack control systems.

"In our experience, most infrastructure providers like energy companies are not well-prepared for an attack on their network," Galloway notes. "They don't have the necessary monitoring tools in place and do not carry out regular testing against their infrastructure."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.