Attacks/Breaches

9/6/2017
03:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Dragonfly' APT Now Able to Disrupt US Power Grid Operations, Symantec Warns

Recent attacks on energy sector targets suggest Dragonfly group has access to computers that control operational systems.

Concerns about the vulnerability of the US energy sector to cyberattacks resurfaced in a major way this week with a ominous warning from security firm Symantec about threat actors gaining the ability to potentially access and sabotage critical control systems.

In a report, Symantec said it has evidence showing that a previously known group it has dubbed Dragonfly has been carrying out a series of cyberattacks on energy sector targets in the US, Turkey, and Switzerland. Dragonfly, aka Energetic Bear out of Russia, has been associated with attacks on hundreds of organizations in the industrial, manufacturing, pharmaceutical, education, and construction sectors around the world since at least 2011.

The attacks have been going on since at least December 2015 and appear designed to gain access to systems used for power grid operations. Available evidence suggests that the intruders already have control of computers that have full access to such operational systems and thereby have the ability to disrupt them in future, Symantec said.

The latest wave of attacks suggests that the Dragonfly group has moved to a second, and markedly more dangerous phase in its operations. 

In the past, Dragonfly's attacks on power grid companies appeared to be focused on information gathering and learning how energy facilities operated. With the new attacks — which Symantec has christened Dragonfly 2.0 — the group seems to be applying that knowledge to try and gain access to operational systems in order to sabotage them.

The original Dragonfly campaign appears to have been exploratory in nature, while the new wave seems focused both on intelligence gathering and gaining access to operational systems, says Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response.

"There is only so much information that would be useful to an attacker from an energy-related victim," DiMaggio says. "If not for financial gain or to steal intellectual property, then it is likely the attacker's access would be to provide a strategic or military advantage. Turning off the power would do just that."

Cyberattacks on critical infrastructure targets have been a major concern in recent years. The 2012 Stuxnet attacks on Iran's uranium enrichment facility in Natanz was the first to demonstrate how malware could be used to cause massive physical damage to critical control equipment.

Those concerns came into sharp focus again in late 2015 and a year later in December 2016 when a series of cyberattacks caused widespread power outages in Ukraine. Some vendors have blamed the 2015 attacks on a Russian threat actor named Sandworm, which is believed to have infected systems at a power plant in the country with a disk-erasing tool delivered via the BlackEnergy Trojan.

Earlier this year, security researchers at ESET and Dragos identified the malware used in the 2016 attack in Ukraine as Industroyer or CrashOverride, developed by a threat group they dubbed ELECTRUM.

The two firms described the malware as custom designed to sabotage electric grid operations by taking advantage of a widely used communication protocol in industrial control systems. The malware was capable of working against equipment from any vendor so long as the systems used the vulnerable protocol.

In contrast to the sophisticated malware used in these previous campaigns, the malware used in the Dragonfly 2.0 attacks are more run-of-the-mill tools that appear to have been deliberately chosen to avoid attention and attribution.

"The attackers were observed living off the land to avoid detection and using multiple publicly available tools and resources making detection more difficult than the previous campaign," DiMaggio notes. Examples of such tools included PowerShell, Bitsadmin, and PsExec.

In some instances, the attackers have also been delivering backdoors and other malware using Flash updates and Trojanized versions of Windows applications such as MS Calc, Crash Reporter, and TCPview, he adds. The typical methods for distributing the malware have included spear phishing emails and watering hole attacks.

So far, Symantec has not observed any 0-day vulnerabilities or exploits being used in the Dragonfly 2.0 campaign. Some of the code strings in the malware used in the attacks have been in Russian while others have been in French, which suggests a deliberate attempt by the group to confuse security researchers about its origins, the security vendor said.

Galina Antova, co-founder of Claroty, says that reports about Russian actors being behind the Dragonfly 2.0 campaign are more than plausible. "This adversary has already taken down the Ukrainian power grid twice - in December 2015 and 2016," Antova says. "In addition to causing harm to Ukraine, these attacks may well have been a training ground for attackers that were practicing their tradecraft and building malware tools that can be used later against other targets."

At the same time, gaining access to control systems is the easy part, Antova notes. "In order to cause actual damage - for example, turning off breakers that control power flow — specific control system knowledge is necessary," she notes.

While groups like Sandworm have demonstrated their proficiency in Ukraine, "causing a large scale, cascading outage to the US grid is much more difficult and requires knowledge about safety systems and the resiliency controls that are in place," she notes. "But an attack causing widespread damage is not out of the realm of possibility."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, says that her company has a SCADA demonstration stand at the company's annual security conference where people have previously demonstrated how easy it is to attack control systems.

"In our experience, most infrastructure providers like energy companies are not well-prepared for an attack on their network," Galloway notes. "They don't have the necessary monitoring tools in place and do not carry out regular testing against their infrastructure."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Attract More Women Into Cybersecurity - Now
Dawn Kawamoto, Associate Editor, Dark Reading,  1/12/2018
Researchers Offer a 'VirusTotal for ICS'
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.