DragonFly Group attacks energy companies in the US in hacking campaign against power and utilities sector. Attackers gain access to SCADA networks in APT attack.
Earlier this week, Symantec released a report detailing a sophisticated attack campaign against power and utilities companies in the United States and Europe. Symantec attributes the attacks to the Dragonfly group, which other researchers track as Energetic Bear and have tied to the Russian government. The group has used malicious emails, watering hole attacks, and Trojanized software to compromise power and utility companies, first gaining access, then learning how facilities operate, and in some cases gaining the ability to sabotage the systems controlling electricity production, transmission, or distribution.
Over the past six months, Dragonfly 2.0 attackers have gained access to the networks of roughly 20 target companies. In several cases this included access to the interfaces used to operate equipment such as circuit breakers, giving the attackers the ability to interrupt the flow of electricity to US homes and businesses. Symantec first reported on Dragonfly in 2014, after which the group went quiet; its activity increased markedly in the past six months, with new attack campaigns and malware variants in use.
The attacks are most likely intelligence-gathering operations to map energy company systems and networks, positioning the attackers for future sabotage. The same pattern is visible in the Stuxnet operation: sabotage is usually preceded by reconnaissance that maps the target environment and gathers the information needed to build the next malware version. Stuxnet's payload against the programmable logic controllers driving the centrifuges at Natanz required detailed knowledge of that environment, and the related Duqu malware, discovered in 2011 and built on the same code base, carries no sabotage payload at all; Symantec assessed it as a pure information-gathering tool intended to prepare a future Stuxnet-like attack.
Symantec traces the Dragonfly 2.0 campaign back to December 2015, when a malicious email disguised as an invitation to a New Year's Eve party was sent to energy-sector targets. Phishing continued throughout the campaign, often with a Microsoft Word attachment themed as an environmental report or a resume. Cisco's Talos Intelligence team documented these attachments in July 2017: rather than carrying a macro or an exploit, the DOCX uses template injection. Its relationship metadata points the document's attached template at an attacker-controlled SMB server, so when Word opens the file it connects out on TCP port 445 to fetch the template, and Windows silently authenticates to that server, leaking the user's NTLM challenge-response for offline cracking. Symantec notes the campaign used the Phishery toolkit to build these credential-stealing documents.
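The template injection described above is visible in the document's own metadata: a DOCX is a zip archive, and a remote attached template shows up as a `Relationship` of type `attachedTemplate` with `TargetMode="External"` in `word/_rels/settings.xml.rels`. The following Python is an added example, not code from the original article, Talos, or the Phishery project; it builds a constructed minimal DOCX (not a real phishing sample) with such a relationship and then scans it, distinguishing a remote UNC or `file://host/` target, which makes Word open an SMB session and leak credentials, from a harmless local template path. The `build_sample_docx` helper and the addresses used are assumptions for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Relationship parts where an attached template can be declared (settings.xml.rels is the usual one).
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def remote_host(target):
    """Return the remote host named by a UNC path or file/http(s) URL, or None for a local path.

    ``\\\\203.0.113.10\\share\\t.dotm`` and ``file://203.0.113.10/t.dotm`` name a host;
    ``file:///C:\\Users\\me\\Normal.dotm`` (three slashes, empty host) is local and returns None.
    """
    m = re.match(r"^\\\\([^\\]+)\\", target)
    if m:
        return m.group(1)
    m = re.match(r"(?i)^(?:file|https?)://([^/\\]+)[/\\]", target)
    return m.group(1) if m else None


def is_smb_target(target):
    """UNC paths and file:// URLs are fetched over SMB (or WebDAV), where NTLM authentication leaks."""
    return target.startswith("\\\\") or re.match(r"(?i)^file://", target) is not None


def find_remote_templates(docx_bytes):
    """Scan a DOCX and return one dict per attached template that points at a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                host = remote_host(target)
                if host:  # local templates (Normal.dotm etc.) are not reported
                    findings.append({"part": part, "target": target,
                                     "host": host, "smb": is_smb_target(target)})
    return findings


def build_sample_docx(template_target):
    """Constructed minimal DOCX whose settings part declares an attached template at template_target.

    This is a test fixture for the scanner, not a real phishing document; it contains no content.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{escape(template_target, {chr(34): "&quot;"})}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed targets: a UNC path to an external SMB server, a local template, and an HTTPS template.
    for target in (r"\\203.0.113.10\share\template.dotm",
                   r"file:///C:\Users\analyst\Templates\Normal.dotm",
                   "https://203.0.113.10/report.dotx"):
        print(target, "->", find_remote_templates(build_sample_docx(target)))
```

An HTTPS target is reported too but flagged `smb: False`: Word fetches it without an SMB session, so it only leaks credentials if the server demands authentication (the prompt-based trick Phishery uses), whereas a UNC or `file://host/` target triggers a silent NTLM exchange. Real mail gateways should apply the same check to DOCX, DOTX and RTF attachments before delivery.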
The Dragonfly group has also used supply chain attacks to reach victims in the electric sector. In the 2014 campaign it compromised industrial control system (ICS) equipment providers and replaced the legitimate software downloads on their sites with versions bundling a remote access Trojan; when utilities installed those updates, their ICS hosts were infected. The group used two main malware tools, Backdoor.Oldrea and Trojan.Karagany. Oldrea, also known as Havex or the Energetic Bear RAT, acts as a back door that gives the attackers access to a target computer and lets them install further malware. Karagany is an information-gathering tool that uploads stolen data and downloads and runs new malicious executables. Its next evolution, Trojan.Karagany.B, was recently used by Dragonfly 2.0.
In addition, Dragonfly has consistently used watering hole attacks, compromising energy-related websites and injecting a malicious iframe. The iframe redirected visitors to a compromised website hosting the Lightsout exploit kit or its successor, the Hello exploit kit, which exploited Java or Internet Explorer vulnerabilities to drop malware on the visitor's system. Dragonfly 2.0 reused this pattern, this time with watering holes aimed at harvesting network credentials to gain access.
Stolen credentials, and access obtained through supply chain attacks, were used in follow-up intrusions to install remote-access malware, including Backdoor.Goodor and Backdoor.Dorshel. Once inside, the attackers mapped the target environment and escalated privileges, working toward the industrial control systems that manage the power grid, and exfiltrated data to remote command and control servers. No physical impact was reported during this campaign, but in several cases the attackers did gain access to supervisory control and data acquisition (SCADA) systems and could have taken electricity production, transmission, or distribution offline remotely.
Throughout the 2014 and 2017 campaigns, Dragonfly used advanced, custom-developed malware as well as customized versions of publicly available tools. The attacks were both broad (watering holes on energy sector websites) and narrowly targeted (spear phishing of executives at specific companies). The persistence of the attackers, combined with their technical capability, makes the threat a severe risk to energy companies in the U.S. and Europe.
Traditional security best practices mitigate many of the risks posed by Dragonfly. One attack vector is used consistently by the group: phishing email. Dragonfly 1.0 began with an email campaign targeting senior employees with a malicious PDF attachment, and Dragonfly 2.0 relied on malicious Word attachments. Training and awareness activities help employees recognize phishing and reduce infections through malicious links or attachments. Email security can block malicious messages and strip risky attachments, and web filtering or firewalls can block outbound connections to known command and control addresses. Because the template injection attachments leak credentials by making Word connect to an external SMB server, blocking outbound TCP port 445 at the network perimeter defeats that technique outright. Finally, two-factor authentication adds a layer of protection so that a stolen password alone is not enough for the attackers to log in.
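The egress controls above can be checked against firewall logs directly: any internal host reaching an external address on the SMB ports, or any connection to an address on a threat-intelligence list, should raise an alert even when the firewall allowed it. The following Python is an added example, not code from the original article or from any vendor product; the log format, the internal address space, and the command and control indicator `198.51.100.77` are constructed for the demonstration (the indicator is a documentation address, not real Dragonfly infrastructure).

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address space is RFC 1918 only. Adjust for your network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# SMB and NetBIOS session ports: legitimate traffic never needs these to leave the perimeter,
# and remote-template credential theft depends on them.
BLOCKED_EGRESS_PORTS = {445, 139}
# Hypothetical command and control indicators from a threat-intel feed (constructed, not real IOCs).
C2_IOCS = {"198.51.100.77"}


def is_internal(ip):
    """True when the address falls inside the networks we treat as 'inside'."""
    return any(ip in net for net in INTERNAL_NETS)


def classify(record):
    """Return a list of alert reasons for one firewall record; empty when nothing is wrong."""
    src, dst = ip_address(record["src"]), ip_address(record["dst"])
    dport = int(record["dport"])
    reasons = []
    if is_internal(src) and not is_internal(dst):
        if dport in BLOCKED_EGRESS_PORTS:
            reasons.append(f"outbound SMB/NetBIOS to {dst}:{dport}")
        if str(dst) in C2_IOCS:
            reasons.append(f"connection to known C2 address {dst}")
    return reasons


def scan(log_text):
    """Parse a CSV firewall export and return (timestamp, source, reason) tuples for every alert."""
    alerts = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        for reason in classify(rec):
            # A 'deny' record is still worth alerting on: the endpoint tried to leak credentials.
            tag = "(blocked) " if rec.get("action") == "deny" else ""
            alerts.append((rec["ts"], rec["src"], tag + reason))
    return alerts


# Constructed sample export: an internal file-server session, a remote-template fetch to an
# external SMB server, a TLS session to the C2 indicator, and ordinary web browsing.
SAMPLE_LOG = """ts,src,dst,dport,proto,action
2017-09-06T10:01:12Z,10.20.30.41,10.20.30.5,445,tcp,allow
2017-09-06T10:02:55Z,10.20.30.41,203.0.113.10,445,tcp,allow
2017-09-06T10:03:07Z,10.20.30.41,198.51.100.77,443,tcp,allow
2017-09-06T10:04:19Z,10.20.30.42,93.184.216.34,443,tcp,allow
"""

if __name__ == "__main__":
    for ts, src, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}")
```

The internal ranges are listed explicitly rather than using `ip_address(...).is_private`, because Python also classifies the documentation ranges used in the sample (and other special-purpose blocks) as private, which would hide exactly the external destinations the check is meant to catch. The second sample line is the signature of the template injection attachment: a workstation that has just opened a document talking SMB to an address outside the organization.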
Several of the malware families used by Dragonfly, both the custom variants and the known malicious tools, now have signatures, since Symantec and others have analyzed and reported on the activity. Known families such as Backdoor.Oldrea and Trojan.Karagany can be detected and blocked by up-to-date antivirus software. The watering hole attacks using the Lightsout and Hello exploit kits can likewise be blocked by intrusion prevention systems (IPS) with current signatures, and by keeping Java and Internet Explorer patched so the exploits they rely on no longer work.
Advanced attackers like Dragonfly will keep developing new attack methods to evade these signature-based defenses. That makes a threat intelligence program important: monitor for information on the latest campaigns and indicators and react accordingly. In addition, some advanced security capabilities, such as next-generation firewalls or IPS with behavioral analysis, can identify and block attacks that have no known signature.
Attacks on the grid are not likely to subside anytime soon. High-value assets like the SCADA systems controlling the flow of electricity require continued effort from both the public and private sectors to monitor and secure effectively.
The Dragonfly group has been in operation since at least 2011. Symantec first reported on it in June 2014, attributing to the group a broad attack campaign against energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. As in the latest report, the targets were in the U.S. and Europe. The security firm CrowdStrike, which tracks the group as Energetic Bear, and the US government have linked earlier Dragonfly attacks to Russia in their reports.
In 2014, DHS warned that hackers were targeting multiple US electric utilities with BlackEnergy malware. iSIGHT Partners (now part of FireEye) attributed these attacks to a group it named Sandworm, which is likely backed by the Russian government. In December 2015, the Sandworm team used BlackEnergy to gain a foothold in Ukrainian utilities, reached their SCADA systems remotely, and switched substations off, leaving roughly 230,000 customers without electricity for several hours. In December 2016, Russian hackers struck again, blacking out part of the Ukrainian capital Kiev for about an hour using the CrashOverride malware. CrashOverride was a significant advancement: a modular framework built specifically to speak grid protocols, comparable in its purpose-built design to Stuxnet. Earlier in 2017, the NotPetya wiper worm, disguised as ransomware and widely attributed to Russia, hit Ukrainian energy companies among many other organizations.
Earlier this year, attackers also compromised the business network of the Wolf Creek nuclear power plant in Burlington, Kansas.
This combination of two attack types, reconnaissance and information-gathering intrusions against Western energy companies and sabotage attacks with physical impact on the grid in Ukraine, shows a very dangerous Russian cyber warfare capability. Some writers have speculated that Russia is using the war in Ukraine as a test lab to sharpen that capability, preparing for a potential conflict in which it would need to take down the grid in the United States or Europe.
Dragonfly 2.0 is the latest in a series of attacks on the power and utilities sector that has gone on since at least 2011 and has been publicly documented since 2014. The attacks have grown in both global scale and sophistication. They have been attributed to groups backed by the Russian government and pose a critical threat to energy companies in the U.S. and Europe. Organizations at risk should maintain their focus on security awareness and vulnerability management, and consider next-generation security techniques designed to mitigate advanced threats.