Security researchers at Symantec report that the North American and European energy sectors are being targeted by what the company describes as “a new wave of cyberattacks that could provide attackers with the means to severely disrupt affected operations.”
According to the researchers, the culprit behind these attacks is a “highly focused group” known as Dragonfly, which has been in operation since 2011. The resurgence of Dragonfly appears to have started in the last quarter of 2015, against a backdrop of increased cyberattacks across all sectors.
Hackers targeted Ukraine’s power grid in 2015 and 2016, causing widespread outages; more recently there have been reports of attempted cyberattacks on the power grids of certain European countries, and the U.S. has not been spared.
The Dragonfly group appears to be interested both in learning how energy facilities operate and in gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or take control of these systems should it decide to do so, Symantec said in its report.
There are “strong indications” of attacker activity in organizations in the U.S., Turkey, and Switzerland, with traces of activity in organizations outside of these countries, according to Symantec.
The earliest activity identified by Symantec in this renewed campaign was a malicious email campaign that sent emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.
The group conducted further targeted malicious email campaigns during 2016 and into 2017. The emails contained very specific content related to the energy sector, as well as some related to general business concerns.
Once opened, the attached malicious document would attempt to leak victims’ network credentials to a server outside of the targeted organization, said Symantec. The attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector.
The stolen credentials were then used in follow-up attacks against the target organizations. In one instance, 11 days after a victim visited one of the compromised servers, Backdoor.Goodor was installed on their machine via PowerShell. Backdoor.Goodor provides the attackers with remote access to the victim’s machine, according to Symantec.
Symantec said it has evidence suggesting that files masquerading as Flash updates may be used to install malicious backdoors onto target networks, perhaps by using social engineering to convince victims they needed to download an update for their Flash player. Shortly after victims visited specific URLs, a file named “install_flash_player.exe” appeared on their computers, followed shortly by the Trojan.Karagany.B backdoor.
Typically, the attackers install one or two backdoors on victim computers to give them remote access and allow them to install additional tools if necessary. Goodor, Karagany.B, and Dorshel are examples of backdoors used, along with Trojan.Heriplor.
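The two delivery patterns described above (a fake “install_flash_player.exe” followed shortly by a second executable, and a backdoor launched via PowerShell) can be hunted for in ordinary process-creation telemetry. The script below is an added example written for this page, not code from Symantec or from its report; the sample events, the host names, the ten-minute “shortly after” window, and the list of user-writable path fragments are all constructed assumptions rather than indicators taken from the report.

```python
"""Hunt process-creation events for the two Dragonfly delivery patterns the
article describes. Example code written for this page; assumptions are
marked inline."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent: str   # parent process image name (file name only)
    image: str    # full path of the newly created process


# Assumption: these fragments mark user-writable locations on a default Windows box.
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\")
# Assumption: how long after the fake installer we still treat a new binary as "shortly after".
FOLLOW_WINDOW = timedelta(minutes=10)


def _name(path: str) -> str:
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE)


def hunt(events: List[ProcEvent]) -> List[str]:
    """Return one finding string per suspicious pattern, ordered by host."""
    findings: List[str] = []
    by_host: Dict[str, List[ProcEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            # Pattern 1: install_flash_player.exe runs, then a different executable
            # appears from a user-writable path within FOLLOW_WINDOW on the same host.
            if _name(e.image) == "install_flash_player.exe":
                for f in evs[i + 1:]:
                    if f.ts - e.ts > FOLLOW_WINDOW:
                        break
                    if _user_writable(f.image) and _name(f.image) != "install_flash_player.exe":
                        findings.append(f"{host}: fake-installer chain {e.image} -> {f.image}")
            # Pattern 2: PowerShell is the parent of an executable living in a
            # user-writable location (a backdoor dropped and launched via PowerShell).
            if (e.parent.lower() == "powershell.exe"
                    and e.image.lower().endswith(".exe")
                    and _user_writable(e.image)):
                findings.append(f"{host}: powershell.exe launched {e.image}")
    return findings


# Constructed sample telemetry (not real data): two hosts showing the patterns,
# one host with benign activity that must not fire.
T0 = datetime(2017, 1, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "ws-01", "chrome.exe",
              r"C:\Users\alice\Downloads\install_flash_player.exe"),
    ProcEvent(T0 + timedelta(minutes=2), "ws-01", "install_flash_player.exe",
              r"C:\Users\alice\AppData\Local\Temp\flashhelper.exe"),
    ProcEvent(T0 + timedelta(hours=1), "ws-02", "powershell.exe",
              r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    ProcEvent(T0 + timedelta(hours=2), "ws-03", "explorer.exe",
              r"C:\Program Files\Notepad++\notepad++.exe"),
    ProcEvent(T0 + timedelta(hours=3), "ws-03", "powershell.exe",
              r"C:\Windows\System32\whoami.exe"),
]


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Both rules are deliberately narrow: the first keys on the exact file name the report mentions and only fires when a second binary follows from a location a browser download or a dropper would use, and the second ignores PowerShell launching system binaries so that routine administration does not flood the results. In a real deployment the parent/child and path fields would come from Sysmon event ID 1 or an equivalent EDR feed.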
Even though Symantec cannot definitively determine Dragonfly’s origins, it maintains that this is clearly an accomplished attack group, capable of compromising targeted organizations through a variety of methods.