Cyberattacks target energy infrastructure
- By Matt Leonard
- Sep 07, 2017
A group known as Dragonfly 2.0 appears to have gained access to energy companies' operational networks in both Europe and North America, according to a new report from Symantec.
The group has been trying to hack into these systems since 2015, but its activity has increased this year.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” Symantec said in its report.
The Department of Homeland Security told GCN it is aware of the report.
“At this time there is no indication of a threat to public safety,” DHS spokesperson Scott McConnell said in an email. “We continue to coordinate with government and private-sector partners to look into this activity and, through our National Cybersecurity and Communications Integration Center, we have released multiple information products to the critical infrastructure community to provide detection and response recommendations to help them secure their networks.”
McConnell added that DHS provides assistance to owners of critical infrastructure upon request.
Jon DiMaggio, a senior threat intelligence analyst at Symantec, said that there haven’t been any disruptions and no critical infrastructure has been destroyed as a result of these intrusions, but that attackers will likely continue to target the energy sector.
“The worst case would be if the attacker was to successfully disrupt or destroy systems that manage critical energy infrastructure,” DiMaggio said in an email to GCN. “While we know this is a capable attacker and can see the interest in specific systems within energy organizations, we can only make analytical conclusions based on the data we analyze.”
But the tools, techniques and procedures used by Dragonfly 2.0 fit what would be used by “a nation state attacker who is interested in energy infrastructure,” he said.
These most recent attacks by Dragonfly are being called Dragonfly 2.0 to distinguish them from an earlier string of attacks. Dragonfly 2.0 uses malicious emails, watering-hole attacks and Trojanized software to make its way into networks.
Symantec witnessed the use of malware that was disguised as an email inviting targets in the energy sector to a New Year’s Eve party, for example.
“Once opened, the attached malicious document would attempt to leak victims’ network credentials to a server outside of the targeted organization,” Symantec said.
These credentials are then used to install a Trojan horse onto the computer, which provides the attacker with remote access to the machine.
There is also evidence that Dragonfly 2.0 may have penetrated operational systems, which could result in sabotage.
“The most concerning evidence of this is in their use of screen captures. In one particular instance the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string “cntrl” (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems,” the report said.
Symantec recommended following best practices for avoiding a Dragonfly 2.0 attack, including good password management, layered defenses, encryption of sensitive content, filtering outbound network traffic and educating employees.
Matt Leonard is a former reporter for GCN.