A group of online hackers exhibiting the hallmarks of nation-state attackers have infiltrated the networks of hundreds of energy firms and industrial control system makers, according to analyses by security firms and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The attackers, dubbed “Dragonfly” by security-software firm Symantec and “Energetic Bear” by security-services provider CrowdStrike, were able to install Remote-Access Trojans (RATs) inside the networks of hundreds of energy-related companies located in Spain, the United States, Japan, France, Italy and Germany.
The attacks go beyond the more common cyber-espionage conducted by a variety of nations for national-security and economic reasons and raise the specter of using cyber-attacks to sabotage critical infrastructure—a worrisome prospect, Eric Chien, technical director of Symantec’s Security Response group, told eWEEK.
“There is a huge difference between conducting an espionage campaign and potentially conducting some sort of sabotage campaign,” he said. “That’s why we worry about this compared to some other attacks, because the level of access they had could have allowed them to do something, like literally turn the lights off.”
The attackers used a combination of customized attack tools and more common RATs available from markets in the Internet underground, according to an analysis published by Symantec on June 30.
The Dragonfly group also ratcheted up the sophistication of their attacks, starting out in 2011 by broadly spamming malicious links in “spearphishing” email messages. Then, in June 2013 they moved to infecting victims by compromising legitimate sites of interest to the targets—a technique known as a “waterhole attack.” In their last major shift, the attackers began infecting legitimate updates to industrial control software in September 2013.
“The current targets of the Dragonfly group, based on compromised Websites and hijacked software updates, are the energy sector and industrial control systems, particularly those based in Europe,” Symantec stated in its report. “While the majority of victims are located in the U.S., these appear to mostly be collateral damage.”
The advanced techniques and targets of the Dragonfly group suggest a more sophisticated, likely nation-state, attacker, Chien told eWEEK. While Symantec declined to specify which nation, its analysis pointed out that the attackers appeared to work a nine-hour workday, 9 a.m. to 6 p.m. in the UTC+4 hour timezone, encompassing Russia and other parts of Eastern Europe.
Security-services firm CrowdStrike did not hesitate to point the finger in its analysis. In a report published in January, CrowdStrike described the group as “Energetic Bear,” as a designation for Russia-affiliated groups.
According to the ICS-CERT, the malicious programs installed by the Dragonfly group uses an older variant of the Open Platform Communications protocol to enumerate operational networks, gathering information on servers and devices connected to the network. The program gathers, among other information, the name of the server, the OPC version, vendor information, server bandwidth and the running state.
The ICS-CERT advised companies that use Open Platform Communications to create and maintain strict access control lists (ACLs) and enforce authentication to any OPC software. Finnish security firm F-Secure also analyzed the attack.