Attackers are installing back doors into power facilities in the U.S. in an attempt to steal credentials that then allow them complete access to facility control software, according to researchers at Symantec.
The malware is delivered using old phishing techniques, but with new payloads. Several power generation and control facilities, perhaps including one nuclear power plant, have already been penetrated.
Symantec is also reporting that the Dragonfly attackers have penetrated deeply enough into the power management systems that they’ve been able to take screen shots of control panel software. This allows them to return and wreak havoc on the US power grid by causing blackouts in the areas where they gain control, and perhaps causing other interconnected systems to go dark.
In its report, Symantec notes that Dragonfly first appeared in 2015, at which time it appeared to be operating only in a surveillance mode. Now as Dragonfly 2.0, it’s returned in an operational mode, providing the hackers with the access they need to infiltrate the computers that control the power systems.
The way it works is by sending seemingly routine attachments to officials at the power facility. Those attachments appear to be documents such as resumes and environmental reports, and they make it through most malware screening because the documents don’t contain any actual malware. Instead, the attachment contains a command to load a Word template from a remote source. The template then attempts to harvest user credentials and send those back to the hackers.
The template download request uses an SMB (server message block) protocol message to the remote source. The stolen credentials are returned the same way, which then allows the hackers to remotely control the victim computer.
Cisco’s Talos Intelligence performed an analysis of the actions of the Dragonfly 2.0 attacks, and noted that they depend on a successful SMB session over TCP port 445. They found that anything that interrupts or prevents such a connection will also keep the breach from happening and will prevent the template injection.
The most obvious immediate solution to such an attack is to configure the facility’s firewall so that it won’t allow such SMB requests to leave the network. Such a configuration has been a part of configuration best practices for some time. But clearly, enough organizations are failing to make that change to enable the Dragonfly malware to take advantage of this well known and long-fixed vulnerability.
“What’s interesting here is the relatively unsophisticated method the hacking group has used,” said Leigh-Anne Galloway, cyber security resilience officer at security software company Positive Technologies in an email.
“Usually with SCADA [supervisory control and data acquisition], the tactic of choice is to exploit zero-day vulnerabilities. In this case though, they’ve chosen to go for the older, but most effective methods of phishing and watering holes to get in. Of course, once the attackers are in, they would then still carry out exploits. But phishing is an effective first stage.”
“As old as these techniques might be, this blunt instrument is proved as effective as ever, relying on the age-old ally of cyber criminals: human fallibility,” Galloway said.
“These hackers have bet that, in spite of the critical importance of the systems, the people using them don’t have the security wherewithal to think before clicking on a link or opening an attachment. And in this case, they were right,” he said.
“In SCADA networks, the implications are life threatening, to personnel and the general public and attackers could cause a short circuit disrupting safety mechanisms, or cause a complete outage,” Galloway observed.
Positive Technologies has a demonstration model of a typical SCADA implementation and even that was recently attacked, she noted. “This is a model of the exact kind of setup you can encounter in the real world, using the same protocols and firmware,” Galloway explained in a subsequent email.
“We have had someone of school age carry out a successful attack against this environment which short-circuited the high voltage substation. He also managed to disable safety equipment,” she wrote.
“In our experience, most infrastructure providers like energy companies are not well prepared for an attack on their network,” Galloway explained. “They don’t have the necessary monitoring tools in place and do not carry out regular testing against their infrastructure. They are ill-prepared to deal with this kind of situation. Obviously the consequences of a successful attack could be catastrophic, or even cause a national crisis.”
The question then becomes, what to do? The immediate steps are fairly obvious, such as blocking SMB messages beyond the network by closing port 445 in the firewall. But that’s only a stopgap since the hackers could easily choose a different port. In addition, staff needs to be trained not to open attachments, regardless of how innocent or routine they look.
But the real solution needs to go beyond the obvious, even if the Department of Homeland Security has to issue requirements for the protection of critical infrastructure and to provide assistance to help those facilities make the changes quickly.
While those companies are private organizations in some cases, they are still regulated utilities and if necessary the regulations should reflect the critical nature of the infrastructure and impose requirements for protection.