Researchers at Symantec have warned that a “sophisticated attack group” is targeting the energy sector in Europe and North America, and has been doing so for some time. A group known as Dragonfly has been detected carrying out attacks since 2011, and the campaign of attacks was recently stepped up a gear.
Dubbed the Dragonfly 2.0 campaign, this latest wave of attacks is set by Symantec against the backdrop of the disruption to the Ukrainian power system in 2015 and 2016, which showed what an intrusion into energy infrastructure can lead to. After a quiet period, the group's activities have started up again, with targets hit in the US, Turkey and Switzerland. Energy facilities are on the hit list, and a successful attack on one could have devastating consequences.
Symantec warns that: “The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”
Those working in the energy sector have been closely targeted with malicious email campaigns, and once a foothold is gained, backdoors are installed to take control of systems.
In a report, Symantec explains:
In 2014, Symantec observed the Dragonfly group compromise legitimate software in order to deliver malware to victims, a practice also employed in the earlier 2011 campaigns. In the 2016 and 2017 campaigns the group is using the evasion framework Shellter in order to develop Trojanized applications. In particular, Backdoor.Dorshel was delivered as a trojanized version of standard Windows applications.
Symantec also has evidence that files masquerading as Flash updates are being used to install malicious backdoors on target networks, most likely by using social engineering to convince a victim that their Flash Player needs updating. Shortly after victims visited specific URLs, a file named “install_flash_player.exe” was seen on their computers, followed by the Trojan.Karagany.B backdoor.
Typically, the attackers will install one or two backdoors onto victim computers to give them remote access and allow them to install additional tools if necessary. Goodor, Karagany.B, and Dorshel are examples of backdoors used, along with Trojan.Heriplor.
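The fake Flash installer and the backdoor that follows it form a simple chain a defender can hunt for: a file with the lure name is written into a user profile, it is executed from there, and that process then drops another executable. The script below is an added example, not code from Symantec's report or from the Dragonfly malware: it runs a correlation of that kind over a constructed, simplified endpoint telemetry feed (file-create and process-create events with assumed field names; real Sysmon or EDR schemas differ). The ten-minute window and the rule that anything under C:\Users is user-writable are assumptions. A legitimate Adobe installer carries the same file name, so the name alone is a weak indicator; the example rates a hit "high" only when the lure goes on to write a payload somewhere a user can write.

```python
"""Hunt for the fake-Flash-installer-then-backdoor chain (added example).

Event schema, sample events, window and path heuristics are all constructed
for this illustration; adapt the field names to your sensor's telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

LURE_NAMES = {"install_flash_player.exe"}   # lure file name reported by Symantec
PAYLOAD_EXTS = (".exe", ".dll", ".scr")     # assumed: what a dropped backdoor looks like
WINDOW = timedelta(minutes=10)              # assumed correlation window

# Constructed sample telemetry. ws-12 shows the malicious chain; ws-07 shows a
# real installer that writes into the normal Flash directory and nothing else.
SAMPLE_EVENTS = [
    {"ts": "2017-08-01T09:00:05", "type": "file_create", "host": "ws-12",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "target": "C:\\Users\\alice\\Downloads\\install_flash_player.exe"},
    {"ts": "2017-08-01T09:00:40", "type": "process_create", "host": "ws-12",
     "image": "C:\\Users\\alice\\Downloads\\install_flash_player.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2017-08-01T09:01:10", "type": "file_create", "host": "ws-12",
     "image": "C:\\Users\\alice\\Downloads\\install_flash_player.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},
    {"ts": "2017-08-01T10:00:00", "type": "file_create", "host": "ws-07",
     "image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
     "target": "C:\\Users\\bob\\Downloads\\install_flash_player.exe"},
    {"ts": "2017-08-01T10:00:30", "type": "process_create", "host": "ws-07",
     "image": "C:\\Users\\bob\\Downloads\\install_flash_player.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2017-08-01T10:01:00", "type": "file_create", "host": "ws-07",
     "image": "C:\\Users\\bob\\Downloads\\install_flash_player.exe",
     "target": "C:\\Windows\\System32\\Macromed\\Flash\\Flash32.ocx"},
]


def is_user_writable(path: str) -> bool:
    """Assumption: anything under a user profile is writable without admin rights."""
    return path.lower().startswith("c:\\users\\")


def find_lure_chains(events, window=WINDOW):
    """Return one finding per execution of a lure-named binary from a user-writable path.

    A finding records which process wrote the lure (the download) and any
    executables the lure itself wrote within `window` into user-writable
    locations (the follow-on backdoor). Severity is "high" only when such a
    drop is seen, "low" otherwise.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        for e in evs:
            if e["type"] != "process_create":
                continue
            if ntpath.basename(e["image"]).lower() not in LURE_NAMES:
                continue
            if not is_user_writable(e["image"]):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            lure = e["image"].lower()

            # Who wrote the lure file before it ran (typically the browser)?
            writers = [f["image"] for f in evs
                       if f["type"] == "file_create"
                       and f["target"].lower() == lure
                       and datetime.fromisoformat(f["ts"]) <= t0]

            # What did the lure process write afterwards?
            drops = [f["target"] for f in evs
                     if f["type"] == "file_create"
                     and f["image"].lower() == lure
                     and t0 <= datetime.fromisoformat(f["ts"]) <= t0 + window
                     and f["target"].lower().endswith(PAYLOAD_EXTS)
                     and is_user_writable(f["target"])]

            findings.append({
                "host": host,
                "lure": e["image"],
                "executed_at": e["ts"],
                "downloaded_by": writers[-1] if writers else None,
                "drops": drops,
                "severity": "high" if drops else "low",
            })
    return findings


if __name__ == "__main__":
    for f in find_lure_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['lure']} via {f['downloaded_by']} -> {f['drops']}")
```

In practice the "downloaded_by" field is what you pivot on next: the browser's proxy or DNS logs around that timestamp give you the URL the victim visited, which is the indicator worth sharing.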
At the moment it appears that the group is operating in data-gathering mode, but Symantec fears that this could be the calm before the storm. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”
While it is not entirely clear who is behind Dragonfly, there are hints of Russian involvement.