Symantec has warned that a hacker group known as Dragonfly is using every practical trick in the trade to infiltrate networks owned by energy firms and to disrupt their operations.
Dragonfly uses malicious emails, malware, watering hole attacks, and trojanised applications to infect energy firms’ networks.
A large number of western energy firms have been victims of malicious infiltrations and cyber-attacks in the recent past. Earlier this year, a malware attack brought down the Ukrainian power grid as well as the country’s postal services. Hackers were also able to breach several non-critical networks of nuclear power firms, thereby sending out a terrifying message.
Symantec believes that the most powerful and sophisticated cyber-attacks and malware intrusions on networks owned by energy firms could be the handiwork of a specific hacker group. The group is so powerful and has covered its tracks so well that Symantec fears it has the ability to either sabotage or gain control of operations at major western energy firms.
‘The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,’ the firm said in a blog post.
What makes Dragonfly so powerful is the fact that it uses every trick in the trade to infiltrate, bring down or take over critical infrastructure networks. Even though its initial footprints were detected in 2011, the group’s activities have multiplied since 2015.
In 2015, Symantec observed a malicious email campaign conducted by Dragonfly, in which the group sent emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector. In the following year, the group sent more phishing emails to employees at energy firms, some of which contained very specific content related to the energy sector.
More recently, phishing emails sent to energy firms by Dragonfly contain sophisticated hacking toolkits like Trojan.Phishery that can steal victims’ credentials via a template injection attack.
Dragonfly has also indulged in the watering hole attack technique that involves hackers infecting websites that employees of a target firm visit frequently. Once an employee visits an affected website, the malware infects his system, steals his credentials or installs other malware to take over the network.
Several infected websites also contain links that ask visitors to download updates for the Flash Player. Once a visitor clicks on such a link, a file named “install_flash_player.exe”, which in fact harbours the Trojan.Karagany.B backdoor, gets downloaded to his system.
As if phishing emails and watering hole tactics aren’t enough, Dragonfly also compromises legitimate software in order to deliver malware to victims. What may seem to be secure and legitimate software to energy firms could, in fact, be a trojan containing all sorts of malware. According to Symantec, an evasion framework named Shellter has been used by the group to develop Trojanized applications.
Dragonfly exclusively owns and frequently uses a backdoor named Trojan.Heriplor which is not available to any other hacker group in the world. Initially used between 2011 and 2014, the backdoor is now back and is used specifically for attacking networks owned by energy firms.
Dragonfly also actively indulges in frequent sabotage attacks, through which it collects information about target networks and systems and acquires credentials before launching malware attacks.
‘The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.
‘The most concerning evidence of this is in their use of screen captures. In one particular instance, the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string “cntrl” (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems,’ said Symantec.
How to protect yourself from such attacks?
Symantec suggests that, to prevent hackers from stealing credentials, passwords and other sensitive employee information, energy firms must put in place strong password practices and two-factor authentication, and should forbid the use of the same password on multiple websites. Unused credentials should also be deactivated to prevent their misuse.
At the same time, all sensitive data should be encrypted, and multiple, overlapping and mutually supportive defensive systems should be used so that flaws in any one platform aren’t successfully exploited by hackers. SMB egress traffic filtering should also be implemented on perimeter devices to prevent SMB traffic from leaking out of a network onto the internet.
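One way to check whether the SMB egress filtering recommended above is actually in force is to audit perimeter flow records for SMB connections leaving the network. The script below is an added example, not code from Symantec or the original article; the CSV log layout, the RFC 1918 internal ranges and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_TCP_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed sample of perimeter flow records (not real traffic).
SAMPLE_FLOWS = """\
src,dst,proto,dport,action
10.1.4.22,203.0.113.50,tcp,445,allow
10.1.4.22,10.1.9.10,tcp,445,allow
10.1.7.31,198.51.100.7,tcp,445,deny
192.168.5.14,203.0.113.50,tcp,139,allow
10.1.4.22,203.0.113.50,tcp,443,allow
10.1.4.22,198.51.100.7,tcp,445,allow
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_smb_egress(flow_csv):
    """Return (leaks, blocked): internal-to-external SMB flows the perimeter
    allowed, grouped by source host, and the number it denied."""
    leaks = defaultdict(set)
    blocked = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp" or int(row["dport"]) not in SMB_TCP_PORTS:
            continue
        if not is_internal(row["src"]) or is_internal(row["dst"]):
            continue  # only traffic leaving the network is of interest
        if row["action"].lower() == "allow":
            leaks[row["src"]].add((row["dst"], int(row["dport"])))
        else:
            blocked += 1
    return dict(leaks), blocked

if __name__ == "__main__":
    leaks, blocked = find_smb_egress(SAMPLE_FLOWS)
    for src, dests in sorted(leaks.items()):
        for dst, port in sorted(dests):
            print(f"SMB egress allowed: {src} -> {dst}:{port}")
    print(f"{blocked} outbound SMB flow(s) blocked at the perimeter")
```

Any host listed as an allowed leak indicates a perimeter rule that still lets TCP 139 or 445 out and should be tightened.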
“What’s interesting here, is the relatively unsophisticated methods the hacking group has used. Usually with SCADA, the tactic of choice is to exploit zero-day vulnerabilities. In this case though, they’ve chosen to go for the older, but most effective methods of phishing and watering holes to get in. Of course, once the attackers are in they would then still carry out exploits. But phishing is an effective first stage,” says Leigh Ann Galloway, Cyber Security Resilience Lead at Positive Technologies.
“As old as these techniques might be, this blunt instrument is proved as effective as ever, relying on the age-old ally of cyber criminals: human fallibility. These hackers have bet that – in spite of the critical importance of the systems – the people using them don’t have the security wherewithal to think before clicking on a link or opening an attachment. And in this case, they were right. In SCADA networks the implications are life threatening, to personnel and the general public and attackers could cause a short circuit disrupting safety mechanisms, or cause a complete outage,” he adds.