September 7, 2017 By Mark Samuels 2 min read

A group of cybercriminals is targeting energy facilities in Europe and North America as part of a fresh wave of cybersecurity attacks that could lead to the disruption or sabotage of operational systems.

Though the group — called “Dragonfly” — has been at work since 2011, it became quiet after its operations were exposed by researchers in 2014. However, a new report by security specialist Symantec suggested the group has been active again since 2015 and has increased its operations through 2017.

The report presented more evidence of the threat facing executives who run critical infrastructure, such as energy facilities. IT managers in these organizations should take note of the risks highlighted by Symantec and look to reduce the threat through security best practices.

What Is Dragonfly?

According to SecurityWeek, the Dragonfly group is also known as Energetic Bear, Crouching Yeti and Iron Liberty. During its two-year lull, the group did not stop operations and instead worked to update its activities, according to Bleeping Computer.

In a blog post detailing its new analysis, Symantec suggested the group now aims to sabotage or gain control of operational systems in energy facilities. The researchers noted a distinct increase in activity through 2017 and suggested Dragonfly launched attacks in the U.S., Turkey and Switzerland. Symanetc also detected signs of action outside these nations.

Dissecting Dragonfly’s Techniques

The first activity of the renewed campaign, referred to as “Dragonfly 2.0,” came in the form of a malicious email campaign to the energy sector through December 2015. According to Symanetc, Dragonfly 2.0 relies on a range of other attack vectors, including watering hole attacks used to harvest network credentials and Trojanized software.

The attackers often use widely available malware via administration tools such as PowerShell, PsExec and BITSAdmin. Symantec suggested this use of standard malware might be part of a strategy to mask the group’s identity. The attackers typically install backdoors onto a victim’s computer to provide remote access to systems.

Researchers suggested the most concerning evidence centers on screen captures. Some of these captures included sensitive details such as the location of the infected machine and the name of the host organization. Many of these descriptions included the string cntrl, which is a potential indication that these machines have operational system access.

Symantec reported the amount of conflicting evidence about Dragonfly activities makes it difficult to state the origins of the group and the individuals involved. However, the firm referred to Dragonfly as a highly experienced threat actor with the capability to materially disrupt utility organizations. The long-term plans of the group remain uncertain.

Protecting the Energy Sector From Cybersecurity Attacks

An increasing number of experts recognize that energy and utilities organizations worldwide are focusing on cybersecurity attacks. The FBI and Department of Homeland Security issued a joint report earlier this year warning about the risk to nuclear power stations and other energy facilities, The New York Times reported.

Last month, the National Infrastructure Advisory Council (NIAC) published a draft report detailing the complex risks associated with critical infrastructure sectors. NIAC made 11 specific recommendations, including the establishment of specific network paths and reserved spectrum for backup communications during emergencies.

News of this ever-increasing threat represents a significant warning signal to executives running utility facilities and other elements of critical infrastructure. The Symantec researchers ended their report with several security recommendations, such as using strong passwords, implementing multiple protection systems and establishing an enforceable security policy with an emphasis on employee education programs.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today