Researchers at Symantec released a report today going inside an ongoing attack campaign targeting the energy sector.
According to Symantec, the attackers have compromised a number of different organizations during the past few years for the purposes of spying – and possibly, sabotage. Also known as ‘Energetic Bear’, the Dragonfly group is believed to have been in operation since at least 2011. Initially, its targets were in the defense and aviation industry in the United States and Canada. In early 2013, it shifted its focus to energy firms in the U.S. and Europe.
The attacks on the energy sector began with malware sent via phishing emails to targeted personnel. Symantec observed the spear-phishing attempts, which arrived as PDF attachments, hitting organizations between February 2013 and June 2013, mostly in the US and UK. The emails were disguised as messages about administrative issues such as delivery problems or problems with an account.
Later on, the group added watering hole attacks into its repertoire by compromising websites likely to be visited by people working in the industry and redirecting them to sites hosting an exploit kit known as Lightsout. The Lightsout kit has been upgraded over time, and eventually became known as the Hello exploit kit.
The third phase of the campaign involved the Trojanizing of legitimate software bundles belonging to three different industrial control system (ICS) equipment manufacturers using malware detected as Backdoor.Oldrea (Havex), according to Symantec’s report (PDF).
The researchers reported that the first piece of Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it began, but by then there had already been 250 unique downloads of the compromised software. In the second incident, a European manufacturer of specialist PLC devices was compromised and a software package containing a driver for one of its devices was Trojanized. According to Symantec, the compromised package was available for download for at least six weeks between June and July 2013.
The third firm was a European company that designs systems for managing wind turbines, biogas plants and other technology. In that case, the compromised software is believed to have been available for download for roughly 10 days in April 2014.
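The exposure in all three incidents is the same: a vendor download site serving a modified package. The following Go program is an added example, not code from Symantec's report or from any of the vendors involved, showing why a hash published beside the download is no defence once the site itself is under the attacker's control, while a signature made with a vendor release key that the customer pinned out of band still catches the modified file. The release key pair, the installer bytes and the appended payload are all constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// VendorRelease models what a vendor download page offers: the installer
// bytes, the SHA-256 published beside the link, and a detached signature
// made with the vendor's release key. Hypothetical structure for this example.
type VendorRelease struct {
	Installer []byte
	SHA256    string // hex digest as published on the download page
	Signature []byte // Ed25519 signature over Installer
}

// Release signs an installer the way a vendor would at build time.
func Release(releaseKey ed25519.PrivateKey, installer []byte) VendorRelease {
	sum := sha256.Sum256(installer)
	return VendorRelease{
		Installer: installer,
		SHA256:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(releaseKey, installer),
	}
}

// Trojanize models the attacker's edit on a compromised download site:
// append a payload and re-publish a matching hash. The old signature is
// carried over unchanged because the attacker does not hold the release key.
func Trojanize(rel VendorRelease, payload []byte) VendorRelease {
	tampered := append(append([]byte(nil), rel.Installer...), payload...)
	sum := sha256.Sum256(tampered)
	return VendorRelease{
		Installer: tampered,
		SHA256:    hex.EncodeToString(sum[:]),
		Signature: rel.Signature,
	}
}

// HashMatches is the check most download pages invite: compare the file
// against the hash shown next to it. It only proves file and page agree.
func HashMatches(rel VendorRelease) bool {
	sum := sha256.Sum256(rel.Installer)
	return hex.EncodeToString(sum[:]) == rel.SHA256
}

// SignatureValid verifies against a vendor key pinned out of band (shipped
// with the engineering tooling, not fetched from the same site as the file).
func SignatureValid(pinned ed25519.PublicKey, rel VendorRelease) bool {
	return ed25519.Verify(pinned, rel.Installer, rel.Signature)
}

// Accept is the gate an engineering workstation should apply before running
// any downloaded vendor package: both checks must pass, for different reasons.
func Accept(pinned ed25519.PublicKey, rel VendorRelease) (bool, string) {
	if !HashMatches(rel) {
		return false, "hash mismatch: download corrupted or page inconsistent"
	}
	if !SignatureValid(pinned, rel) {
		return false, "signature invalid: not produced by the pinned vendor key"
	}
	return true, "hash and signature verified"
}

func main() {
	// Stand-in for the vendor's release key pair; in practice the public half
	// is pinned once by the customer and the private half never leaves the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed installer bytes; no real vendor product is represented.
	genuine := Release(priv, []byte("PLC-VPN-Setup v1.2 (constructed sample installer)"))
	tampered := Trojanize(genuine, []byte("\x00dropper-stub (constructed payload)"))

	for _, c := range []struct {
		name string
		rel  VendorRelease
	}{{"genuine", genuine}, {"tampered", tampered}} {
		ok, why := Accept(pub, c.rel)
		fmt.Printf("%-8s hash_ok=%-5v sig_ok=%-5v accept=%-5v (%s)\n",
			c.name, HashMatches(c.rel), SignatureValid(pub, c.rel), ok, why)
	}
}
```

The tampered copy passes the hash check, because the attacker who replaced the file also replaced the published digest, and fails only at the signature. That is the property to insist on from ICS vendors: signed packages and a verification key distributed through a channel separate from the download site.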
“Oldrea appears to be custom malware, either written by the group itself or created for it,” according to the researchers. “This provides some indication of the capabilities and resources behind the Dragonfly group. Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers.”
The majority of the command and control servers appear to be hosted on compromised servers running content management systems. Oldrea was linked to the vast majority of the infections caused by the group.
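The collection sequence described above (read the Outlook address book and VPN configuration files, stage the result in a temporary file, send it to a C&C server) is observable on the endpoint as a sequence of file and network events by one process. The Go program below is an added example of correlating that sequence, not Symantec's detection logic and not tied to any named indicator from the report. The telemetry schema, the sample records, the file-name hints and the process allowlist are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one endpoint telemetry record. The schema and all sample records
// are constructed for this example.
type Event struct {
	Seq     int
	Process string
	Kind    string // "file_read", "file_write" or "net_connect"
	Target  string // file path, or host:port for net_connect
}

// Assumed path fragments for Outlook address book data and VPN client
// configuration files. A real deployment would tune these to its own
// mail and VPN products.
var sensitiveHints = []string{".pab", ".nk2", "\\outlook\\", ".pcf", ".ovpn", "\\vpn\\"}

// Processes that legitimately read those files (assumed names); any other
// process reading them starts the suspicious sequence.
var allowed = map[string]bool{"outlook.exe": true, "vpnui.exe": true}

func isSensitiveRead(path string) bool {
	p := strings.ToLower(path)
	for _, h := range sensitiveHints {
		if strings.Contains(p, h) {
			return true
		}
	}
	return false
}

func isTempWrite(path string) bool {
	p := strings.ToLower(path)
	return strings.Contains(p, "\\temp\\") || strings.HasPrefix(p, "/tmp/")
}

// Correlate walks events in order and advances a per-process state machine:
// 1 = read a sensitive file, 2 = then wrote under a temp directory,
// 3 = then made an outbound connection. A process reaching 3 is reported
// once. Order matters: a temp write or connection before the read is ignored.
func Correlate(events []Event) []string {
	stage := map[string]int{}
	var alerts []string
	for _, ev := range events {
		proc := strings.ToLower(ev.Process)
		if allowed[proc] {
			continue
		}
		switch {
		case ev.Kind == "file_read" && isSensitiveRead(ev.Target) && stage[proc] < 1:
			stage[proc] = 1
		case ev.Kind == "file_write" && isTempWrite(ev.Target) && stage[proc] == 1:
			stage[proc] = 2
		case ev.Kind == "net_connect" && stage[proc] == 2:
			stage[proc] = 3
			alerts = append(alerts, ev.Process)
		}
	}
	return alerts
}

// SampleEvents returns constructed telemetry: the mail client doing its job,
// an unknown process performing the full collect-stage-exfiltrate sequence,
// and a backup tool that reads a VPN profile but never stages it in temp.
func SampleEvents() []Event {
	return []Event{
		{1, "outlook.exe", "file_read", `C:\Users\ops\AppData\Local\Microsoft\Outlook\contacts.pab`},
		{2, "outlook.exe", "net_connect", "mail.corp.example:443"},
		{3, "updater.exe", "file_read", `C:\Users\ops\AppData\Local\Microsoft\Outlook\contacts.pab`},
		{4, "updater.exe", "file_read", `C:\Program Files\VPNClient\profiles\plant-site.pcf`},
		{5, "updater.exe", "file_write", `C:\Users\ops\AppData\Local\Temp\~dat3a7f.tmp`},
		{6, "updater.exe", "net_connect", "203.0.113.45:443"},
		{7, "backup.exe", "file_read", `C:\Program Files\VPNClient\profiles\plant-site.pcf`},
		{8, "backup.exe", "file_write", `D:\backup\2014-06\profiles.bak`},
		{9, "backup.exe", "net_connect", "10.0.0.5:445"},
	}
}

func main() {
	for _, p := range Correlate(SampleEvents()) {
		fmt.Printf("ALERT: %s read mail/VPN data, staged it in a temp file, then connected out\n", p)
	}
}
```

Only updater.exe is reported: outlook.exe is allowlisted, and backup.exe never writes to a temp directory between the read and the connection. Requiring the full ordered sequence rather than any single step is what keeps a rule like this from paging on every backup job and mail client.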
A second piece of malware used by the group was a Russian remote access Trojan known as Karagany, which was found in about five percent of the infections. The Karagany Trojan is available on the underground market. The source code for the first version of the malware was leaked in 2010. Symantec researchers suspect the Dragonfly group may have taken this source code and modified it for the group’s own use. The malware can upload stolen data, download new files and run executable files on an infected machine. It is also capable of running additional plugins such as tools for collecting passwords and taking screenshots, according to Symantec.
“The attacks do have the hallmarks of a state-sponsored operation,” said Vikram Thakur, principal security response manager at Symantec. “The attackers are well resourced, with a high degree of technical capability and have a lot of tools at their disposal. Their targets are of strategic interest. Their motivations appear to be espionage rather than cybercrime. As an example, we see the threat not only targeting specific industries, but also stealing credentials to connect into networks with industrial equipment. Such activity maps to espionage. Coupled with the sophistication of the campaigns, this activity lends itself to being perceived as being state sponsored.”
*This story was updated with additional information.