The threat of cyber attacks to energy companies is increasing

Symantec has published a series of considerations about a dangerous trend that has been reasserting itself over the last few years: energy companies in Europe and North America are increasingly being targeted by a new wave of attacks that may allow their authors, to have the means to significantly compromise the operation of power generation, storage and distribution plants.

The energy sector has become an area of ​​increasing interest for cybercriminals over the past two years. In 2015 and 2016, the cyber attack on power plants in Ukraine led to disservices that had repercussions on hundreds of thousands of people and in recent months there have been some attempts to attack the electricity grids of other European countries, as well as the impairment of IT systems of companies that operate nuclear facilities in the USA.

It seems that behind these attacks, there is a collective known as Dragonfly, which has been operational since at least 2011 and has re-emerged in the last two years after a period of pause. The group seems to be interested both in the modus operandi of the new plants, and in obtaining access to the operational systems so as to be able to build a set of knowledge that can allow to obtain control of these systems when they decide to do so.

According to the information that Symantec has collected in its investigation the new campaign of attacks ” Dragonfly 2.0 ” seems to have been launched at least at the end of 2015, with tactics and tools already used in the activities carried out previously by the group, and has seen an intensification during this 2017. The security company has detected a series of ” solid ” indications of activity in the USA, in Turkey and in Switzerland and some traces also outside these countries.

The first activity identified by Symantec in this new wave of operations was a campaign of sweetened emails consisting of the dissemination of fictitious invitations to a party at the end of the year, which took place in December 2015. Dragonfly would then carry out other email campaigns in 2016 and 2017, with interactive messages to specific topics dedicated to the energy sector.

Once the email is open, the compromised attachment tries to steal the network credentials by sending them to a server outside the organization. In July, Cisco also found a series of email-based attacks targeting the energy sector with a toolkit called Phishery, circulating on GitHub since 2016. Some of the emails used by Dragonfly have used the stolen toolkit credentials to the victim.

In addition to the email campaign, Symantec says the group of attackers have used watering hole techniques to collect network credentials, compromising websites that are likely to be consulted by personnel working in the energy sector. The credentials were subsequently used against organizations targeted using tools such as backdoors and Trojans to ultimately obtain remote access to the victim’s machine.

In the attack activities conducted in 2014 and even earlier in 2011, the Dragonfly group compromised legitimate software in order to deliver malware to victims. During 2016 and 2017, Symantec’s analysis suggests that the group is using the Shellter framework to develop ” trojanized ” applications, and in particular, a backdoor (Backdoor.Dorshel) has been distributed as a trojanized version of standard Windows applications.

Another practice widely used to deliver malware is that of fake Flash updates, with users driven to carry out them through social engineering techniques. As a rule, attackers install one or two backdoors on the victim’s system to gain remote access and install additional tools when and where necessary.

Symantec found that various tools used in recent campaigns were also used in those of 2011 and 2014, suggesting that the actor behind these actions may be the same. In particular, the Heriplor trojan seems to have been used exclusively by Dragonfly, as it is not available on the black market of the web and never observed in attacks conducted by other known hacker groups. This is a trojan that has only been used against targets in the energy sector. Another Trojan, Karagany, is an evolution of one previously used by Dragonfly and shows similarities in commands, encryption mechanisms and code routines.

The security company specifies that the actions of actual operational sabotage are normally preceded by a more or less extensive phase of gathering information on networks and target systems, with the acquisition of credentials: all resources that are then exploited in subsequent campaigns as happened, for example, in the case of the notorious Stuxnet and Shamoon.

That said, the previous campaign of Dragonfly attacks seemed to be more an exploratory phase where they simply look for access to the networks of targeted companies. What is happening instead now seems to be a different phase, access to operational systems to gather information and details to be used for even more damaging purposes in the future? Symantec has found numerous screen capture related to control machines.

In the current state of affairs, it is not possible to determine exactly the origin of Dragonfly, but its availability of arsenal and the skills it has shown in the field describe a group that is certainly skilled and experienced. Some of the group’s activities also seem to be carried out with the express purpose of making it difficult to determine who really is. A part of the instruments used, beyond those mentioned above, are widely available so as to make the allocation of the shares more difficult.

The attackers also do not use zero-day flaws, a peculiarity that may indicate both the desire to avoid unique and ” exclusive ” elements, always for the purpose of ” mingling with the crowd of criminals “, and the lack of resources to enter into possession of one of these flaws normally sold at exorbitant prices always on the black market of the web. Symantec also noted in the code of used tools the presence of comments in Russian and in French, probably a clear attempt at screening.

The only clear thing that emerges from all this is that the Dragonfly group is an actor with great experience, with the ability to compromise various organizations, to steal information and gain access to key systems. What its ultimate goals are still not clear, but its capabilities can without any shadow of doubt heavily compromise the operability of its targets – which we remember to be companies that actively operate in the energy sector – and cause material damage of considerable magnitude.