A well-organised hacking group is believed to have carried out a sustained campaign of attacks on industrial control systems in the energy sector in the US and Europe, according to Symantec.
The group, called ‘Dragonfly’ by Symantec, or ‘Energetic Bear’ by other security companies, targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers through a number of attack vectors. The group was mainly involved in spying on the organisations it targeted. Symantec says it also had the capability to sabotage those targets, but does not appear to have used it.
Symantec believes that the group was state sponsored, based on the complexity of its methods and tools, and that it was mainly operating from Eastern Europe, based on the timing of its activities.
Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.
The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany, both of which are Remote Access Trojans (RATs). The former appears to be a custom piece of malware, either written by or for the attackers.
The group initially began sending malware in phishing emails to senior personnel in target firms, between February and June 2013.
In June 2013, the attackers shifted their focus to watering hole attacks. They compromised a number of energy-related websites that were likely to be visited by those working in the sector, and injected an iframe into each of them. This iframe then redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. This in turn exploited either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim's computer. Symantec said that compromising multiple legitimate websites for each stage of the operation is further evidence of the group's strong technical capabilities.
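The injected-iframe stage described above is the part of the chain a site owner or web proxy can actually look for. The following is an added example, not code from Symantec or from the article, of a small checker that flags iframes in a fetched page which point to a different host than the page itself or which are hidden (zero-size or `display:none`). The page contents, the host names and the hidden iframe are all constructed for this example; nothing here is taken from the actual Dragonfly sites.

```python
"""Flag injected iframes in an HTML page (constructed example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS fragments that typically hide an injected frame from the visitor.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    v = value.strip().rstrip("px").strip()
    return v.isdigit() and int(v) <= 1


def suspicious_iframes(html, page_url):
    """Return (src, reasons) for iframes that load off-host or are hidden.

    Relative src values have no host and are treated as same-origin.
    """
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        if not src:
            continue
        reasons = []
        host = urlparse(src).hostname  # None for relative URLs
        if host and host != page_host:
            reasons.append("off-host")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden-style")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("tiny")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample page: one legitimate embedded map, one injected 1x1
# hidden frame pointing at a hypothetical second compromised host.
SAMPLE_PAGE = """
<html><body>
<h1>Grid operators newsletter</h1>
<iframe src="/embed/map.html" width="600" height="400"></iframe>
<iframe src="http://legit-but-compromised.example/index.php"
        width="1" height="1" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_PAGE, "https://energy-news.example/news"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

Run against a crawl of your own site's pages, the off-host and hidden checks together catch the pattern in the text; an off-host iframe alone is common on legitimate pages (embedded maps, videos), so treat that reason as lower confidence on its own.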
In the third phase of the campaign, Dragonfly was able to compromise three different industrial control system (ICS) equipment providers. The group infected legitimate software bundles from each vendor with the Trojan software, so that customers of the companies would install the Trojans when updating their systems. This attack vector gave Dragonfly a beachhead in the targeted organisations' networks, Symantec said, but also gave it the means to mount sabotage operations against infected ICS computers.
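The trojanised-update stage only works if the customer installs whatever the vendor's download site serves. The following is an added example, not code from Symantec, the article or any of the affected vendors, of the install-time check an operator can put in front of an ICS update: the SHA-256 of the downloaded bundle is compared, in constant time, against a digest pinned from a channel other than the download page itself. The bundle bytes, file name and appended "dropper stub" are constructed for the example; the digest table is built from the clean bytes here only so the block runs offline, whereas in practice it would be obtained from the vendor's signed release notes or a similar out-of-band source.

```python
"""Refuse to install a vendor bundle whose digest does not match a pinned value."""
import hashlib
import hmac

# Constructed sample: a bundle as it left the vendor, and the same bundle with a
# hypothetical payload appended, standing in for a trojanised copy.
CLEAN_BUNDLE = b"ICS-VENDOR-INSTALLER v2.1\x00" + bytes(range(256))
TROJANISED_BUNDLE = CLEAN_BUNDLE + b"<dropper stub>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole artefact."""
    return hashlib.sha256(data).hexdigest()


# Digests the operator obtained out of band. If the vendor's download site is the
# one that was compromised, a digest published on that same site proves nothing,
# so this table must come from a separately trusted source.
PINNED_DIGESTS = {
    "installer-2.1.exe": sha256_hex(CLEAN_BUNDLE),
}


def bundle_is_trusted(name: str, data: bytes, pinned=PINNED_DIGESTS) -> bool:
    """True only if the artefact is known and its digest matches the pinned one."""
    expected = pinned.get(name)
    if expected is None:
        return False  # unknown artefact: never install silently
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_BUNDLE), ("trojanised", TROJANISED_BUNDLE)):
        verdict = "install" if bundle_is_trusted("installer-2.1.exe", data) else "REJECT"
        print(f"{label}: {verdict}")
```

The check is deliberately fail-closed: an artefact with no pinned digest is rejected rather than installed with a warning, because an update pipeline that warns and continues is exactly what a supply-chain compromise exploits.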