Monday, June 30, 2014

AFP: Malware "Dragonfly" Aims at US, Europe Energy Sector


AFP news says:

The US security firm Symantec said it identified malware targeting industrial control systems which could sabotage electric grids, power generators and pipelines

This Stuxnet-like malware attack is likely to be government-sponsored, says Symantec. No word about nuclear power plants.

From Security Week quoting AFP (6/30/2014; emphasis is mine):

Malware Aims at US, Europe Energy Sector: Researchers

WASHINGTON - Cyberattackers, probably state sponsored, have been targeting energy operations in the United States and Europe since 2011 and were capable of causing significant damage, security researchers said Monday.

The US security firm Symantec said it identified malware targeting industrial control systems which could sabotage electric grids, power generators and pipelines.

"The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes," Symantec said in a blog post.

"If they had used the sabotage capabilities open to them, (they) could have caused damage or disruption to energy supplies in affected countries," it added.

The researchers said this malware is similar to Stuxnet, a virus believed to have been developed by the United States or Israel to contain threats from Iran.

"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," Symantec said.

"Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability."

Symantec said Dragonfly, also known as Energetic Bear, appeared to be an operation based in Eastern Europe based on the hours of activity of those involved.

It said one of the tools was a Trojan that appeared to have originated in Russia.

Officials in the US and elsewhere in recent months have expressed growing concerns about cyberattacks which could cripple critical infrastructure systems such as power grids, dams or transportation systems.

The Dragonfly group has used several infection tactics including spam email with malicious attachments, and browser tools which can install malware.

Once installed on a victim's computer, the malware gathers system information and can extract data from the computer's address book and other directories.

"The Dragonfly group is technically adept and able to think strategically," Symantec said.

"Given the size of some of its targets, the group found a 'soft underbelly' by compromising their suppliers, which are invariably smaller, less protected companies."

Symantec said it had notified victims of the attacks as well as relevant national authorities, such as the US Computer Emergency Response Team.

The affected companies were not named, but Symantec said targets of Dragonfly included energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.

Most targets were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.


And from Security Week's own article, with more details including the link to Symantec's report (6/30/2014; excerpt, emphasis is mine):

...The report builds on information released earlier this year by security firms CrowdStrike - which publicized the attack in January - and F-Secure.

The attacks on the energy sector began with malware sent via phishing emails to targeted personnel. Symantec observed the spear phishing attempts hitting organizations in the form of PDF attachments between February 2013 and June 2013, mostly targeting the US and UK. The emails were disguised as messages about administration issues such as delivery problems or issues with an account.

Later on, the group added watering hole attacks into its repertoire by compromising websites likely to be visited by people working in the industry and redirecting them to sites hosting an exploit kit known as Lightsout. The Lightsout kit has been upgraded over time, and eventually became known as the Hello exploit kit.

The third phase of the campaign involved the Trojanizing of legitimate software bundles belonging to three different industrial control system (ICS) equipment manufacturers using malware detected as Backdoor.Oldrea (Havex), according to Symantec's report (PDF).

The researchers reported that the first piece of Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it began, but by then there had already been 250 unique downloads of the compromised software. In the second incident, a European manufacturer of specialist PLC devices was compromised and had a software package containing a driver for one of its devices compromised. According to Symantec, the software was available for download for at least six weeks between June and July in 2013.

The third firm was a European company that designs systems for managing wind turbines, biogas plants and other technology. In that case, the compromised software is believed to have been available for download for roughly 10 days in April 2014.

"Oldrea appears to be custom malware, either written by the group itself or created for it," according to the researchers. "This provides some indication of the capabilities and resources behind the Dragonfly group. Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers."

The majority of the command and control servers appear to be hosted on compromised servers running content management systems. Oldrea was linked to the vast majority of the infections caused by the group.

A second piece of malware used by the group was a Russian remote access Trojan known as Karagany, which was found in about five percent of the infections. The Karagany Trojan is available on the underground market. The source code for the first version of the malware was leaked in 2010. Symantec researchers suspect the Dragonfly group may have taken this source code and modified it for the group's own use. The malware can upload stolen data, download new files and run executable files on an infected machine. It is also capable of running additional plugins such as tools for collecting passwords and taking screenshots, according to Symantec.

"The attacks do have the hallmarks of a state-sponsored operation," said Vikram Thakur, principal security response manager at Symantec. "The attackers are well resourced, with a high degree of technical capability and have a lot of tools at their disposal. Their targets are of strategic interest. Their motivations appear to be espionage rather than cybercrime. As an example, we see the threat not only targeting specific industries, but also stealing credentials to connect into networks with industrial equipment. Such activity maps to espionage. Coupled with the sophistication of the campaigns, this activity lends itself to being perceived as being state sponsored."

(Full article at the link)


Well, remember the hacking incident at Monju earlier this year? A night-shift worker there downloaded free video playback software from a supposed South Korean site and managed to infect the PC in the central control room. The PC was hacked, and email information was stolen. I haven't seen the result of the follow-up investigation of the incident.