An ongoing cyberespionage campaign targeting western energy companies and the control systems that power the electric grid and other major industrial operations is also believed to be capable of carrying out sabotage attacks, according to a new report by security firm Symantec Corp.
Known to Symantec as Dragonfly and to other security vendors as Energetic Bear, the highly sophisticated, organized hacker group has been targeting electric grid operators, petroleum pipelines, electric generation companies and the industrial control systems used by these critical infrastructures since 2011. But what has to date been primarily a cyberespionage campaign by the group — believed to be based in Russia — has now shifted to a possible sabotage threat.
“The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors,” Symantec said today in a blog post. “Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.”
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on June 27 detailing how the attackers compromised ICS software by using so-called watering-hole attacks, in which users download and install trojanized ICS software updates from ICS vendor websites. The ICS-CERT alert did not name the software vendors publicly, but it has made them available through its secure portal.
According to Symantec’s analysis, Dragonfly “bears the hallmarks of a state-sponsored operation,” following in the footsteps of Stuxnet, the 2010 sabotage operation that targeted the Iranian nuclear program. But unlike Stuxnet, Dragonfly appears to be a more broadly focused campaign aimed at persistent access to energy infrastructure companies for the purpose of espionage, with the option of sabotaging those systems should the group choose to do so.
“The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Its main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability,” Symantec said.
Dragonfly uses two main pieces of malware in its attacks. Both are remote access tools, which provide the attackers with access to and control of compromised computers, Symantec said in its analysis. The main tool used by the group is Backdoor.Oldrea, which is also known as Havex or the Energetic Bear RAT. Oldrea acts as a backdoor for the attackers onto the victim’s computer, allowing them to extract data and install further malware.
The second tool used by Dragonfly is Trojan.Karagany. “Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan.Karagany!gen1,” Symantec said.
Karagany is capable of uploading stolen data, downloading new files and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots and cataloging documents on infected computers.