Symantec researchers have confirmed the findings of their colleagues at F-Secure, who have been monitoring the spreading of the Havex malware family, and have put them in a larger context, tying them to the activities of a hacking group they dubbed Dragonfly.
Also dubbed “Energetic Bear,” the group is thought to be based in Russia or Eastern Europe, is likely state-sponsored, and is currently focusing on targeting US and European companies and organizations in the energy industry: energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.
“The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors,” Symantec researchers explained.
“Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.”
So far, the group has been concentrating on gaining access to these systems for spying purposes.
“In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations,” they noted. “The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.”
The Oldrea backdoor is also known as Havex. Both malware families allow attackers to gain backdoor access to the infected systems, as well as to exfiltrate confidential data and download and install additional malware.
Another indication that the group is likely state-sponsored comes from an analysis of the compilation timestamps on the malware used by the attackers, which shows that they mostly worked during “a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone.”
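The timestamp argument above can be reproduced on a sample set: read the COFF TimeDateStamp from each PE file, convert it to the hour of day in a candidate time zone, and measure how much of the activity falls inside a 9am to 6pm window. This is an added example, not Symantec's tooling; the MZ/PE stubs it builds are constructed samples, and the UTC+4 offset and working-day window are the values the article cites.

```python
"""Added example: bucket PE compile timestamps by local hour to test a 'working day' hypothesis.
The MZ/PE stubs below are constructed samples, not binaries from the campaign."""
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF header follows the 4-byte signature; TimeDateStamp sits at offset 4 within it.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def make_stub_pe(timestamp: int) -> bytes:
    """Constructed sample: a minimal MZ/PE header carrying the given timestamp (not runnable code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def local_hours(timestamps, utc_offset_hours):
    """Map epoch timestamps to the hour of day in a fixed UTC offset (e.g. 4 for UTC+4)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [datetime.fromtimestamp(ts, tz).hour for ts in timestamps]


def working_day_share(timestamps, utc_offset_hours, start=9, end=18):
    """Fraction of samples built between start (inclusive) and end (exclusive) local hour."""
    hours = local_hours(timestamps, utc_offset_hours)
    return sum(start <= h < end for h in hours) / len(hours)


# Constructed sample set: four build times chosen to fall in and out of a 09:00-18:00 UTC+4 day.
_UTC = [datetime(2013, 1, 15, 6, 30, tzinfo=timezone.utc),
        datetime(2013, 1, 15, 13, 45, tzinfo=timezone.utc),
        datetime(2013, 1, 16, 5, 10, tzinfo=timezone.utc),
        datetime(2013, 1, 16, 2, 0, tzinfo=timezone.utc)]
SAMPLES = [make_stub_pe(int(d.timestamp())) for d in _UTC]
SAMPLE_TIMESTAMPS = [pe_timestamp(s) for s in SAMPLES]

if __name__ == "__main__":
    print(local_hours(SAMPLE_TIMESTAMPS, 4))        # [10, 17, 9, 6]
    print(working_day_share(SAMPLE_TIMESTAMPS, 4))  # 0.75
```

Compile timestamps are written by the build tooling and can be set to anything, so a clean working-hours cluster is supporting evidence for attribution, not proof on its own.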
The researchers also confirmed that three of the compromised websites that were made to serve trojanized versions of the companies’ legitimate software belonged to ICS equipment providers. In one case, the trojanized software was available for download for at least six weeks, possibly even longer.
“The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a ‘soft underbelly’ by compromising their suppliers, which are invariably smaller, less protected companies,” the researchers commented on this approach.