Dragonfly malware targeting pharmaceutical companies

Get a copy of the upcoming book "Secure Operations Technology"

The recently revealed Dragonfly (Havex) malware is likely targeting the pharmaceutical sector, not the energy sector as previously believed, according to Belden.

Until now, advanced cyberattacks against industry have focused on the critical energy and chemical sectors. Manufacturing management teams are advised to update their risk assessments and ensure that their cyber security defenses can withstand what are clearly highly coordinated attacks by teams of professional hackers.

Over the past few years, industrial infrastructure has been identified as a key target for hackers and government-sponsored warfare, attracting some of the most sophisticated cyberattacks on record, including Stuxnet, Flame and Duqu. Dragonfly is significant because it is first one of the advanced attacks since Stuxnet to have payloads that target specific ICS components.

Given the importance of that finding, Belden commissioned Joel Langill of RedHat Cyber, a leading independent ICS security expert, to research Dragonfly in more depth. The objective was to understand the Dragonfly campaign in order to provide the best possible advice to customers for defending against advanced malware threats.

Langill’s review of Dragonfly focused on executing the malicious code on systems that reflect real world ICS configurations and observing the malware’s impact. Three main factors led him to believe the target is the intellectual property of pharmaceutical organizations:

1. Out of thousands of possible ICS suppliers, the three companies targeted for trojanized software were not primary suppliers to “energy” facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry.

2. The Dragonfly attack is very similar in nature to another campaign called Epic Turla and is likely managed by the same team. Epic Turla has been shown to have targeted the intellectual property of pharmaceutical companies.

3. The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceutical rather than the energy industry.

“My research, coupled with my knowledge of the pharmaceutical industry, led me to conclude that it was the target of Dragonfly,” remarked Langill. “The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.”