The Dragonfly hacking group is back – or should we say it probably never went away – and is still interested in penetrating the networks of European and US companies in the energy sector.
Even worse, their efforts have been very successful: they have repeatedly managed to gain access to these companies' operational systems, access that could potentially be used to interfere with power grid operations.
Symantec researchers believe that the group involved in these compromises is the same one they and other security companies flagged in 2014, and believed to be based in Russia or Eastern Europe and probably state-sponsored.
This time around, the analyzed malware contains strings in both Russian and French, leading the researchers to believe that one of these languages may be a false flag.
The group's use of generally available malware and legitimate software (administration tools) appears to be aimed at making it difficult to determine who is behind the attacks. They also don't use zero-day exploits, perhaps for the same reason. They do, however, still use some custom malware that was seen in the first Dragonfly campaigns.
“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future,” the researchers noted.
“The most concerning evidence of this is in their use of screen captures. In one particular instance the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string ‘cntrl’ (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems.”
As in the original Dragonfly campaigns, initial infection vectors used by the group are phishing emails, Trojanized software, and watering hole attacks. Typically, the attackers will install one or two backdoors onto victim computers to give them remote access and allow them to install additional tools if necessary.
“Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems. What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so,” the researchers noted.
Protection and disruption
Dragonfly relies heavily on stolen credentials to compromise a network, so the usual advice regarding passwords applies: make them long and complex, don't reuse them across systems, and change them whenever there is reason to believe they may have been compromised.
“Delete unused credentials and profiles and limit the number of administrative-level profiles created. Employ two-factor authentication to provide an additional layer of security, preventing any stolen credentials from being used by attackers,” Symantec advises.
Data at rest and in transit should be encrypted, employees should be educated about phishing emails, and defense in depth should be applied. Symantec also recommends SMB egress traffic filtering on perimeter devices, so that SMB traffic cannot leave the network: a host that is tricked into connecting to an attacker-controlled share on the internet would otherwise hand its authentication credentials to the attacker over SMB.
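That last recommendation is easy to audit after the fact from perimeter connection logs. The following is an added example, not code from Symantec or from the original article: it parses firewall connection records in a simplified, assumed format (constructed sample lines, not real traffic), treats a plain RFC 1918 list as the internal address space, and reports SMB/NetBIOS connections to outside destinations that the perimeter allowed through, which is exactly what the egress filter is supposed to prevent. The log format, the sample records, and the internal network list are assumptions made for the illustration.

```python
import ipaddress
import re

# SMB-related ports: NetBIOS name/datagram service (UDP 137/138),
# NetBIOS session service (TCP 139) and SMB over TCP (445).
SMB_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# Assumption: the organisation's internal address space is plain RFC 1918.
# An explicit list is used rather than ipaddress.is_global because the
# documentation ranges used below (TEST-NET) are not "global" in Python's view.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall records (not real traffic). Assumed format:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>"
SAMPLE_LOG = """\
2017-09-06T10:14:02Z tcp 10.20.30.41:51234 -> 10.20.30.5:445 ALLOW
2017-09-06T10:14:07Z tcp 10.20.30.41:51240 -> 198.51.100.23:445 ALLOW
2017-09-06T10:14:09Z tcp 10.20.30.77:49822 -> 203.0.113.9:139 DENY
2017-09-06T10:14:11Z tcp 10.20.30.41:51244 -> 93.184.216.34:443 ALLOW
2017-09-06T10:14:15Z udp 10.20.30.41:137 -> 10.20.30.255:137 ALLOW
2017-09-06T10:14:20Z tcp 192.168.1.10:50001 -> 198.51.100.23:445 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>ALLOW|DENY)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True if the address falls inside the configured internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_smb_egress(rec):
    """SMB/NetBIOS traffic whose destination lies outside the internal address space."""
    return (rec["dport"] in SMB_PORTS.get(rec["proto"], set())
            and not is_internal(rec["dst"]))


def audit_smb_egress(log_text):
    """Return (leaks, blocked): external SMB attempts the perimeter allowed vs. denied.

    Each entry is (src, dst, proto, dport). Anything in 'leaks' is a gap in the
    egress filter; 'blocked' shows the filter doing its job.
    """
    leaks, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_smb_egress(rec):
            continue
        entry = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        (leaks if rec["action"] == "ALLOW" else blocked).append(entry)
    return leaks, blocked


if __name__ == "__main__":
    leaks, blocked = audit_smb_egress(SAMPLE_LOG)
    for src, dst, proto, port in leaks:
        print(f"LEAK: {src} -> {dst} {proto}/{port} allowed out; egress filter not covering this path")
    print(f"{len(blocked)} external SMB attempt(s) correctly denied")
```

Internal-to-internal SMB (the first line) and the UDP NetBIOS broadcast are deliberately left alone; the point of the filter is the perimeter, not lateral SMB, and the DENY line is what a working filter looks like. In a real deployment the internal prefix list should be the organisation's own address plan, including any routed public ranges it owns.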
“What’s interesting here is the relatively unsophisticated methods the hacking group has used. Usually with SCADA, the tactic of choice is to exploit zero-day vulnerabilities. In this case though, they’ve chosen to go for the older, but most effective methods of phishing and watering holes to get in. Of course, once the attackers are in they would then still carry out exploits. But phishing is an effective first stage,” noted Leigh Ann Galloway, Cyber Security Resilience Lead, Positive Technologies.
“As old as these techniques might be, this blunt instrument has proved as effective as ever, relying on the age-old ally of cyber criminals: human fallibility. These hackers have bet that – in spite of the critical importance of the systems – the people using them don’t have the security wherewithal to think before clicking on a link or opening an attachment. And in this case, they were right. In SCADA networks the implications are life-threatening to personnel and the general public, and attackers could cause a short circuit disrupting safety mechanisms, or cause a complete outage.”