"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves," warns Symantec.
"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves," warns Symantec.

An APT group fixated on infiltrating energy facilities in North America and Europe has turned up the juice lately on its operations, possibly signaling a shift from intelligence gathering to industrial sabotage, a new blog post warns.

The report, from Symantec Corporation, comes two months after the FBI and Department of Homeland Security (DHS) reportedly warned utility companies of foreign hackers breaching computer networks at U.S. power plants. Although the alert suggested that it was primarily administrative and business systems that were breached, Symantec believes that operational systems could be compromised as well.

"Symantec has seen machines that are in operational networks that have been compromised," Eric Chien, technical director at Symantec, told SC Media in an interview. "The example behavior we have seen thus far on those machines is taking screenshots."

Indeed, Symantec has taken notice of the APT group's use of the string “cntrl” (control) in its naming convention for screen captures of infected machines. Symantec theorizes that "cntrl" in this instance could indicate that these particular infected machines have access to operational systems. If so, then the APT actors could very well have the ability to take over and disrupt these systems.

Chien confirmed that the targets include "organizations and facilities responsible for power generation, transmission, and distribution," with some specializing in traditional energy and others in nuclear energy. While many of these facilities, for security reasons, don't connect their operational systems to the internet, they nevertheless can still be penetrated by first breaching the administrative network, he explained.

The APT group, dubbed Dragonfly or Energetic Bear, is commonly linked to Russia. Symantec reports that the hackers first struck in 2011, but their operations eventually tapered off, until a second campaign commenced in 2015. Dragonfly's malicious activity has only grown more aggressive in 2017, with silent attacks on facilities in at least the U.S., Switzerland and Turkey since the "Dragonfly 2.0" campaign began. (A recent Cisco Talos report has also linked the group with hacks on Irish power facilities.)

Symantec notes that the original Dragonfly campaign also targeted the U.S. and Turkey. But that's not where the similarities end: Both past and present Dragonfly operations share key malware programs that are unique to the ATP group, and utilize the same infection vectors to access victims' networks, including spear phishing emails, trojanized software and compromised websites (aka watering holes).

"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," the report states.

"The notion that there may be nation-state or rogue actors who have been resident in the networks of nuclear facilities, electrical grids, and dams isn't far-fetched. Many of these infrastructure providers are relying on outdated security systems with limited detection capabilities," said Ken Spinner, VP of field engineering at data security company Varonis Systems, in emailed comments. "We got a glimpse of what's possible when the Ukraine's power grid was partially disrupted in 2015 and again in 2016," he added, referring to the BlackEnergy attacks that were widely attributed to Russia.

And while malware attacks have targeted the energy sector for years, "The key difference today is that attackers are equipped with far more sophisticated malware that is designed specifically to infiltrate and damage things like electricity substation switches and circuit breakers," Spinner warned.

Symantec reports that the earliest Dragonfly 2.0 attack it observed was a December 2015 malspam campaign that sent energy sector workers what appeared to be email invitations to a New Year's Eve party. This was followed by additional phishing emails featuring content related to the energy industry and general business. 

Victims of these campaigns were infected with malware that would leak their network credentials to an external server. In other instances, the attackers harvested credentials by employing a template injection attack, using malicious phishing attachments to download a template file via an SMB connection (as described in the aforementioned Cisco Talos report).

As with prior campaigns, Dragonfly continues to compromise legitimate software to infect victims, currently using the evasion framework Shellter develop trojanized applications, Symantec reports. And the group also appears to be compromising websites to deliver malicious backdoors posing as Flash updates.

The malware families associated with Dragonfly include the backdoors Goodor and Dorshel; the trojans Karagany, Karagany.B, Heriplor, and Listrix; and the Phishery toolkit. Of these, Heriplor is exclusive to Dragonfly, further proving the group is behind both the current and older wave of attacks against energy companies, Symantec asserts.

“What's interesting here is the relatively unsophisticated methods the hacking group has used," said Leigh-Anne Galloway, cyber security resilience officer at vulnerability and compliance management company Positive Technologies, in emailed comments. "These hackers have bet that, in spite of the critical importance of the systems, the people using them don't have the security wherewithal to think before clicking on a link or opening an attachment... The implications are life threatening to personnel and the general public, and attackers could cause a short circuit disrupting safety mechanisms, or cause a complete outage.”

"Attributes of this attack are similar to those perpetrated by nation-states with deep pockets and long-term goals," said Josh Douglas, chief strategy officer with cybersecurity and government defense contractor Cyber Services at Raytheon. "Reports show that in addition to using open-source software and common means of attack, the aggressors deployed one proprietary piece of malware designed to give an attacker remote access to a victim's machine. That indicates they have invested strongly in their capabilities – some of which we have yet to see – and that we may not yet know the full extent of this attack.”

Meanwhile, the IBM Managed Security Services team on Thursday published its own blog post detailing increasing attacks launched against the energy sector. According to IBM, attacks targeting industrial controls systems increased by more than 110 percent in 2016. And based on data from the first half of 2017, the volume of attacks in 2017 are expected to exceed last year's totals.

IBM also observed that the top attack method leveraged against its energy and utilities clients was the use of malicious input data, for the purpose of controlling or disrupting a system. Such attacks targeted 60 percent of its clients in this sector.