Threat Management, Malware, Phishing, Threat Management

Core router compromised in DragonFly 2.0 attacks on critical infrastructure


Cylance researchers say a core router was compromised in cyberattacks against energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors that the U.S. has accused Russia of carrying out.

Cylance researchers said the discovery's significance far outweighs its size, given that core router compromises are considerably harder to detect, analyze, patch, and remediate than compromises of PCs, according to a March 16 blog post.

On March 15, The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) took the unusual step of issuing an alert fingering the Russian government for targeting U.S. critical infrastructure with cyberattacks.

The U.S. agencies  unveiled a "multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” the alert said. Once they obtained access, “the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS)." 

This was the first times the U.S. government has publicly attributed these sort of attacks to the Russians.

Cylance researchers said the targeting of this infrastructure is a serious and worrisome discovery because once exploited, vulnerabilities in core infrastructure such as routers are not easily closed or remediated.

Although the compromising of routing infrastructure for collection or command and control purposes is not new, researchers said detection of it is relatively rare because router compromise is very likely to implicate the router's firmware and there aren't as many tools available to the forensic investigator to investigate them.

The threat actors behind the attacks, also known as DragonFly, Energetic Bear, Crouching Yeti, DYMALLOY, and Group 24, were initially exposed in 2013 and 2014 but went dark for nearly a year after its threat actor's operations

In 2015, the group resurfaced in a series of attacks targeting nuclear and energy firms in other countries, possibly including Ireland and Turkey, before setting their sights on the U.S., researchers said.

“We observed a phishing operation which targeted energy sector organizations in the UK,” researchers said in the post. “The attacks began using two phishing documents in a manner similar to that in incidents on which previously reports have focused – all of which relied on the Redirect to SMB feature of Windows.”

While the end goals of the campaign remain unclear, researchers said their very existence across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely upon their critical services.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.