Dragonflies are known to be agile in movement and predatory in behaviour – and this appears to appropriately sum up the group of hackers that is reportedly behind activities targeting the power sectors in Europe and North America.
According to security organisation Symantec, which has revealed the details of these activities, the group behind the cyber attacks – known as Dragonfly, or also previously by some as Energetic Bear – has been in operation since at least 2011. And it has re-emerged over the past two years from a quiet period following its earlier exposure in 2014.
This so-called ‘Dragonfly 2.0’ campaign appears to have begun in late 2015, and shares tactics and tools used in earlier campaigns by the group, says Symantec. A distinct increase in activity has been identified in 2017.
Cyber attacks on the increase
Evidence has been emerging of the growing interest of cyber attackers in the power sector. Notably, the Crashoverride malware used in the attack in Ukraine in 2016, in which thousands of people were left without power for hours, is believed to be the first malware specifically targeted at the power sector.
In its 2014 commentary on Dragonfly, Symantec said that targets had included energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry industrial equipment providers. The majority of the victims were located in the US, Spain, France, Italy, Germany, Turkey and Poland.
Symantec also commented that the group was well resourced, with a range of malware tools at its disposal and was capable of launching attacks through a number of different vectors.
Now Symantec says in its lengthy blog post it believes that the original Dragonfly campaigns were an exploratory phase where the attackers were simply trying to gain access to the networks of targeted organisations.
In the latest campaigns, the attackers appear to be entering a new phase, in which they are interested both in learning how energy facilities operate and in gaining access to the operational systems themselves. This would potentially give them the ability to sabotage or gain control of these systems, with the obvious disruptions that could ensue.
As previously, a variety of infection vectors are being used, including phishing emails as well as watering hole attacks and Trojanised software.
For example, the earliest activity identified by Symantec in this renewed campaign was a malicious email campaign that sent emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.
The main but not exclusive focus now appears to be on organisations in the US, Turkey and Switzerland.
In the 2014 commentary Symantec said that Dragonfly bore the hallmarks of a state-sponsored operation and suggested that most likely the attackers were based in Eastern Europe.
In the latest commentary, Symantec mentions the presence of code strings in both Russian and French but does not offer an origin. Due to conflicting evidence and what appear to be attempts at misattribution, the location of the group and who is behind it is “difficult to definitively state”.
Energetic Bear was previously suggested by security company CrowdStrike to be of Russian origin, but, for example, Kaspersky Labs – which also renamed it Crouching Yeti – felt its origin was indeterminate at that time.
Cyber protection for utilities
This disclosure of these Dragonfly activities once again highlights the severity of the threat facing the energy sector when it comes to security and the need for effective defences.
One part of the solution lies in having an end-to-end cybersecurity solution in place.
The other part, less widely mentioned, involves applying some of the common-sense rules and best practices that are applicable across sectors in any day-to-day ‘connected’ situation.
Among these are not opening email attachments from unknown sources, using longer passwords, not reusing the same passwords on multiple websites and not sharing passwords with others.
Symantec recommends that important passwords, such as those with high privileges, should be at least 8-10 characters long, and preferably longer, and include a mixture of letters and numbers.
Another recommendation is simply having a good understanding of the tools, techniques, and procedures that hackers are using. Being armed with information on their motivation and capabilities should allow “more timely and effective decisions in proactively safeguarding the environment from these threats”.