Published on September 9th, 2017 | 1,380 views
Dragonfly 2.0: the sophisticated attack group is back with destructive purposes
While the first Dragonfly campaigns appear to have been a more reconnaissance phase, the Dragonfly 2.0 campaign seems to have destructive purposes.
Symantec has spotted a new wave of cyber attacks against firms in the energy sector powered by the notorious Dragonfly group.
The Dragonfly group, also known as Energetic Bear, has been active since at least 2011 when it targeted defense and aviation companies in the US and Canada. Only in a second phase Dragonfly has focused its effort on US and European energy firms in early 2013.
In 2014, security experts at Symantec uncovered a new campaign targeting organizations located in the US, Italy, France, Spain, Germany, Turkey, and Poland.
Dragonfly gang conducted a cyber espionage campaign against energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.
According to the JAR report published by the US Department of Homeland Security, Dragonfly was Russian APT actor linked to the Government.
The infamous group remained under the radar since December 2015, but now the researchers pointed out Dragonfly targeted energy companies in Europe and the US.
This time the attackers aimed to control or even sabotage operational systems at energy facilities.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” reads the report published by Symantec.
According to Symantec, the Dragonfly 2.0 campaign begun in late 2015, threat actors used same TTPs of previous campaigns.
“The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations. The group behind these attacks is known as Dragonfly.” reads the analysis published by Symantec.”The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014. This “Dragonfly 2.0” campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group.”
Researchers discovered many similarities between earlier Dragonfly campaigns and recent attacks.
The energy sector has become a privileged target for state-sponsored hackers over the last two years, let’s think for example of power outages caused in Ukraine in 2015 and 2016 that were attributed to Russian APT groups.
Symantec believes the group is very advanced, it operates to make hard the attribution of the attacks. Below some of the tactics employed by the hackers:
- The attackers used more generally available malware and “living off the land” tools, such as administration tools like PowerShell, PsExec, and Bitsadmin, which may be part of a strategy to make attribution more difficult. The Phishery toolkit became available on Github in 2016, and a tool used by the group—Screenutil—also appears to use some code from CodeProject.
- The attackers also did not use any zero days. As with the group’s use of publicly available tools, this could be an attempt to deliberately thwart attribution, or it could indicate a lack of resources.
- Some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.
The experts noticed most attacker activity in organizations in the US, Turkey, and Switzerland.
Dragonfly 2.0 continues to use a wide range of attack vectors, from spear phishing messages towatering holes.
In the first attacks spotted by Symantec in December 2015, attackers used emails disguised as an invitation to a New Year’s Eve party.
Other campaigns conducted during 2016 and 2017 used spear phishing messages specifically designed with content related to the energy sector.
Phishing emails spotted by Symantec were created with the Phishery toolkit in the attempt to steal victims’ credentials via a template injection attack.
The attackers also used watering hole attacks to harvest network credentials, they targeted websites likely to be visited by personnel involved in the energy sector.
Symantec reported that at least in one case, the watering hole attack was used to deliver the Goodor backdoor via PowerShell 11 days later.
“Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install maliciousbackdoors onto target networks—perhaps by using social engineering to convince a victim they needed to download an update for their Flash player. Shortly after visiting specific URLs, a file named “install_flash_player.exe” was seen on victim computers, followed shortly by the Trojan.Karagany.B backdoor.” continues the analysis.