
Russian-Based Dragonfly Group Attacks Energy Industry


Written by Sue Poremba
Jul 3, 2014

I remember being at a security conference a few years ago, and one of the speakers said that, in his opinion, cyber war will focus on utilities – water supplies, power plants, the energy infrastructure. The comments came shortly after the Stuxnet revelations.

Said in a room filled with security professionals and security journalists, the comments were taken seriously – I don’t think there was a person who would have disagreed with the statement – but other than a few news stories filed immediately, the thoughts of cyber war and the threat to utilities have been relegated to the back burner while more immediate security concerns garnered the headlines.

That’s now changed with the news about a group known as Dragonfly, which has been on the attack against the energy industry in the United States and countries in Western Europe. As Tom Cross, director of security research at Lancope, stated in an email to me:

This is an attack that is directly targeted at western industrial control systems and is suspected to be of Russian origin. Although we don’t know the motive behind these attacks, the purpose of controlling these systems may be to disable them at some point in the future. Russia has used cyberattacks in conjunction with conventional warfare in the past, such as the 2008 conflict between Russia and Georgia. Therefore, it is alarming to hear that a malware variant suspected of having Russian origin has been directly targeted at industrial infrastructure.

It’s especially alarming in light of the current state of world affairs, but this has nothing to do with what’s happening today. According to an eSecurity Planet article, Dragonfly has been operating at least since 2011. The article goes on to state:

It began by targeting defense and aviation companies in the U.S. and Canada, but shifted its focus to U.S. and European energy firms in early 2013. That campaign started in February 2013 with spear phishing emails delivering malware, then expanded in the summer of 2013 to include watering hole attacks that redirected visitors to energy industry-related websites to a site hosting an exploit kit.

 

The third phase of the campaign was the infection of legitimate software from three different ICS [industrial control system] equipment manufacturers. In one case, the compromised software was downloaded 250 times before it was discovered.

And we may not have seen the worst of it, according to Top Tech News, citing the Symantec researchers who were among the first to discover Dragonfly’s actions:

“The group is able to mount attacks through multiple vectors and compromise numerous third-party Web sites in the process,” Symantec said. “Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.”

Right now, we know that the energy industry is targeted, but in a Dark Reading article, Sean Sullivan, a security adviser at F-Secure, warns that energy may not be the sole target:

“This is a very broad-based” campaign to cripple adversaries, including via manufacturers that supply their armies with food and other crucial items.

How this plays out remains to be seen. Is it cyber war? I don’t know that, either, but I do know that we were warned that the threat against utilities like the energy industry was coming. Little did we know that while we were getting that warning, the threats were already taking place.

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
