Over two dozen US and European energy companies and utility providers have been infiltrated by nation-state hackers as part of a cyber espionage campaign. A warning was issued today about the Dragonfly attack group, also known as Energetic Bear and Crouching Yeti, which has reportedly gained access to the operational systems of some energy suppliers.
Dragonfly is a known attack group that has been active since 2010. It went dark after being exposed in 2014, but security researchers at Symantec have now revealed that the cyber espionage group is active again. The renewed campaign, which Symantec calls Dragonfly 2.0, used phishing emails and malware to infect energy companies.
"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.
"Sabotage of the operations of energy providers would cause great disruption to large numbers of people, as was seen with the compromise of Ukraine's power system in 2015 and 2016. The impact of an attack against an atomic energy provider could potentially be a lot worse."
In July, the FBI and DHS, followed by GCHQ, issued reports warning manufacturing plants and nuclear power stations in the US and UK of attacks that may have been launched by Dragonfly. The US Department of Energy clarified at the time that only administrative networks had been affected, not the control systems. Symantec's new findings raise the concern that control systems may now have been reached as well.
Dragonfly 2.0 - how the group infiltrated a number of energy companies worldwide
Following its exposure in 2014, the group's new campaign began in December 2015 with an invitation to a New Year's Eve party sent to targets in the energy sector. More malicious emails followed throughout 2016 and into 2017, disguised as job applications or invitations to relevant events. Once a target opened one of these attachments, the malware dropped trojans that stole the victim's credentials.
"We have also found evidence that trojanized software packages were also used, like files masquerading as Flash updates which would install malicious backdoors onto target networks - a likely tactic would be to use social engineering to convince a victim they needed to download an update for their Flash player," Symantec's Candid Wuest said.
The Dragonfly group also compromised websites likely to be visited by people working in the nuclear and energy sectors, a watering-hole tactic. "The Dragonfly group compromised strategic websites related to the energy sector and planted their malware on the website, and did not use any zero day vulnerabilities in order to infect computers," he wrote.
The cyber espionage group has infected a number of organizations, including 20 in the US, six in Turkey and one in Switzerland. It is unclear who the group is connected with, but Symantec said "this is clearly an accomplished attack group" that puts effort into making it difficult for cybersecurity experts to identify it.