Dragonfly Malware Actively Targeting U.S. Energy Industry

Last week we reported on HAVEX malware targeting Industrial Control Systems / Supervisory Control And Data Acquisition (ICS/SCADA) devices. Now more information has come to light suggesting that the scope of the hostile action is much larger. Researchers at Symantec are calling the malware DRAGONFLY, while other security researchers are calling it ENERGETIC BEAR. DRAGONFLY was re-tasked from stealing information from military contractors to locating and compromising the control systems of electrical generation and distribution (the grid), as well as petroleum pipeline control systems and other energy-based companies.

The Hostile Actors behind DRAGONFLY are organized, with focused targeting using multiple attack vectors. DRAGONFLY uses the same tactic of compromising ICS/SCADA as HAVEX. Both DRAGONFLY and HAVEX have been found hidden in legitimate software downloads on ICS/SCADA vendor websites. DRAGONFLY has allowed the Hostile Actors to exploit an undisclosed number of energy companies and their networks. Researchers are suggesting that DRAGONFLY has been in operation since 2011 or even longer. This could have allowed the Hostile Actors the time necessary to gain more than just a foothold in critical infrastructure.

The sophisticated nature of this operation suggests a state-sponsored cyber attack against critical infrastructure. The responsible actors have had years to exfiltrate information and develop persistent access. The mixture of private and public ownership of utilities in North America means there is no common ICS/SCADA or computer system used across all utilities. This makes conducting an attack on utility systems more difficult, and it is why operations like DRAGONFLY are necessary to gather information and develop an attack plan.

Post by Protocol 46