Operation Dragonfly Documents Russian Attacks On Industrial Systems


Attackers have successfully gained access to the systems running power generation stations, those that support petroleum pipeline operations and other energy sector systems in seven countries including the U.S., according to a new report from Symantec. The company has documented an extensive cyberespionage campaign that may have been powerful enough to sabotage operations at those facilities.

What troubles security industry experts the most is a technique used by those behind the campaign to compromise the supervisory control and data acquisition (SCADA) software used at many critical infrastructure facilities to monitor and control subtle industrial processes. Alerts in recent months have been issued to the operators of all industrial systems, including their contractors, such as consultants and managed service providers that provide IT management and remote network monitoring at many of the facilities.

The campaign Symantec calls Dragonfly is akin to Stuxnet, the powerful Trojan unleashed in 2010 to disrupt the Siemens industrial control system running Iran's nuclear energy program. Dragonfly has been used to spy on energy sector organizations, but attackers also gained access to the systems management software at many of the facilities, enabling them to disrupt critical processes, Symantec said. The group behind Dragonfly began operating in 2011 and infiltrated energy sector businesses in the U.S., Spain, France, Italy, Germany, Turkey and Poland, infecting the software of several industrial control systems manufacturers using a remote access Trojan. 


Symantec said it identified seven organizations targeted in spearphishing attacks from February 2013 to June 2013. The targeted campaign also included watering-hole attacks, redirecting victims to legitimate websites where the criminals had set up an attack platform to infect visitors. Later, the group targeted the industrial control systems software itself to infiltrate organizations that downloaded software updates.

"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," Symantec said in its report. "Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability."

Information about the attacks was also released last week by Finnish antivirus vendor F-Secure, which said it identified attacks that compromised remote monitoring software for industrial control systems and software that controls high-precision industrial cameras used in energy sector facilities. F-Secure uncovered 88 variants of a remote access Trojan called Havex and identified more than 100 command-and-control servers supporting the operation.
