Operation Dragonfly Documents Russian Attacks On Industrial Systems
The attacks have prompted the Industrial Control Systems Cyber Emergency Response Team to issue an alert, warning that the malware has the capability to cause some platforms to crash. The functionality could disrupt an open standard communication protocol used to connect industrial automation and process control devices and applications, the ICS-CERT said.

"ICS-CERT strongly recommends that organizations check their network logs for activity associated with this campaign," the organization said in its alert. "Any organization experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes."

The ICS-CERT was created by the Department of Homeland Security and communicates threat information to public and private sector owners of critical infrastructure facilities. It also provides malware and vulnerability analysis and supports forensics investigations. CRN reported Monday that DHS officials are sharing classified information with trusted managed security services providers. The government agency is expanding its threat intelligence sharing program to more managed security services providers to speed up the process of disseminating information. Targeted cyberattack campaigns also impact small and midsize businesses, which rely on service providers to augment limited IT resources.

The Dragonfly operators are believed to be located in Eastern Europe, according to Symantec, which cited the timing of the operations and the timestamps on the malware analyzed in the campaign as evidence of the origin of the attacks. The same campaign was also uncovered by Irvine, Calif.-based CrowdStrike, which identified attacks in 23 countries in a report issued in January that ties the campaign it calls Energetic Bear to attackers with Russia-based interests.

"Other data supporting a Russia-based adversary are observed in timing data related to these activities that aligns neatly with Russian working hours," CrowdStrike said in its report.

The group is well-funded and has an arsenal of sophisticated malware to launch attacks, Symantec said, adding that the malware opens a backdoor into Windows systems and contains functionality to steal passwords and take screenshots and documents from infected systems.

The latest attack documented by Symantec was against a manufacturer of industrial control systems software that operates wind turbines, biogas plants on farms and energy infrastructure. The compromised software was available for 10 days in April.

A manufacturer of VPN access software for programmable logic controller devices used in industrial control systems discovered its software was corrupted by the attackers and quickly removed it from production. But Symantec said there had already been 250 unique downloads of the compromised software in 2013. A European manufacturer of programmable logic controller devices discovered a compromised driver in one of its software packages. That software was available for download for six weeks in 2013, Symantec said.

PUBLISHED JULY 1, 2014