Operation Dragonfly Documents Russian Attacks On Industrial Systems

Attackers have successfully gained access to the systems running power generation stations, those that support petroleum pipeline operations and other energy sector systems in seven countries including the U.S., according to a new report from Symantec. The company has documented an extensive cyberespionage campaign that may have been powerful enough to sabotage operations at those facilities.

What troubles security industry experts the most is a technique used by those behind the campaign to compromise the supervisory control and data acquisition (SCADA) software used at many critical infrastructure facilities to monitor and control subtle industrial processes. Alerts in recent months have been issued to the operators of all industrial systems, including their contractors, such as consultants and managed service providers that provide IT management and remote network monitoring at many of the facilities.

The campaign Symantec calls Dragonfly is akin to Stuxnet, the powerful Trojan unleashed in 2010 to disrupt the Siemens industrial control system running Iran's nuclear energy program. Dragonfly has been used to spy on energy sector organizations, but attackers also gained access to the systems management software at many of the facilities, enabling them to disrupt critical processes, Symantec said. The group behind Dragonfly began operating in 2011 and infiltrated energy sector businesses in the U.S., Spain, France, Italy, Germany, Turkey and Poland, infecting the software of several industrial control systems manufacturers using a remote access Trojan.

Symantec said it identified seven organizations targeted in spearphishing attacks from February 2013 to June 2013. The targeted campaign also included watering-hole attacks, redirecting victims to legitimate websites where the criminals set up an attack platform to infect visitors. Later, the group targeted the industrial control systems software to infiltrate organizations that downloaded software updates.

"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," Symantec said in its report. "Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability."

Information about the attacks was also released last week by Finnish antivirus vendor F-Secure, which said it identified attacks that compromised remote monitoring software for industrial control systems and software that controls high-precision industrial cameras used in energy sector facilities. F-Secure uncovered 88 variants of a remote access Trojan called Havex and identified more than 100 command-and-control servers supporting the operation.

The attacks have prompted the Industrial Control Systems Cyber Emergency Response Team to issue an alert, warning that the malware has the capability to cause some platforms to crash. The functionality could disrupt an open standard communication protocol used to connect industrial automation and process control devices and applications, the ICS-CERT said.

"ICS-CERT strongly recommends that organizations check their network logs for activity associated with this campaign," the organization said in its alert. "Any organization experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes."

The ICS-CERT was created by the Department of Homeland Security and communicates threat information to public and private sector owners of critical infrastructure facilities. It also provides malware and vulnerability analysis and supports forensics investigations. CRN reported Monday that DHS officials are sharing classified information with trusted managed security services providers. The government agency is expanding its threat intelligence sharing program to more managed security services providers to speed up the process of disseminating information. Targeted cyberattack campaigns also impact small and midsize businesses, which rely on service providers to augment limited IT resources.

The Dragonfly operators are believed to be located in Eastern Europe, according to Symantec, which cited the timing of the operations and the timestamp on the malware analyzed in the campaign as evidence of the origin of the attacks. The same campaign was also uncovered by Irvine, Calif.-based CrowdStrike, which identified attacks in 23 countries in a report issued in January that ties the campaign it calls Energetic Bear to attackers with Russia-based interests.

"Other data supporting a Russia-based adversary are observed in timing data related to these activities that aligns neatly with Russian working hours," CrowdStrike said in its report.

The group is well-funded and has an arsenal of sophisticated malware to launch attacks, Symantec said, adding that the malware opens a backdoor into Windows systems and contains functionality to steal passwords, take screenshots and steal documents from infected systems.

The latest attack documented by Symantec was against a manufacturer of industrial control systems software that operates wind turbines, biogas plants on farms and energy infrastructure. The compromised software was available for 10 days in April.

A manufacturer of VPN access software for programmable logic controller devices used in industrial control systems discovered its software was corrupted by the attackers and quickly removed it from production. But Symantec said there had already been 250 unique downloads of the compromised software in 2013. A European manufacturer of programmable logic controller devices discovered a compromised driver in one of its software packages. That software was available for download for six weeks in 2013, Symantec said.