Widespread Cyber-espionage Campaign Hits Western Energy Sector

An ongoing cyber-espionage campaign against a range of targets is still being carried out by a group known as Energetic Bear, a.k.a. Dragonfly

An ongoing cyber-espionage campaign against a range of targets, mainly in the energy sector of Western countries, is still being carried out by a group known as Energetic Bear, a.k.a. Dragonfly. The crew, likely based in Eastern Europe, has recently managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.

According to Symantec, the targets are energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers, located in the US, Spain, France, Italy, Germany, Turkey and Poland.

As with many cyber attacks on the energy sector, the entry point is industrial control systems (ICS), reached in this case by trojanizing the software updates that ICS equipment vendors ship to their customers.

“The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors,” Symantec noted in a blog. “Its most ambitious attack campaign saw it compromise a number of ICS equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.”

In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations with two main malware tools: a custom piece of malware, written by or for the attackers, called Oldrea, and a trojan known as Karagany. Both are remote access tools (RATs) that give the attackers access to and control of compromised computers.

Oldrea acts as a back door for the attackers onto the victim’s computer, allowing them to extract data and install further malware. Once installed, it gathers system information along with lists of files, installed programs and the roots of available drives. It also extracts data from the computer’s Outlook address book and from VPN configuration files. This data is written to a temporary file in encrypted form before being sent to a remote command-and-control (C&C) server controlled by the attackers.

Unlike Oldrea, Karagany is available on the underground market – though Symantec believes that Dragonfly may have taken this source code and modified it for its own use. The perpetrators are using it in about 5% of the infections.

Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots and cataloging documents on infected computers.

“This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems,” Symantec said. “While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.”

Energetic Bear has the hallmarks of a state-sponsored operation, displaying a high degree of technical capability, and it appears to have been in operation since at least 2011. It may have been active even longer than that. The group initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.

“The campaign against the European and American energy sector quickly expanded in scope,” Symantec said. “The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.”
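The trojanized-update phase described in the two Symantec passages above is the point where a customer-side integrity check on the downloaded bundle would have caught the tampering. What follows is an added example, not code from the original article, from Symantec or from any vendor named here: it builds a constructed sample bundle for a hypothetical ICS vendor (file names and contents are made up), verifies it against a pinned sha256sum-style manifest, and then runs the same check against a copy in which the installer has been repacked and an extra library dropped in. The caveat a practitioner should keep in mind: the manifest must come from a separately authenticated channel (a signed manifest, or one obtained out of band), because if the attacker controls the vendor's download server they can replace the manifest alongside the installer.

```python
"""Verify a software update bundle against a pinned SHA-256 manifest.

Added example: a customer-side integrity check of the kind that would flag a
trojanized vendor update. All file names and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed clean bundle for a hypothetical ICS vendor; not a real product.
CLEAN_BUNDLE = {
    "setup.exe": b"MZ\x90\x00clean-installer-bytes",
    "lib/comm.dll": b"MZ\x90\x00clean-comm-library",
}
# Constructed trojanized copy: setup.exe repacked and a dropped-in library added.
TROJANIZED_BUNDLE = {
    "setup.exe": b"MZ\x90\x00installer-with-rat-stub",
    "lib/comm.dll": b"MZ\x90\x00clean-comm-library",
    "lib/update_helper.dll": b"MZ\x90\x00rat-payload",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files: dict) -> str:
    """sha256sum-style manifest: '<hex digest>  <relative path>' per line.

    In practice the vendor produces this and the customer obtains it over a
    separately authenticated channel; here it is derived from the clean bundle.
    """
    return "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n"
        for name, data in sorted(files.items())
    )


def parse_manifest(text: str) -> dict:
    """Parse the manifest, rejecting malformed lines rather than skipping them."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"manifest line {lineno} malformed: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_bundle(bundle_dir: Path, manifest_text: str) -> dict:
    """Check every file in the bundle; extra files are as suspicious as changed ones."""
    expected = parse_manifest(manifest_text)
    present = {
        p.relative_to(bundle_dir).as_posix()
        for p in bundle_dir.rglob("*") if p.is_file()
    }
    mismatched = sorted(
        n for n in expected
        if n in present and sha256_file(bundle_dir / n) != expected[n]
    )
    missing = sorted(set(expected) - present)
    unexpected = sorted(present - set(expected))
    return {
        "ok": not (mismatched or missing or unexpected),
        "mismatched": mismatched,
        "missing": missing,
        "unexpected": unexpected,
    }


def write_bundle(dirpath: Path, files: dict) -> None:
    for name, data in files.items():
        target = dirpath / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> tuple:
    """Return (clean result, trojanized result) for the constructed bundles."""
    manifest = build_manifest(CLEAN_BUNDLE)
    with tempfile.TemporaryDirectory() as tmp:
        clean_dir, bad_dir = Path(tmp) / "clean", Path(tmp) / "trojanized"
        write_bundle(clean_dir, CLEAN_BUNDLE)
        write_bundle(bad_dir, TROJANIZED_BUNDLE)
        return verify_bundle(clean_dir, manifest), verify_bundle(bad_dir, manifest)


if __name__ == "__main__":
    clean, trojanized = demo()
    print("clean bundle:", clean)
    print("trojanized bundle:", trojanized)
```

The check reports three distinct failure classes (changed, missing, extra) rather than a single boolean, because an operator deciding whether to roll an update out to ICS hosts wants to know whether a core binary was altered or a stray library appeared; a dropped-in DLL with a clean-looking name is exactly the sort of addition a verified manifest makes visible.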

Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current primary motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

“The Dragonfly group is technically adept and able to think strategically,” Symantec said. “Given the size of some of its targets, the group found a ‘soft underbelly’ by compromising their suppliers, which are invariably smaller, less protected companies.”

Symantec said that it has notified affected victims and relevant national authorities, such as Computer Emergency Response Teams (CERTs) that handle and respond to Internet security incidents.
