Dragonfly, the threat actor that was recently called out by the United States as an arm of the Russian government, has been observed using a compromised core router as one of its primary tools in attacks against government agencies and critical infrastructure in Western Europe.
According to analysis from Cylance, a core Cisco router relied upon by one of Vietnam’s largest oil rig manufacturers was penetrated by Dragonfly (aka Energetic Bear, Crouching Yeti, DYMALLOY and Group 24) to harvest credentials that were later used to attempt to penetrate a handful of energy companies in the UK last March.
“This is a discovery whose significance far outweighs its size, given that core router compromises are considerably harder to detect, analyze, patch, and remediate than compromises of PCs,” Cylance researchers said.
Cylance also discovered that Dragonfly has been active against targets in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors for longer than what was previously known.
As for the router, Cylance researchers in 2015 observed a phishing operation that targeted energy sector organizations in the UK. The attacks began with two phishing documents, which relied on the “Redirect to SMB” feature built into Windows.
Following the modus operandi of previous attacks, both documents purported to be the Curriculum Vitae of a Jacob Morrison. When an unsuspecting user would open one of the documents, it would fetch a remote template and attempt to automatically authenticate to the malicious SMB server at 123.30.96.18 by providing the victim's encrypted user credentials. That IP address turned out to be an end-of-life Cisco Infrastructure Router belonging to a large state-owned Vietnamese energy conglomerate, further research has revealed. Dragonfly went on to use that core router to harvest phished credentials, including victims' passwords, which were later likely used to compromise the energy sector targets in the UK.
“The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare,” researchers said. “That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them.”
They added, “The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated. While the end goals of these campaigns can only be speculated upon, their very existence across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely upon their critical services.”
Dragonfly’s operations were initially exposed in 2013 and 2014; yet Cylance research has uncovered additional targets from earlier periods, the most notable of which is a large mining and power company in Kazakhstan.
The group’s journey has been significant. In 2014, Cylance observed the actor go dark for a period of about a year, during which time the firm believes the group was actively retooling. Then, in early 2015 – before US nuclear and energy companies became a target – energy companies in other countries were compromised, both in the nuclear and oil industries, including facilities in Ireland and Turkey.
In 2016, Dragonfly shifted to US targets; the US response to its escalating activities culminated earlier this month, when the US government announced new sanctions against what it termed “Russian cyber actors” for interference in the 2016 presidential election and the NotPetya attack. In the course of that announcement, it also said that “Russian government cyber-actors have also targeted US government entities and multiple US critical infrastructure sectors,” including energy and nuclear power companies.