Symantec has warned of a new attack campaign targeting energy firms, which may have already given the hackers access to operational systems in the US and Europe.
The security giant claimed the Dragonfly threat group is behind the new round of attacks, ongoing since December 2015.
Organizations in the US, Turkey and Switzerland were identified as targets for a range of tools and techniques including malicious emails, watering hole attacks and trojanized software.
Emails with content specific to the energy sector were designed to socially engineer the recipients into opening a malicious attachment. If opened, the attachment would steal the victims' network credentials.
Watering hole attacks were also used to harvest credentials, with the hackers booby-trapping sites likely to be visited by energy sector workers.
The stolen credentials were then typically used in follow-on attacks designed to install backdoors to provide remote access and give the hackers the option of installing additional tools.
“In one instance, after a victim visited one of the compromised servers, Backdoor.Goodor was installed on their machine via PowerShell 11 days later. Backdoor.Goodor provides the attackers with remote access to the victim’s machine,” explained Symantec in a blog post.
“In the 2016 and 2017 campaigns the group is using the evasion framework Shellter in order to develop trojanized applications. In particular, Backdoor.Dorshel was delivered as a Trojanized version of standard Windows applications.”
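As an added illustration of the defender's side of the sequence Symantec describes above (this is not Symantec's code; the hostnames, the watering-hole domain and the log lines are constructed placeholders), the snippet below correlates proxy records against process-creation records and flags a host where a visit to a known compromised site was followed, within a configurable window, by suspicious PowerShell execution. The point is the window: an 11-day gap between visit and install slips past a rule that only looks back 24 hours.

```python
import re
from datetime import datetime, timedelta

# Constructed sample web-proxy records: "<timestamp> <host> <destination>".
# "compromised-watering-hole.example" is a placeholder, not a real indicator.
PROXY_LOG = [
    "2017-03-01T09:14:02 WS-ENG-07 compromised-watering-hole.example",
    "2017-03-01T09:20:11 WS-ENG-07 intranet.example",
    "2017-03-05T16:02:40 WS-OPS-02 news.example",
]

# Constructed process-creation records: "<timestamp> <host> <command line>",
# in the normalised shape a Sysmon / event 4688 collector would produce.
PROCESS_LOG = [
    "2017-03-12T10:31:55 WS-ENG-07 powershell.exe -nop -w hidden -enc SQBFAFgA",
    "2017-03-02T08:00:00 WS-OPS-02 powershell.exe Get-Process",
]

# Placeholder watch-list of compromised sites (would come from threat intel).
WATERING_HOLES = {"compromised-watering-hole.example"}

# Command-line traits common to scripted PowerShell droppers; tune to taste.
SUSPICIOUS = re.compile(
    r"powershell(\.exe)?\s.*(-enc|-w hidden|downloadstring|iex)", re.I)


def parse(line):
    """Split a record into (timestamp, host, remainder)."""
    ts, host, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, rest


def correlate(proxy_lines, process_lines, window_days=30):
    """Return (host, visit_ts, exec_ts, cmdline) tuples for hosts where a
    watering-hole visit was followed within window_days by suspicious
    PowerShell execution."""
    visits = {}
    for line in proxy_lines:
        ts, host, dest = parse(line)
        if dest in WATERING_HOLES:
            visits.setdefault(host, []).append(ts)
    hits = []
    for line in process_lines:
        ts, host, cmd = parse(line)
        if not SUSPICIOUS.search(cmd):
            continue
        for visit_ts in visits.get(host, []):
            if visit_ts <= ts <= visit_ts + timedelta(days=window_days):
                hits.append((host, visit_ts, ts, cmd))
    return hits
```

With the default 30-day window the constructed data yields one hit on WS-ENG-07, eleven days after the visit; with `window_days=7` the same data yields none.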
Symantec claimed that Heriplor and Karagany trojans were both used by Dragonfly in pre-2015 campaigns. The former is not available on the black market at all, it said.
The vendor described Dragonfly as “accomplished” and “highly focused”, using no zero-days but instead generally available malware and admin tools, possibly to thwart attribution. Some code is written in Russian and French, although either could be a false flag, Symantec warned.
“The most concerning evidence of this is in their use of screen captures. In one particular instance the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name],” the firm wrote.
“The string ‘cntrl’ (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems.”
It’s unclear whether the group actually has the ability to shut down or interfere with critical national infrastructure (CNI) facilities, although precedents for such attacks were set in Ukraine in 2015 and 2016, and there’s evidence the US authorities have been monitoring attempts to target nuclear plants.
Ken Spinner, VP of field engineering at Varonis, argued that critical infrastructure firms often rely on outdated security.
“APTs will try to remain undetected as long as possible to do the most damage. Attackers will often establish numerous footholds within a network and attempt to remain undetected while mapping systems and locating key documents, emails, and user accounts,” he explained.
“We’ve seen malware impact energy systems dating as far back as 2003, when the Microsoft SQL Server Worm, Slammer, infected an Ohio-based nuclear power plant network in 2003, causing a temporary outage. The key difference today is that attackers are equipped with far more sophisticated malware that is designed specifically to infiltrate and damage things like electricity substation switches and circuit breakers.”