Hacker group ‘Dragonfly’ targeting U.S., EU energy sector

Market news
By Rich Pell

The group behind these attacks – known as Dragonfly – has been in operation since at least 2011 but has re-emerged over the past two years, says Symantec, with a distinct increase in activity in 2017. The latest campaign, called “Dragonfly 2.0,” appears to have begun in late 2015 and shares tactics used by the group in earlier campaigns, including malicious emails, watering hole attacks, and Trojanized software.

The group appears interested in learning how energy facilities operate and also in gaining access to operational systems. If successful, warns Symantec, it “potentially has the ability to sabotage or gain control of these systems should it decide to do so.”

The earliest activity in the latest campaign identified by Symantec was a malicious email campaign sent to targets in the energy sector in December 2015. Once opened, an attached malicious document would attempt to leak victims’ network credentials to a server outside of the targeted organization.

Similar malicious emails were sent during 2016 and into 2017. For example, according to Reuters, in June the U.S. government warned industrial firms about a hacking campaign targeting the nuclear and energy sectors, which involved phishing emails designed to harvest credentials in order to gain access to targeted networks.

In addition to sending malicious emails, says Symantec, the group also used watering hole attacks to harvest network credentials by compromising websites that were likely to be visited by those involved in the energy sector. The stolen credentials were then used in follow-up attacks against the target organizations.

In yet another tactic, the group has compromised legitimate software to deliver malware to its targets. Once installed on a victim’s computer, such trojanized software gives the attackers remote access and lets them install additional tools as needed.

Symantec warns that, unlike earlier campaigns, which appeared to be more exploratory in nature, the latest activity could be giving attackers access to operational systems, with potentially disruptive consequences. What is clear, Symantec says, “is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems.”
