Symantec has observed a new wave of cyber attacks against companies in the energy sector, carried out by the infamous Dragonfly group.
The Dragonfly group, also known as Energetic Bear, has been active since at least 2011, when it targeted defense and aviation companies in the US and Canada. Only in a second phase, in early 2013, did Dragonfly focus its efforts on US and European energy companies.
In 2014, security experts at Symantec uncovered a new campaign targeting organizations located in the US, Italy, France, Spain, Germany, Turkey, and Poland.
The Dragonfly gang conducted a cyber espionage campaign against energy grid operators, major electricity generation companies, petroleum pipeline operators, and industrial equipment providers for the energy industry.
According to the JAR report published by the US Department of Homeland Security, Dragonfly is a Russian APT actor linked to the Russian Government.
The notorious group had stayed under the radar since December 2015, but researchers have now identified Dragonfly targeting energy companies in Europe and the US.
This time the attackers aimed to control, and even sabotage, operational systems at energy facilities.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” reads the report published by Symantec.
According to Symantec, the Dragonfly 2.0 campaign began in late 2015, and the threat actors used the same TTPs as in earlier campaigns.
“The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations. The group behind these attacks is known as Dragonfly,” reads the analysis published by Symantec. “The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014. This “Dragonfly 2.0” campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group.”
Researchers discovered many similarities between earlier Dragonfly campaigns and the recent attacks.
The energy sector has become a privileged target for state-sponsored hackers over the last two years; consider, for example, the power outages caused in Ukraine in 2015 and 2016 that were attributed to Russian APT groups.
Symantec believes the group is very sophisticated and operates in a way that makes attribution of the attacks hard. Below are some of the techniques employed by the hackers:
- The attackers used more generally available malware and “living off the land” tools, such as administration tools like PowerShell, PsExec, and Bitsadmin, which may be part of a strategy to make attribution more difficult. The Phishery toolkit became available on Github in 2016, and a tool used by the group—Screenutil—also appears to use some code from CodeProject.
- The attackers also did not use any zero days. As with the group’s use of publicly available tools, this could be an attempt to deliberately thwart attribution, or it could indicate a lack of resources.
- Some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.
The experts observed most attacker activity in organizations in the US, Turkey, and Switzerland.
Phishing emails observed by Symantec were created with the Phishery toolkit in an attempt to steal victims’ credentials via a template injection attack.
The attackers also used watering hole attacks to harvest network credentials, targeting websites likely to be visited by personnel involved in the energy sector.
Symantec reported that in at least one case, the watering hole attack was used to deliver the Goodor backdoor via PowerShell 11 days later.
“Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks—perhaps by using social engineering to convince a victim they needed to download an update for their Flash player. Shortly after visiting specific URLs, a file named “install_flash_player.exe” was seen on victim computers, followed shortly by the Trojan.Karagany.B backdoor,” continues the analysis.
While the first Dragonfly campaigns appear to have been more of a reconnaissance phase, the Dragonfly 2.0 campaign seems to have disruptive purposes.