Analyst's note: Dragonfly appears to have broad target focus with espionage and persistent access as its current objective with sabotage as an optional capability if required. Those affected were energy grid operators, electricity generators and petroleum pipeline operators, with the majority of them in the U.S., Spain, France, Italy, Germany, Turkey and Poland, Symantec wrote. Unearthed by the cyber security firm Symantec, Dragonfly has been in operation since at least 2011. Its malware software allows its operators to not only monitor in real time, but also disrupt and even sabotage wind turbines, gas pipelines and power plants -- all with the click of a computer mouse. For various reasons, Dragonfly is believed to be a state-sponsored operation.
******
WASHINGTON – U.S. and European energy companies have become the target of a “Dragonfly” virus out of Eastern Europe that goes after energy grids, major electricity generation firms, petroleum pipelines operators and energy industrial equipment providers.
Unearthed by the cyber security firm Symantec, Dragonfly has been in operation since at least 2011. Its malware software allows its operators to not only monitor in real time, but also disrupt and even sabotage wind turbines, gas pipelines and power plants – all with the click of a computer mouse.
The attacks have disrupted industrial control system equipment providers by installing the malware during downloaded updates for computers running the ICS equipment.
According to Symantec, more than a thousand organizations in 84 countries were affected over an 18-month period.
Most of the targets were in the United States, Spain, France, Italy, Germany Turkey and Poland – all countries belonging to the North Atlantic Treaty Organization.
This has led some analysts to suggest the attacks were orchestrated by Russia, which seeks to build buffers between the Russian Federation and the NATO countries.
Given the time of day of the computer attacks – during work hours – and the targeting of strategic data, analysts believe the attacks were sanctioned by a government.
The attacks apparently are ongoing, as companies in the energy sector continue to sustain damage and disruptions to energy supplies in the most affected countries.
The Dragonfly group is said to have at its disposal a range of malware tools to disrupt computer systems, especially industrial control systems. Sources believe it operates similar to the Stuxnet malware that the United States and Israel had used against Iran’s nuclear program to disrupt the operation of its centrifuges that enrich uranium.
According to Symantec, Dragonfly used two main malware tools – Backdoor Oldrea and Trojan Karagany. The former appears to be customized malware written for the attackers.
Eric Chien of Symantec’s Security Technology and Response Team told Bloomberg in an interview the type of access Dragonfly has indicates something more than snooping.
“When they do have that type of access, that motivation wouldn’t be for espionage,” Chien said. “When we look at where they’re at, we’re very concerned about sabotage.”
“The worst-case scenario would be that the systems get shut down,” Chien said. “You could see the power go out, for example, and there could be disruption in that sense.”
Along these lines, the Federal Bureau of Investigation has uncovered “Ugly Gorilla,” a Chinese hacker who has been targeting utility companies’ systems to cut off heat and damage pipelines. The hacker is said to be working for the Chinese People’s Liberation Army. The hacker was indicted by a U.S. grand jury in May for economic espionage.
As for the Dragonfly hackers, they remained one step ahead of those seeking software packages that would fix their problem. They compromised a number of legitimate software packages that ICS equipment providers would seek to remedy the problem. The malware was inserted into these software remedies they had on their websites, making any downloads compromised before they could be used and, once implemented, compounded the cyber problems of industrial control systems.
Now that it has uncovered these software tools meant to attack industrial control systems, Synmantec has developed antivirus detection software for Backdoor Oldrea and Trojan Karagany.
******
Here is one view of the situation from an unknown source found here
"U.S. and European energy companies have become the target of a "Dragonfly" virus out of Eastern Europe that goes after energy grids, major electricity generation firms, petroleum pipelines operators and energy industrial equipment providers.
Unearthed by the cyber security firm Symantec, Dragonfly has been in operation since at least 2011. Its malware software allows its operators to not only monitor in real time, but also disrupt and even sabotage wind turbines, gas pipelines and power plants -- all with the click of a computer mouse.
The attacks have disrupted industrial control system equipment providers by installing the malware during downloaded updates for computers running the ICS equipment."
******
Energy providers hacked through malicious software updates
Symantec says the Dragonfly campaign, originating in Eastern Europe, sought to gain persistent access to energy suppliers
Eastern European-based attackers gained access to the networks of energy providers by tampering with software updates for industrial control systems, gaining a foothold that could be used for sabotage, Symantec said Monday.
The Dragonfly group, which appears to operate from Eastern Europe, compromised three ICS vendors, adding a piece of remote access malware to legitimate software updates, the security vendor wrote in a blog post Monday.
[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld's Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]
"Given the size of some of its targets, the group found a 'soft underbelly' by compromising their suppliers, which are invariably smaller, less protected companies," Symantec wrote.
The companies unwittingly installed the malware by downloading the software updates from the ICS vendors. Symantec did not identify the vendors, but said it had notified the victims and various computer emergency response centers.
Those affected were energy grid operators, electricity generators and petroleum pipeline operators, with the majority of them in the U.S., Spain, France, Italy, Germany, Turkey and Poland, Symantec wrote.
On Friday, an agency that is part of the U.S. Department of Homeland Security (DHS) issued an advisory on the attacks based on information it received from Symantec and the Finnish security company F-Secure.
The software updates from the three ICS vendors contained Havex, a remote access Trojan that can upload other malware to systems, according to the advisory, published by DHS's Industrial Control Systems Emergency Response Team (ICS-CERT).
Havex, which is also known as Backdoor.Oldrea or Energetic Bear, also gathers a variety of network system information and uploads it to command-and-control servers controlled by the attackers.
Symantec identified a product that provided VPN (virtual-private-network) access to PLC (programmable-logic-controller) devices from one ICS vendor that had been modified by Dragonfly.
The group also modified a driver contained within a software package from a European manufacturer of PLC devices. The modified software was available for download for at least six weeks between June and July 2013, Symantec wrote.
A third European company that develops software for managing wind turbines and bio-gas plants also hosted compromised software for 10 days in April 2014, the vendor wrote.
The Dragonfly group has been around since at least 2011. At that time, it targeted defense and aviation companies in the U.S. and Canada before shifting its attacks to energy companies in the same countries in early 2013, Symantec wrote.
It likened Dragonfly's campaign to that of Stuxnet, which was a stealthy malware attack believed to have been conceived by the U.S. and Israel that destroyed centrifuges used by Iran to refine uranium.
"While Stuxnet was narrowly targeted at the Iranian nuclear program and has sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."
Based on timestamps showing when the malware was compiled, it appears the attackers worked 9 a.m. to 6 p.m. Monday through Friday shifts in a time zone that places them in Eastern Europe, Symantec said.
Security analysts have said that such regular working patterns often indicate that a country may be sponsoring or sanctioning such attacks.
"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," Symantec wrote.
Tampering with software updates is perhaps the most clever of Dragonfly's attacks, but the group also used a variety of other methods to compromise individuals close to the companies they targeted.
Those methods included sending spam emails with malicious PDF attachments and so-called "watering hole" attacks, where spam emails with malicious links aim to lead people to websites that probe computers for software vulnerabilities.
Dragonfly employed two exploit kits, called "Lightsout" and "Hello," which are hacking platforms planted on legitimate websites that try to deliver malware to computers that visit the site, Symantec wrote.
