
Dragonfly attack group uncovered

By Admire Moyo, ITWeb news editor
Johannesburg, 01 Jul 2014

New research from Symantec has uncovered a highly adept attack group, dubbed "Dragonfly", which has been in operation since 2011.

Symantec confirmed that Dragonfly is behind several sophisticated attacks on industrial control systems in the energy sector in the US and Europe.

According to Symantec's recent Threat Report, the industry at greatest risk of being targeted for attack is mining (1 in 2.7), a category that includes the oil, gas and other energy-sector companies targeted by this group.

In a blog post, Symantec says the attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organisations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.

Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the US, Spain, France, Italy, Germany, Turkey, and Poland.

According to Symantec, the Dragonfly group is well-resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors.

The security software vendor reveals that Dragonfly's most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan.

This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organisations' networks, but also gave them the means to mount sabotage operations against infected ICS computers.
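The trojanised-update vector described above works because customers trusted whatever the vendor's download site served. The following is an added example, not code from Symantec or from any affected vendor, showing why a checksum published on the same site is no defence once that site is under attacker control, and how a signature over the bundle checked against a key pinned on the customer side rejects the swapped installer. The manifest layout, the bundle contents and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is what the vendor publishes alongside an update bundle.
// Hypothetical format for this example: the SHA-256 of the bundle and an
// Ed25519 signature over that digest, made with the vendor's release key.
type Manifest struct {
	SHA256    [sha256.Size]byte
	Signature []byte
}

// SignBundle produces a manifest for bundle using the vendor's private key.
// This runs on the vendor's release infrastructure, not at the customer site.
func SignBundle(priv ed25519.PrivateKey, bundle []byte) Manifest {
	digest := sha256.Sum256(bundle)
	return Manifest{SHA256: digest, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyBundle is the check the customer runs before installing. The vendor's
// public key is pinned in the verifier (shipped with the first install or
// obtained out of band), never fetched from the download site itself.
func VerifyBundle(pinnedPub ed25519.PublicKey, bundle []byte, m Manifest) error {
	digest := sha256.Sum256(bundle)
	if digest != m.SHA256 {
		return fmt.Errorf("digest mismatch: bundle is %s..., manifest says %s...",
			hex.EncodeToString(digest[:8]), hex.EncodeToString(m.SHA256[:8]))
	}
	if !ed25519.Verify(pinnedPub, digest[:], m.Signature) {
		return fmt.Errorf("signature does not verify under the pinned vendor key")
	}
	return nil
}

// HashOnlyCheck models the weaker practice of comparing the download against a
// checksum published on the same web server. Anyone who can replace the
// installer on that server can replace the checksum too.
func HashOnlyCheck(publishedSHA256 [sha256.Size]byte, bundle []byte) bool {
	return sha256.Sum256(bundle) == publishedSHA256
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample "update bundle" standing in for an ICS vendor installer.
	genuine := []byte("ics-driver-setup v2.3.1 (constructed sample payload)")
	manifest := SignBundle(priv, genuine)
	fmt.Println("genuine bundle:", VerifyBundle(pub, genuine, manifest))

	// An attacker with write access to the download site swaps the installer
	// for one that also drops a remote access Trojan and republishes a
	// matching checksum, but cannot produce a signature under the vendor key.
	trojanised := append([]byte{}, genuine...)
	trojanised = append(trojanised, " + rat-dropper"...)
	attackerSum := sha256.Sum256(trojanised)
	forged := Manifest{SHA256: attackerSum, Signature: manifest.Signature}

	fmt.Println("hash-only check accepts trojanised bundle:", HashOnlyCheck(attackerSum, trojanised))
	fmt.Println("pinned-key check on trojanised bundle:", VerifyBundle(pub, trojanised, forged))
}
```

The pinned key moves the trust decision off the compromised web server, which is the property a checksum alone cannot give. It does not help if the release signing key itself is stolen, so the key should live on separate, better-protected infrastructure than the public download site.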

Symantec notes that this campaign follows in the footsteps of Stuxnet, the first known major malware campaign to target ICS. Where Stuxnet was narrowly aimed at the Iranian nuclear programme and had sabotage as its primary goal, Dragonfly appears to have a much broader focus: its current objective is espionage and persistent access, with sabotage held in reserve as an optional capability.

In addition to compromising ICS software, Dragonfly has used spam e-mail campaigns and watering hole attacks to infect targeted organisations, says Symantec, adding that the group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers, it reveals.