Dragonfly’s comeback: Scary energy sector attack campaign

The majority of malware and hacker attacks target money, information and stolen identities. A scary campaign appears to be underway against our power providers. By 'our' I mean the US. Switzerland and Turkey have also been targeted.

The Dragonfly campaign in 2011 gathered information on power grids and their providers. It even included US nuclear power facilities. Dragonfly used a Russian code string, an attack attribute that points to Russian actors. While this attribution is hard to nail down, several security analysts have put the blame on Russian organizations.

The goal of the campaign was to gather intelligence to sabotage power grids. The specific information targeted was employee credentials, which allow remote access to the provider's systems.

The methods used were phishing emails with industry-specific messaging and event invites. Other methods included trojanized software and watering hole websites.

Watering hole websites are sites that employees of the victim company routinely visit. Threat actors infect those sites with malware. The malicious payload is then delivered to the victim's browser, and ultimately to their system.

After a few years of silence, Dragonfly is back. The current campaign employs many of the same tactics, including the same Trojans. This time, the Phishery toolkit is used for a template injection attack. The goal is still the same - steal credentials to gain control of victim computers.

According to analysts, credentials are not the only targets. Exfiltrated data included screen capture files. Other identified attributes were machine descriptions, locations and organization names. Attempts to access operating systems appear to have been successful.

The use of watering hole and web drive-by attacks is alarming. Companies need strong Internet gateway security, endpoint security, and organizational security training. These are bold attackers, with possible nation-state affiliations. These kinds of attackers are patient and practice "low and slow" methods of data extraction. Employees of targeted organizations should not wait for symptoms before assuming that they are under attack. Vigilance is required from all organizations that hold critical data, or in this case, critical infrastructure.

For more than 20 years, ContentKeeper has delivered comprehensive, accessible web security solutions for global enterprises, educational institutions and government agencies. We enable our customers to protect their networks, users and data from cyber threats while embracing mobile technology, Internet of Things (IoT) and cloud-based services.

About the author: Paul Hafen is an 18-year veteran in the cybersecurity field. He's co-founder of a security firm and has worked with hundreds of organizations on security projects. A blogger with an emphasis on malware and data loss topics, he researches and reports on the latest vulnerabilities and attacks for ContentKeeper.

*Photo Credit: NASA Earth Observatory