ICS Information Security Assurance Framework 7

ICS Information Security Assurance Framework 7

January 23, 2020 | Mina Hao

2.2.2 Dragonfly 2.0 Malware

The Dragonfly organization, also known as Energetic Bear, mainly carries out cyber espionage activities targeting electric power operators, major power generation enterprises, petroleum pipeline operators, and industrial equipment providers in the energy sector. According to a Joint Analysis Report (JAR) released by the Department of Homeland Security (DHS), Dragonfly is a Russian APT entity sponsored by the Russian government.

The information publicly availably reveals that Dragonfly, a hacker organization with a wide range of attack capabilities, can access the target network with stolen credentials of victim hosts and also provide an extensive customized hacking toolset to launch attacks against the target network. From the viewpoint of the evolution from Dragonfly 1.0 to Dragonfly 2.0, this hacker organization is taking more and more countermeasures (such as HTTPS-encrypted communication, real-time download and execution of encrypted shellcode, pre-initialized code hijacking,
and template injection) and beginning to use legitimate system management tools like PowerShell, PsExec, and Bitsadmin to launch attacks. To some extent, this makes it more difficult to discover threats.

Though the hacker organization has never exploited 0-day vulnerabilities for attacks, it is an organization carrying out highly targeted attacks as it has been collecting intelligence from the energy sector for a long time. Looking at its attack cases, we can see that this organization is motivated by political reasons.

Symantec indicates that it has been tracking this organization from 2011 and has revealed the association between this organization and cyberattacks launched against western enterprises in 2014.

The following lists attacks initiated by this organization:

In 2011, it targeted the defense and aviation companies of the USA and Canada.

In a second phase in early 2013, Dragonfly focused its effort on US and European energy firms.

In 2014, it targeted organizations in the USA, Italy, France, Spain, Germany, Turkey, and Poland.

After the report went public in 2014, the Dragonfly group went dark and appeared again in December 2015 when it launched cyber-attacks on Turkish energy companies that were also targeted during 2016.

After being dormant for several years, this organization has become active again recently. Researchers find that Dragonfly has hit energy companies in the USA and Europe (Turkey and Switzerland), aimed at taking control of and even compromising energy facilities.

Like Dragonfly 1.0, Dragonfly 2.0 uses more than one attack method (malicious email, watering-hole attack, and legitimate software binding) to penetrate into the target and plant malicious code. For Dragonfly 1.0, activities were conducted for reconnaissance, while those by Dragonfly 2.0 are carried out for destructive purposes. Here show what policies are adopted by the hacker.

The attacker employs widely available malware and “living off the land” tools such as administration tools like PowerShell, PsExec, and Bitsadmin.

Dragonfly 2.0 adopts all sorts of attack means, from spear phishing emails to watering-hole attacks. In the first attacks spotted by Symantec in December 2015, hackers used spear phishing messages disguised as an invitation to a New Year’s Eve party.

From 2016 to 2017, the attacker usually used spear phishing emails to target the energy sector.

Symantec found that phishing emails were crafted with the Phishery toolkit, attempting to steal victims’credentials through a template injection attack. Also, the attackers resorted to watering-hole attacks to target websites that were likely to be visited by personnel in the energy sector, so as to obtain network credentials. Symantec reported that in at least one case, the watering hole attack was used to deliver the Goodor backdoor via PowerShell 11 days later.

Here, we only give a general introduction to this malware and its organization. For more details about this malware, please see related analysis reports.

To be continued.