430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Dragonfly gang is targeting Western energy industry

Security experts at Symantec have detected a new series of attacks worldwide conducted by the Dragonfly gang on SCADA/ICS in critical infrastructure. The energy industry is under attack, more than one thousand companies in Europe and North America are constantly under attack. ICS/SCADA systems are privileged targets of state-sponsored hackers and cyber criminals, last week I wrote […]

greyenergy

Security experts at Symantec have detected a new series of attacks worldwide conducted by the Dragonfly gang on SCADA/ICS in critical infrastructure.

The energy industry is under attack, more than one thousand companies in Europe and North America are constantly under attack.

ICS/SCADA systems are privileged targets of state-sponsored hackers and cyber criminals, last week I wrote of the discovery made by security experts from F-Secure which detected a variant of Havex targeting critical infrastructure.

The attackers conducted watering-hole attacks compromising ICS vendor website, the SCADA vendors targeted by the Havex campaign are based in Germany, Switzerland and Belgium, two of them are suppliers of remote management software for ICS systems and the third one develops high-precision industrial cameras and related software.

Security experts at Symantec discovered a new campaign targeting organization located in the US, Italy, France, Spain, Germany, Turkey, and Poland, the researcher dubbed the bad actors behind the attacks the “Dragonfly” gang.

Dragonfly attacks

The Dragonfly group, also known by other vendors as Energetic Bear, seems to be operating since at least 2011 when it targeted defense and aviation companies in the US and Canada.  Only in a second phase Dragonfly has focused its effort on US and European energy firms in early 2013.

Symantec has immediately informed the victims and national authorities, including Computer Emergency Response Centers (CERTs).

“The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.” states a blog post from Symantec.

Dragonfly gang hit energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers with cyber espionage campaign.

The gang could count on different attack vectors, including watering hole attacks, spear-phishing emails and trojanized ICS software updates like the case of Havex RAT.

According to Symantec, the Dragonfly gang is well resourced, it can count on numerous malicious tools to conduct its campaign, the two main malware tools used by attackers are the Backdoor.Oldrea and the Trojan.Karagany

“Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.” states Symantec.

Differently from the popular Stuxnet virus which was primarily designed for sabotage purpose, the malware used by Dragonfly gangs were designed to allow espionage and persistent access to the targeted systems.

Also in this case the attackers are mainly interested to data exfiltration from targeted industrial systems, the motivation for such attacks is still unclear, but the Symantec team suspects that behind Dragonfly there are state sponsored hackers.

I fear that these cases represent only the tip of the iceberg, many attacks to date have not yet been identified, while the number of attacks is likely to increase.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  SCADA,  Dragonfly)

[adrotate banner=”5″]

[adrotate banner=”13″]