Dragonfly: Energy companies under threat of sabotage

Dragonfly: A continuing cyber attack against a range of different targets, particularly in the energy sector, has allowed attackers to carry out sabotage operations against their victims. Attackers, known to Symantec as a Dragonfly, managed to attack a number of strategically important organizations for espionage purposes and, if they had used the sabotaging capabilities available to them, could have caused damage and power supply problems in the countries affected.   


Among its objectives Dragonfly were energy service providers, large electricity generating companies, oil supply companies and industrial energy equipment providers. The majority of victims came from the USA, Spain, France, Italy, Germany, Turkey and Poland.

The team Dragonfly it has many resources, with a set of tools malware in her hands and is able to carry out attacks through a number of different vectors. The most ambitious attack he made was on equipment suppliers of industrial control systems (ICS), attacking their software with one Trojan remote access. That's how the companies installed it malware during the procedure downloading of software updates for computers that have equipment ICS. These violations not only gave the attackers a head start on companies' networks but also gave them the means to conduct sabotage actions on the infringed ICS computers.

This campaign comes after him Stuxnet, which was the first known major attack malware in systems ICS. While the Stuxnet the Iranian nuclear program and the sabotage was its main purpose, the Dragonfly seems to have a much wider range of spying and persistent access to being the primary purpose and sabotage to be just an optional option if requested.    

In addition to the violation ICS software, the Dragonfly has used it spam email campaigns and watering hole type attacks to offensive targeting businesses. The team used mainly two tools malware: the Backdoor.Oldrea and the Trojan.Karagany. The first seems to be a niche malware, either written by or for the attackers. 

Before disclosure, the Symantec alerted the victims and the relevant national authorities, such as the Computer Emergency Response Centers (CERTs) who handle and respond to Internet security incidents.


The team Dragonfly, which is also known by other suppliers under the name Energetic Bear, operates at least from 2011 and may be active for much longer. The group initially targeted defense and aviation companies in the US and Canada before turning its attention to energy companies in the US and Europe at the beginning of 2013.

The attack on the energy sector in the US and Europe has expanded very quickly. The team initially started sending malware via phishing email to the staff of these companies. Later, the team added attacks watering hole on the broken websites that were likely to be visited by those involved in the energy sector so that they can redirect them to websites that host exploit kit. It exploit kit in turn, spread malware on the computers of the victims. The third phase of the attack was Trojanizing legitimate software that belonged to three different manufacturers ICS equipment.   

The Dragonfly brings the milestone of an activity supported by the state, showing a high level of technical skill. The team is able to make attacks through multiple vectors and infringing numerous third-party websites in the process. The Dragonfly has been targeting many companies in the energy sector over a long period of time. The main motive seems to be cyber targeting, with sabotage aspirations at a secondary level.

The analysis of compilation timestampson malware which was used by the attackers shows that the group was mainly active between Monday and Friday, focusing mainly on a period of nine hours ranging from 9 to 6 from a working day in the time zone UTC + 4. Based on this information, it is likely that the attackers will be based in Eastern Europe.  

The tools used

The Dragonfly uses two main parts of it malware in his attacks. Both are remote access tools (RAT) malware, which provide attackers with access to and control of infringing systems. The favorite tool malware of Dragonfly is Backdoor.Oldrea, which is also known as Havex or as Energetic Bear RAT. It Oldrea works as back door for attackers to access victims' computers, allowing them to export data and install additional malware.

That Oldrea appears as custom malware, either created by the group itself or created by a third party for the needs of the group. This provides some clues to the capabilities and resources behind the group Dragonfly.

Dragonfly 1

1 Chart. The top 10 countries with active infections (where attackers stole information from compromised systems)

Once installed on the victim 's computer, the Oldrea collects system information, along with file lists, installed programs, and available guides. It also extracts data from its addresses Outlook the computer and the files VPN. This data is aggregated into one temporary file to one encrypted format before they are sent to a remote one command-and-control (C&C) server controlled by the attackers.

The majority of C&C servers appear to be hosted in violations server, who run content management systems, indicating that attackers may have used the same means to gain control over each server. It oldrea has a basic control panel that allows it authenticated user to download a compressed version of stolen data for each victim separately.

The second main tool that uses the Dragonfly is Trojan.Karagany. In contrast with Oldrea the Karagany was available in the illegal market. The source code for 1's version Karagany leaked 2010. OR Symantec considers that Dragonfly took this code and modified it for its own use. This version was detected by Symantec as a Trojan.Karagany!gene1.

The Karagany is capable of doing upload stolen files to do download for free new files and performs executable files on an infected computer. It is also capable of performing in addition Plugin, such as code capture, downloading tools screenshot, and to categorize files in infringing systems.

Η Symantec found that the majority of computers infringed by the attackers were infected with Oldrea. It Karagany was used only at 5% of infections. Those two malware are similar in functionality and what motivates the attacker to choose one against the other remains unknown.

Multiple vectors attacks

The team Dragonfly has used at least 3 tactics to contaminate its targets in the energy sector. The most recent method was one email spam campaign, which was sent to selected executives of the target companies email which included a malicious one PDF attached file. Thecontaminatedemail it hadOne fromtheirtwotitles: "The account" or "Settlement of delivery problem".All email came from one address gmail.

The campaign spam started in February of 2013 and continued until June of 2013. OR Symantec found 7 different organizations targeting this campaign. The number of email received by each organization ranged from one to 84.

Attackers have changed their focus on press attacks watering hole, violating a series of energy-related web pages and installing one iframe to each of them, which he did redirect visitors to another infected legal website  who hosted it Lightsout exploit kit. It Lightsout exploits them Java and Internet Explorer with the aim of installing them Oldrea ή Karagany on the victim's computer. The fact that the attackers violated a range of legitimate websites for each stage of this activity shows that the team has strong technical capabilities.

In September of 2013, the Dragonfly began using a new version of it exploit kit, known as Hello exploit kit. The page of this kit includes javascript which gets fingerprints of the system, locating installed ones browser plugins. The victim is redirected to URL, which in turn decides what is the best means of collecting the required information.

Trojanized software

The most ambitious attack instrument used by the Dragonfly was the violation of a series of legitimate software packages. Three different suppliers ICS equipment was violated and the malware was incorporated into the software that was available for download for free from the respective websites. All three companies built equipment used in industrial sectors, including energy.

The first Trojanized software that was detected was a product it provides VPN access to programming and control devices (PLC). The vendor discovered the attack almost immediately after the violation but has already been 250 downloads of the infringing software.

The second company that was violated was a European specialist maker PLC devices. In this case, a software that contains one driver for one of the company's devices violated. OR Symantec considers that Trojanized software was available for use for at least 6 weeks in June and July of 2013.

The third attacking company was a European company that developed systems that run wind turbines, biogas plants, and other energy infrastructure. OR Symantec estimates that infringing software may have been available for 10 days in April 2014.

The team Dragonfly is technically experienced and capable of strategic thinking. Thinking about the size of some of its goals, the group found a "soft underbelly"Violating their suppliers, which are generally smaller and less protected.


Η Symantec has discovered the following, which will help customers protect themselves from it malware who use these attacks:

Antivirus detections

Intrusion Prevention Signatures

For more technical information, read it whitepaper on http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf.

Registration in iGuRu.gr via Email

Enter your email to subscribe to the email notification service for new posts.

Read them Technology News from all over the world, with the validity of iGuRu.gr

Follow us on Google News iGuRu.gr at Google news