Energy Companies in America and Europe hacked by Dragonfly

Data from thousands of energy companies in the United States and Europe have been compromised in an on-going cyber espionage campaign being carried out by an Eastern European hacker group called Dragonfly.

According to a report by digital security firm Symantec, companies predominantly belonging to the energy sector were spied upon by Dragonfly. Energy supplies could be affected in the countries hit by the espionage operation.

The Symantec report provides a list of the sectors and countries thought to have been the targets of Dragonfly's latest cyber espionage campaign.

The list includes various electricity generation companies, petroleum suppliers and industrial energy equipment providers across the United States, France, Italy, Germany, Spain, Poland and Turkey.

A number of other countries are also said to have been hit by Dragonfly's latest digital espionage operations, but no UK-based companies are mentioned in the report.

State-sponsored

Symantec said the primary goal of the campaign was espionage, and that it "bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability."

Dragonfly used a range of malware delivery mechanisms, utilising multiple attack vectors that allowed them to infect various parts of victims' systems.

Initially the group used malware attached to phishing emails sent to employees of the energy companies, before adding what are known as "watering hole attacks." In these attacks, websites likely to be visited by employees of energy companies are compromised by the attackers, and whenever someone visits one of these websites their browser is redirected to an exploit kit which installs the malware on their computer without any further action on their part.

The final method employed by Dragonfly was the most sophisticated and saw the "Trojanising of legitimate software bundles" belonging to three different industrial control systems (ICS) equipment manufacturers.

It meant that when employees downloaded what they thought were valid software updates from the vendors' own sites, they were also downloading the malware, which gave the attackers remote access to their computers and allowed them to monitor and record everything happening on the system.
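The practical defence against the trojanised-update vector described above is to verify every downloaded bundle against integrity data the vendor publishes through a channel the attacker did not control. The following is an added example, not code from the article, from Symantec, or from any of the affected vendors: it assumes a vendor ships a manifest of per-file SHA-256 digests for each release, and it checks a downloaded zip bundle against that manifest, reporting files that were added, altered or dropped. The sample bundles and file contents are constructed in memory for the demonstration.

```python
"""Verify a downloaded software bundle against a vendor-published manifest.

Added example, not from the article or the vendors it describes. Assumes the
vendor publishes a per-file SHA-256 manifest for each release and that the
manifest is fetched from a source independent of the download page (if both
live on the same compromised web server, an attacker who swaps the installer
can swap the manifest too; a signature made with an offline key is stronger).
All bundle contents below are constructed sample data.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class VerifyResult:
    modified: list = field(default_factory=list)  # hash differs from manifest
    added: list = field(default_factory=list)     # present in bundle, not in manifest
    missing: list = field(default_factory=list)   # in manifest, absent from bundle

    @property
    def ok(self) -> bool:
        return not (self.modified or self.added or self.missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Per-file SHA-256 digests, as a vendor would publish for a release."""
    return {name: sha256_hex(data) for name, data in files.items()}


def make_bundle(files: dict) -> bytes:
    """Construct an in-memory zip bundle (sample data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_bundle(bundle: bytes, manifest: dict) -> VerifyResult:
    """Compare every entry in the bundle with the manifest.

    A trojanised installer that carries an extra DLL or a patched executable
    fails verification even though the vendor's own files are left intact.
    """
    result = VerifyResult()
    seen = set()
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen.add(info.filename)
            digest = sha256_hex(zf.read(info))
            expected = manifest.get(info.filename)
            if expected is None:
                result.added.append(info.filename)
            elif digest != expected:
                result.modified.append(info.filename)
    result.missing = sorted(set(manifest) - seen)
    result.added.sort()
    result.modified.sort()
    return result


# Constructed sample: a clean vendor release, then two tampered variants.
CLEAN_FILES = {
    "setup.exe": b"MZ...original installer bytes...",
    "driver/plc_io.dll": b"original driver code",
    "README.txt": b"Install notes",
}
MANIFEST = build_manifest(CLEAN_FILES)

# Extra loader dropped next to the legitimate files (bundle wrapped, not patched).
TROJAN_EXTRA = {**CLEAN_FILES, "driver/loader.dll": b"malicious loader"}
# Legitimate installer replaced by a patched one.
TROJAN_PATCHED = {**CLEAN_FILES, "setup.exe": b"MZ...installer with RAT appended..."}


if __name__ == "__main__":
    for label, files in [("clean", CLEAN_FILES), ("extra dll", TROJAN_EXTRA),
                         ("patched exe", TROJAN_PATCHED)]:
        r = verify_bundle(make_bundle(files), MANIFEST)
        print(f"{label:12s} ok={r.ok} added={r.added} "
              f"modified={r.modified} missing={r.missing}")
```

A hash manifest only helps if it cannot be replaced alongside the download, which is exactly what happened to the installers on the vendors' sites in this campaign; in practice the manifest should be signed with a key held offline, or at minimum obtained from a second source and compared before the installer is run.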

Energetic Bear

While Symantec says that the energy sector is the largest target in these attacks, Russian security firm Kaspersky Lab has also been investigating the malware campaign and believes that the victims span a wider range of enterprises than previously thought.

"The largest amount of the victims Kaspersky Lab identified fall into the industrial/machinery building sector, indicating this is of special interest. Among other victims were research universities, pharmaceutical and construction companies, mechanical and information technologies, and a variety of other technical providers," Costin Raiu from Kaspersky Lab said.

"Overall, we observed about 2,000 unique victims worldwide with the most popular attack tool being the Havex trojan. Most of them are located in the US, followed by Spain, Japan, Italy, Germany and France," Raiu added.

The Dragonfly gang (also known as Energetic Bear) is thought to have been operating actively from 2011. The criminal group earlier carried out cyber-attacks on companies in the aviation and defence sectors, predominantly in Canada and the US, according to Symantec.

Oldrea and Karagany

The gang used two main types of malware during its attacks. The first is known as Oldrea (also known as Havex or the Energetic Bear RAT), which appears to be custom-made malware, likely written by or for the gang itself. It gives the attackers remote access to a system, allowing them to extract information and install further malware.

The second piece of malware used by the gang is known as Karagany. It is widely available on underground forums, but Symantec believes that Dragonfly may have modified its source code for its own purposes.

Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer, Symantec says.
