Symantec Dragonfly 2.0 Report Details Targeting of Energy Sector

On Wednesday, Symantec released a report detailing the targeting of North American and European energy sector entities by a hacking group known as Dragonfly, also tracked as Energetic Bear, an Advanced Persistent Threat (APT) actor believed to act on behalf of, or with the support of, Russian intelligence services. This latest operation, dubbed “Dragonfly 2.0,” has been ongoing since at least December 2015, with a noteworthy increase in activity in the first half of 2017. According to Symantec, the group has successfully compromised several energy companies in the United States, collecting sensitive network and system data, acquiring legitimate credentials, and gaining access to the targets’ operational networks, in some cases taking screen captures of files and human machine interfaces (HMIs). These activities could provide the threat actors with the information needed to prepare disruptive or destructive attacks against US infrastructure in the future. The group gained access to these networks through several infection vectors, including phishing emails, watering hole attacks, and trojanized software. The phishing emails ranged from broad targeting (for example, an attachment purporting to be an invitation to a New Year’s Eve party) to tailored emails related to the energy sector. All emails received by targets contained malicious attachments designed to obtain the user’s network credentials. Some of these email-based attacks used a toolkit called “Phishery,” activity previously reported by Cisco in July, in which the threat actors attempt to steal credentials via template injection attacks. The group also harvested network credentials via watering hole attacks, compromising websites frequently visited by people working in the energy sector. The stolen credentials were then used in subsequent attacks against the target organizations, including the installation of trojans for remote access to the victim’s systems.
Additionally, files disguised as Adobe Flash updates may have been used to install malicious backdoors onto the targeted network. Backdoors installed on these systems include Goodor, Karagany.B, Dorshel, and Heriplor.

The NJCCIC recommends that all organizations within the energy sector, as well as other critical infrastructure asset owners and operators, review Symantec’s Dragonfly 2.0 report, scan for the indicators of compromise (IoCs) provided, and apply the best practices detailed in the report, including implementing a defense-in-depth strategy and a strong password policy. Additionally, refer to the NJCCIC's ICS Threat Profile for a comprehensive set of recommendations and resources for securing critical infrastructure networks.
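The template injection technique attributed to Phishery above relies on a Word attachment whose attached-template relationship points at a remote location rather than a local template file, so Word fetches the template when the document is opened and can prompt the recipient for credentials. A mail gateway or incident responder can flag such attachments before users open them. The following is an added example written for this page, not code from Symantec's report or the NJCCIC: it unpacks a .docx, reads word/_rels/settings.xml.rels, and reports any attachedTemplate target that is off-host. The function names and the sample documents it constructs (including the placeholder host template-server.invalid) are assumptions made here, not values from the report.

```python
"""Detect remote-template (template injection) references in Word documents.

A .docx/.dotx is a zip of OOXML parts. Word records the document's attached
template as a relationship in word/_rels/settings.xml.rels. When that
relationship's Target is an http(s) or UNC location instead of a local file,
Word fetches the template on open, which is the mechanism credential-phishing
documents use. This scanner flags such references.
Added example for this page (not Symantec's or NJCCIC's code); helper names
and sample documents are constructed.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def is_remote_target(target: str) -> bool:
    """True if a template target points off-host (http/https/ftp, UNC, or file://host/...)."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True  # UNC path such as \\server\share\t.dotm
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    if parsed.scheme == "file":
        # file:///C:/.../Normal.dotm is the normal local template (empty host);
        # file://server/share/x.dotm carries a host and is remote.
        return bool(parsed.netloc)
    return False


def find_remote_templates(data: bytes) -> List[str]:
    """Return external attachedTemplate targets found in OOXML bytes (empty if none)."""
    hits: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if SETTINGS_RELS not in zf.namelist():
                return hits  # no settings relationships part: nothing to inspect
            root = ET.fromstring(zf.read(SETTINGS_RELS))
    except (zipfile.BadZipFile, ET.ParseError):
        return hits  # not a well-formed OOXML container; no finding from this check
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        target = rel.get("Target", "")
        if rel.get("Type") == ATTACHED_TEMPLATE and is_remote_target(target):
            hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal OOXML container with an optional attachedTemplate relationship.

    Test fixture only: it holds just enough parts for the scanner to parse.
    """
    rels = [f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">']
    if template_target is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target={quoteattr(template_target)} TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"/>')
        zf.writestr("word/settings.xml", f'<?xml version="1.0"?><w:settings xmlns:w="{W_NS}"/>')
        zf.writestr(SETTINGS_RELS, "".join(rels))
    return buf.getvalue()


def scan_file(path: str) -> List[str]:
    """Scan one document on disk and return its remote template targets."""
    with open(path, "rb") as fh:
        return find_remote_templates(fh.read())


if __name__ == "__main__":
    # With file arguments: scan them. Without: run against constructed samples.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            for t in scan_file(p):
                print(f"REMOTE TEMPLATE  {p}  ->  {t}")
    else:
        samples = {
            "clean": build_sample_docx(None),
            "local_normal": build_sample_docx("file:///C:/Users/user/Templates/Normal.dotm"),
            "remote": build_sample_docx("http://template-server.invalid/t.dotm"),  # constructed
        }
        for name, blob in samples.items():
            print(name, find_remote_templates(blob))
```

The check deliberately ignores the TargetMode attribute alone: Word marks the ordinary local Normal.dotm as External too, so only the target's host decides. Run it as `python scan.py attachment.docx` on quarantined mail attachments, or feed it into a gateway hook that also records the flagged host for blocking and hunting.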