A new “wave of cyberattacks” could be poised to hit the energy sectors of the US, Turkey, and Switzerland, giving hackers the ability to “severely disrupt affected operations,” according to a new report from Symantec.
The report centers around a hacking group known as Dragonfly. The group has been operating off and on since 2011, the report said, but it has recently come back on the scene with new attacks starting in 2015. This time, the group is going after the energy sector.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” the report said.
Cyberattacks on infrastructure are growing in their impact, with a December 2015 attack taking out part of Ukraine’s power grid. The Symantec report also noted that attacks have been attempted on grids in other European countries, and on nuclear facilities in the US as well.
The latest string of attacks by Dragonfly also began in December 2015, the report said. It now appears that the first set of attacks was exploratory, and may have been setting the stage for more destructive attacks in the group’s current efforts.
“Sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns,” the report said.
In the current attacks, Dragonfly is using malicious emails, watering hole attacks, and Trojanized software to gain access to the victim’s network, the report said. Three specific Trojans were also identified in the group’s efforts: Trojan.Heriplor (Oldrea stage II), Trojan.Karagany, and Trojan.Listrix (Karagany stage II).
The earliest attacks in this second string of exploits began with malicious emails. In December 2015, the report said, fake invitations to a New Year’s party and other emails targeting energy sector professionals contained malicious documents that would leak victims’ network credentials or allow the attackers to steal credentials through a template injection attack. Those credentials were then used for follow-up attacks in the future, the report said.
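The credential-leaking documents described above work by making Office fetch a template from an attacker-controlled location when the file is opened. As a defensive illustration (added here, not code from the Symantec report), the following checks a .docx for relationship entries that point at an external template or resource; it assumes the document uses the standard OOXML relationship markup (`word/_rels/*.rels` with `TargetMode="External"`), and the sample document and host name are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical detector, not from the Symantec report: flag Office documents whose
# relationship parts reference an external template or resource. Assumption: the
# document carries the reference in standard OOXML .rels markup.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SUSPICIOUS_SCHEMES = {"http", "https", "file", "ftp"}

def external_references(docx_bytes):
    """Return (part, relationship type, target) for every externally targeted relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                # UNC paths (\\host\share) have no URL scheme but still cause Office to
                # authenticate outbound, which is how network credentials leak.
                if scheme in SUSPICIOUS_SCHEMES or target.startswith("\\\\"):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings

def build_sample_docx(template_target):
    """Constructed minimal .docx whose settings part has an external attachedTemplate."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample with a placeholder host, not an indicator from the report.
    sample = build_sample_docx("http://template-host.invalid/party.dotm")
    for part, rel_type, target in external_references(sample):
        print(f"{part}: {rel_type} -> {target}")
```

A relative template path (a local .dotm) is not flagged, so the check targets only references that make the client reach out over the network.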
Many of the methods observed by Symantec seem to link the group to previous attacks that may have been carried out for the same reason. However, the report said, it is difficult to tell who is actually behind Dragonfly or where the group is based.
Since the attacks rely on credentials, Symantec recommends using proper password hygiene, utilizing two-factor authentication, and deleting unused credentials. The report also said it is a best practice to limit the number of admin profiles. Researchers also said users should employ multiple defense systems, enforce a strong security policy, understand the tools of the attackers, and educate their employees on avoiding phishing emails.
The 3 big takeaways for TechRepublic readers
- A hacking group known as Dragonfly seems to be targeting energy sector companies in the US, Turkey, and Switzerland, according to a Symantec report.
- In its attacks, the group is using malicious emails, watering hole attacks, and Trojanized software to gain access to victim networks and disrupt operations.
- Users should protect themselves by educating employees, using proper password techniques, limiting admin profiles, understanding hacking tools, and more, the report said.