The hacker group Dragonfly 2.0 has breached U.S. and European energy companies, gaining operational access to power grids. This level of access would allow the attackers to “flip the switch” at power companies, cutting the flow of electricity to homes and businesses in the U.S.
Through its investigation, Symantec uncovered over 20 cases where the attackers accessed targeted power company networks, an intrusion set Symantec links to the earlier Dragonfly campaigns of 2011 to 2014.
It Started with Phishing
Symantec traces the origin of the attack as far back as 2015, when the Dragonfly 2.0 group sent malicious New Year’s Eve party invitations to utility company staff. Other methods used by the group include spear-phishing, watering-hole attacks and Trojanized software.
Phishing emails are difficult for many employees to spot, and attackers commonly use them to harvest user credentials and, later, to install malware. The phishing emails sent by the group were highly sophisticated and targeted: their content was energy-sector focused and sometimes referred to company-specific business topics.
Stolen Credentials: The Keys to the Castle
When staff opened the malicious emails from Dragonfly 2.0, the group installed malware that gave it remote access to their computers. From there, the attackers explored the networks to identify machines with access to critical operating systems, taking screen captures of those machines and labelling them with machine descriptions, server locations and organization names.
What Dragonfly 2.0 intends to do with the harvested credentials and its access to operational controls remains to be seen.
Who is Dragonfly 2.0?
Much is unknown about the hackers behind Dragonfly and their motivations. Here is what investigators understand so far:
- Intelligence gathered over its multiyear attacks shows Dragonfly has a deep understanding of energy facility operations; its recent access to operational controls shows it may now be able to command them
- Dragonfly hacker activity appears to be concentrated in the U.S., Turkey and Switzerland
- The U.S. and Turkey have been key hacker targets
- The group uses mainly open-source hacking tools and common utilities, such as PowerShell and Phishery, perhaps to delay attribution
- Trojans used in the attack include Trojan.Karagany, Trojan.Listrix (Karagany stage II), Backdoor.Oldrea and Trojan.Heriplor (Oldrea stage II)
- The code used in the attacks contains strings in several languages (Russian, French), potentially planted as “false flags”
Combating the Threat With Workforce Education
According to the latest Verizon Data Breach Investigations Report, phishing plays a role in over 90% of security incidents. That same study found that of the 7.3% of employees who click on phishing email links and attachments, 15% take the bait a second time.
Unfortunately, many teams outside the IT department never receive training on how to spot, and prevent, phishing attempts. SecurityIQ by InfoSec Institute can prepare diverse teams for security threats by increasing security awareness.
SecurityIQ clients can choose from over 100 templates in our PhishSim library (including Dragonfly templates!), or easily create customized emails to mimic phishing attacks commonly seen in their industries. We recommend pairing phishing simulations with lessons from our AwareEd modules, an approach that’s allowed our clients to drop phish rates to as low as 1%.
Source: Dragonfly: Western energy sector targeted by sophisticated attack group, Symantec