The well-known Dragonfly hacking group, which has been in operation since at least 2011, is back and remains focused on targeting US and European companies in the energy sector.
Yes, I'm talking about the 'Dragonfly hacking group', a group of hackers based in Eastern Europe with significant resources, responsible for sophisticated cyber-espionage campaigns against critical energy infrastructure companies in several countries over the last few years.
In 2014, we reported on the ability of the Dragonfly hacking group to mount sabotage operations against its targets, especially gas pipeline operators, power generation companies and other providers of industrial control systems (ICS) equipment for the energy industry.
Researchers at the computer security company Symantec, who uncovered the previous campaign, have now observed a new campaign they call Dragonfly 2.0, saying "The group now potentially has the ability to sabotage or gain control of these systems if they choose to" and that it has already gained unparalleled access to the operational systems of Western energy companies.
The key points of the group's activities described in the new Symantec report are:
- The hacking group has been active since the end of 2015 and uses the same tactics and tools as in its previous campaigns.
- The main purpose of the Dragonfly 2.0 hacking group is to gather information and gain access to target organizations' networks, which would allow the group to perform sabotage operations if needed.
- Dragonfly 2.0 has focused on critical energy sectors in the United States, Turkey, and Switzerland.
- Like previous Dragonfly campaigns, the hackers are using malicious emails (with very specific content related to the energy sector), watering hole attacks, and trojanized software as the initial attack vector to gain access to a victim's network.
- The group is using a toolkit named Phishery (available on GitHub) for its email attacks, which relies on a template injection attack to steal victim credentials.
- The malware campaign involves several remote access Trojans disguised as Flash updates, called Backdoor.Goodor, Backdoor.Dorshel and Trojan.Karagany.B, which give the attackers remote access to the victim's computer.
- However, Symantec researchers did not find any evidence of the Dragonfly 2.0 hacking group using zero-day vulnerabilities. Instead, the group strategically uses publicly available administration tools such as PowerShell, PsExec, and bitsadmin, which makes attribution difficult.
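The template injection technique attributed to Phishery above works by pointing a Word document's attached template at a remote URL, so that Word fetches it (and prompts for credentials) when the file is opened. The following is an added defender-side check, not code from this article, from Symantec or from Phishery: it inspects a .docx for an attached-template relationship whose target is a remote http(s) URL, which a mail gateway or sandbox can flag before delivery. The sample documents are constructed in memory and the hostname is a placeholder.

```python
import io
import zipfile
from typing import Optional
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Relationship type Word uses to reference a .dotx/.dotm attached template.
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/settings.xml.rels"


def remote_template_targets(docx_bytes: bytes) -> list:
    """Return attached-template targets that point at a remote http/https host.

    Local templates (file:// paths, e.g. Normal.dotm) are also External, so only
    remote URL schemes are reported; an empty list means nothing suspicious.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return found
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(REL_NS + "Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if urlsplit(target).scheme.lower() in ("http", "https"):
                found.append(target)
    return found


def build_docx(rels_xml: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (a constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if rels_xml is not None:
            z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


_RELS_HEAD = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
# Constructed sample: attached template fetched from a remote host (placeholder name).
SUSPICIOUS_RELS = (_RELS_HEAD + '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE
                   + '" Target="http://template-host.example/t.dotx" TargetMode="External"/></Relationships>')
# Constructed sample: the ordinary local Normal.dotm reference, which must not be flagged.
BENIGN_RELS = (_RELS_HEAD + '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE
               + '" Target="file:///C:/Users/user/Templates/Normal.dotm" TargetMode="External"/></Relationships>')
```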
"The Dragonfly 2.0 campaign shows how attackers may be entering a new phase, with recent campaigns potentially giving them access to operational systems, access that could be more disruptive in the future," says Symantec.
Cyber attacks on power grids are nothing new. Energy companies in Ukraine were attacked by hackers on two separate occasions, at the end of 2015 and the end of 2016; the attacks caused power outages in several regions of Ukraine, leaving tens of thousands of citizens without electricity around midnight.
In addition, nuclear facilities in the United States, including the Wolf Creek Nuclear Corporation, were attacked by a known Russian group in July this year, but fortunately there is no evidence that the hackers were able to access the operational systems.