Symantec has published a report on new cyberattacks targeting the energy sector in Europe and North America.
# Incident Report: Dragonfly 2.0 Campaigns Targeting Western Energy Sectors
## Executive Summary
A sophisticated cyber-espionage campaign, attributed to the "Dragonfly" (or Energetic Bear) group, targeted energy sector organizations across Europe and North America to gain strategic access to operational systems. The attackers utilized a multi-stage approach involving spear-phishing and "watering hole" attacks to harvest credentials and install backdoors. This campaign resulted in the compromise of several power grid operators, potentially providing the threat actors with the capability to disrupt energy supplies.
## Incident Details
- **Discovery Date:** Early 2017 (Symantec report published September 6, 2017)
- **Incident Date:** Late 2015 – 2017 (Increased activity observed starting 2017)
- **Affected Organization:** Multiple undisclosed entities including power grid operators and generation facilities.
- **Sector:** Energy (Oil, Gas, and Electricity)
- **Geography:** USA, Switzerland, Turkey, and various European nations.
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing late 2015, accelerating in 2017.
- **Vector:** Spear-phishing, Watering Hole attacks, and Trojanized software.
- **Details:** Attackers sent energy-themed emails (e.g., "New Year’s Eve Party") with malicious attachments or links. They also compromised industry-specific websites to redirect users to malicious servers.
### Lateral Movement
- Once inside, the attackers used valid credentials stolen via SMB credential harvesting to move across the network. They utilized native Windows tools (Living off the Land) to minimize their footprint.
### Data Exfiltration/Impact
- The primary impact was the theft of technical documentation, network maps, and credentials from ICS (Industrial Control Systems) environments. Screen captures were taken of HMI (Human Machine Interface) consoles, indicating the reconnaissance of operational controls.
### Detection & Response
- **How it was discovered:** Symantec identified a spike in activity involving known Dragonfly toolsets (Dorsshel and Karagany).
- **Response actions taken:** Victim notification by security researchers and government agencies; revocation of compromised credentials; removal of backdoors.
## Attack Methodology
- **Initial Access:** Spear-phishing emails and "Watering Hole" compromises of industry websites.
- **Persistence:** Installation of the "Karagany" trojan and custom backdoors via scheduled tasks.
- **Privilege Escalation:** Use of Mimikatz and similar tools to extract administrator passwords.
- **Defense Evasion:** Use of legitimate "living off the land" tools (PowerShell, PsExec) and clearing system logs.
- **Credential Access:** SMB credential harvesting (forcing authentication to remote servers) and memory scraping.
- **Discovery:** Scanning for industrial equipment and internal network mapping using built-in commands.
- **Lateral Movement:** Utilizing stolen credentials via RDP (Remote Desktop Protocol) and PsExec.
- **Collection:** Automated screen captures of ICS control panels and file staging.
- **Exfiltration:** Data sent via encrypted channels to various C2 (Command and Control) servers.
- **Impact:** Strategic positioning for potential sabotage; loss of intellectual property and network integrity.
## Impact Assessment
- **Financial:** Significant costs associated with forensic investigations and network remediation.
- **Data Breach:** Compromise of proprietary technical diagrams and employee credentials.
- **Operational:** High potential for disruption; though no blackouts were reported during this phase, attackers demonstrated the ability to manipulate switches.
- **Reputational:** Undermined public confidence in critical infrastructure security.
## Indicators of Compromise
- **Network indicators:**
  - Connections to hxxp://ttest.co[.]nz/ (C2)
  - Connections to hxxp://31.184.198[.]23/ (C2)
- **File indicators:**
  - Karagany Trojan (various hashes)
  - Dorsshel Backdoor (various hashes)
- **Behavioral indicators:**
  - Unexpected SMB requests to external IPs.
  - Multiple failed login attempts followed by a successful login from an unusual workstation.
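The two behavioral indicators above translate directly into detection logic. The following is an added example, not part of the Symantec report or this write-up: it runs both checks over constructed, simplified firewall and authentication log lines. The log field layout, the per-account baseline of usual workstations, the failure threshold, and the internal address ranges are all assumptions; the external addresses are documentation (TEST-NET) placeholders, not real indicators.

```python
"""Detection logic for the two behavioural indicators listed above.

Added example, not code from the original report. Log lines are constructed
and simplified; field layout, thresholds and the baseline of usual
workstations are assumptions about the monitored environment.
"""
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918). Defined explicitly rather than via
# ip_address().is_private because that flag also covers documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log: timestamp, src_ip, dst_ip, dst_port, action.
# External IPs are TEST-NET placeholders, not real indicators.
FIREWALL_LOG = [
    "2017-06-01T09:00:01 10.1.2.15 10.1.2.50 445 ALLOW",      # internal file share
    "2017-06-01T09:00:05 10.1.2.15 203.0.113.77 445 ALLOW",   # outbound SMB to external host
    "2017-06-01T09:01:10 10.1.2.22 198.51.100.9 443 ALLOW",   # ordinary HTTPS
    "2017-06-01T09:02:30 10.1.3.8 192.0.2.40 445 DENY",       # blocked, but the attempt matters
]

# Constructed authentication log: timestamp, user, workstation, outcome.
AUTH_LOG = [
    "2017-06-01T09:10:00 jdoe WS-ENG-01 FAIL",
    "2017-06-01T09:10:02 jdoe WS-ENG-01 FAIL",
    "2017-06-01T09:10:04 jdoe WS-ENG-01 SUCCESS",     # usual host: no alert
    "2017-06-01T09:20:00 opsadmin WS-HR-07 FAIL",
    "2017-06-01T09:20:03 opsadmin WS-HR-07 FAIL",
    "2017-06-01T09:20:05 opsadmin WS-HR-07 FAIL",
    "2017-06-01T09:20:09 opsadmin WS-HR-07 SUCCESS",  # unusual host after 3 failures
]

# Assumed baseline: workstations each account normally authenticates from.
USUAL_WORKSTATIONS = {
    "jdoe": {"WS-ENG-01"},
    "opsadmin": {"WS-OPS-01", "WS-OPS-02"},
}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_external_smb(lines):
    """Indicator 1: SMB (TCP 445) from an internal host to a non-internal IP.

    Denied attempts are reported alongside allowed ones: a host trying to
    authenticate outward over SMB is the signal, whether or not it got through.
    """
    hits = []
    for line in lines:
        ts, src, dst, port, action = line.split()
        if port == "445" and is_internal(src) and not is_internal(dst):
            hits.append({"time": ts, "src": src, "dst": dst, "action": action})
    return hits


def detect_failed_then_success(lines, threshold=2):
    """Indicator 2: at least `threshold` failures, then a success from an unusual workstation.

    Failures are counted per (user, workstation) and reset on success, so a
    few typos from the user's own machine produce no alert.
    """
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ts, user, host, outcome = line.split()
        key = (user, host)
        if outcome == "FAIL":
            failures[key] += 1
        elif outcome == "SUCCESS":
            usual = USUAL_WORKSTATIONS.get(user, set())
            if failures[key] >= threshold and host not in usual:
                alerts.append({"time": ts, "user": user, "host": host,
                               "failures": failures[key]})
            failures[key] = 0
    return alerts


if __name__ == "__main__":
    for hit in detect_external_smb(FIREWALL_LOG):
        print("external SMB:", hit)
    for alert in detect_failed_then_success(AUTH_LOG):
        print("suspicious login:", alert)
```

Run against the constructed logs, the first check reports two outbound SMB attempts (one allowed, one denied) and the second reports only the `opsadmin` login from `WS-HR-07`; the `jdoe` sequence is suppressed because the success came from that account's usual workstation.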
## Response Actions
- **Containment:** Disabling compromised accounts and isolating infected machines from the local network.
- **Eradication:** Removing malicious services and scheduled tasks associated with Karagany/Dorsshel.
- **Recovery:** Restoring systems from clean backups and implementing mandatory password resets across the organization.
## Lessons Learned
- **Visibility is Key:** Organizations lacked sufficient visibility into the transition points between IT and OT (Operational Technology) networks.
- **Credential Hygiene:** Relying solely on passwords allowed the attackers to move laterally with ease.
- **Third-Party Risk:** The use of "watering holes" on industry sites showed that even trusted resources can be vectors.
## Recommendations
- Implement Multi-Factor Authentication (MFA) for all remote access and administrative accounts.
- Deploy SMB signing and block outbound SMB (TCP port 445) at the network perimeter.
- Segment IT and OT networks strictly, using "jump boxes" or data diodes.
- Monitor for the use of unauthorized administrative tools (e.g., PsExec) within the environment.
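The last recommendation can be implemented from the Windows System log: PsExec installs a service on the target host, which produces Event ID 7045 ("A service was installed in the system"). The following is an added example, not part of the Symantec report or this write-up. The event records are constructed `key=value` flattenings of 7045 events (real events are EVTX/XML, so this layout is an assumption about how a SIEM would render them), and the allowlist of accounts authorized to use remote administration tooling is also an assumption.

```python
"""Monitoring for unauthorised remote-administration tooling (PsExec) via
Windows System log Event ID 7045.

Added example, not code from the original report. Event records are
constructed, flattened key=value renderings; the authorised-account
allowlist is an assumption about the environment. Values contain no spaces.
"""
import re

# Constructed System log records. 7045 = service installed; 7036 = state change.
SYSTEM_EVENTS = [
    "2017-06-01T10:00:00 host=HMI-SRV-02 eventid=7045 user=CORP\\svc_patching service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe",
    "2017-06-01T10:05:12 host=HIST-01 eventid=7045 user=CORP\\jdoe service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe",
    "2017-06-01T10:07:44 host=ENG-WS-05 eventid=7045 user=CORP\\jdoe service=UpdaterSvc image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\psexesvc.exe",
    "2017-06-01T10:09:00 host=ENG-WS-05 eventid=7036 user=SYSTEM service=Spooler image=C:\\Windows\\System32\\spoolsv.exe",
    "2017-06-01T10:15:30 host=DC-01 eventid=7045 user=CORP\\svc_patching service=VendorUpd image=C:\\Vendor\\updater.exe",
]

# Assumption: only this account is permitted to run remote-admin tooling.
AUTHORIZED_ADMIN_ACCOUNTS = {"CORP\\svc_patching"}

# PsExec's default service and binary name; a renamed service still carries
# the binary name unless the operator also renamed the executable.
PSEXEC_MARKERS = re.compile(r"psexesvc", re.IGNORECASE)

# Service binaries living in user-writable locations are suspicious regardless
# of name; this catches tooling that was renamed to evade the marker above.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)


def parse_event(line):
    """Split '<timestamp> key=value key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["time"] = ts
    return fields


def evaluate_service_install(ev):
    """Return the reasons to alert on one event; empty list if benign or not 7045."""
    if ev.get("eventid") != "7045":
        return []
    reasons = []
    looks_like_psexec = bool(PSEXEC_MARKERS.search(ev["service"])
                             or PSEXEC_MARKERS.search(ev["image"]))
    if looks_like_psexec and ev["user"] not in AUTHORIZED_ADMIN_ACCOUNTS:
        reasons.append("PsExec service installed by non-authorised account")
    if USER_WRITABLE.search(ev["image"]):
        reasons.append("service binary in user-writable path")
    return reasons


def scan_system_log(lines):
    """Evaluate every record and collect the ones that warrant an alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = evaluate_service_install(ev)
        if reasons:
            alerts.append({"time": ev["time"], "host": ev["host"],
                           "user": ev["user"], "service": ev["service"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_system_log(SYSTEM_EVENTS):
        print(alert)
```

On the constructed records the authorized patching account's PsExec use on `HMI-SRV-02` is accepted, the same service installed by `CORP\jdoe` on `HIST-01` is flagged, and the renamed service on `ENG-WS-05` is flagged twice: once for the PsExec binary name in its image path and once for running from a `Temp` directory.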