When news first broke in June 2014 about the Dragonfly malware campaign, reports indicated that the targets were energy utility facilities. Further research into the malware, however, suggests that it is primarily focused on the pharmaceutical industry. The implication is that discrete manufacturers, and not just critical infrastructure operators, need to factor advanced attacks into their industrial control system (ICS) risk assessments.
Reports about the Dragonfly campaign indicate that multiple pieces of malware have been detected, several of them Remote Access Tools (RATs). One of these is known as the Havex RAT, also referenced as Backdoor.Oldrea or the Energetic Bear RAT. It harvests Outlook address books and the configuration files of ICS remote-access software, which describe how the infected computer reaches other industrial systems. Some variants specifically scan for OPC servers.
Another malware component is known as Karagany. This malware allows attackers to upload and download files from the infected computer and run executable files. It also has advanced features for collecting passwords, taking screenshots and cataloguing documents.
A worrying aspect of the Havex RAT is the number of variants that have been discovered: 88 so far, and more may be out there. The malware reports information, such as which devices exist on the local area network (LAN), back to nearly 150 command and control servers. This type of reconnaissance is known as "ICS sniffing" and could be used to map networks for future industrial espionage campaigns or operational sabotage.
Thus far, Dragonfly has not sabotaged any ICS, but the intelligence it has collected and the persistent access it has established could enable sabotage in the future.
Eric Byres, CTO of Tofino Security and Belden’s industrial cyber security expert, said, “The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft, likely for the purpose of counterfeiting. CIOs and other executives need to know about this attack and be assured that there are techniques and products available to defend against it.”
Protecting Your Systems
The first step in protecting your automation systems against the Dragonfly family of malware is to understand how it enters an industrial automation network. Three attack vectors have been identified:
- Spear Phishing Email. Executives and senior employees were targeted with malicious PDF attachments in the February-June 2013 timeframe.
- Watering Hole Attack. Websites likely to be visited by people working in the energy sector were compromised so that visitors were redirected to another compromised, but otherwise legitimate, website hosting an exploit kit. The exploit kit installs the RAT. This method of distribution began in June 2013.
- Trojanized Software Downloads. Three ICS vendors' software downloads were compromised so that the installers also carried the RAT. The companies are eWON, MB Connect Line and Mesa Imaging. These compromises occurred in June-July 2013 and in January 2014. All three companies offer products and services commonly used by the pharmaceutical industry.
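The third vector, a legitimate installer replaced on the vendor's site, is the one a plant engineer can check for before running anything. The script below is an added example, not Belden's code or any vendor's tooling: it hashes a downloaded installer and compares the result with a manifest of expected SHA-256 values obtained through a channel other than the download site (signed release notes, a vendor email, a second mirror). The file names, the "clean" and "trojanized" installer bytes and the manifest are all constructed for the demonstration; the one hard-coded hash is the standard SHA-256 of the bytes `abc`.

```python
"""Verify an ICS vendor installer against an out-of-band hash manifest.

Added example. If the download site itself is compromised, a hash published on
that same site is worthless, so the manifest must come from a separate channel.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed manifest: file name -> expected SHA-256 (hex).
# "ewon_setup.exe" is a hypothetical file name; the hash is SHA-256(b"abc").
MANIFEST = {
    "ewon_setup.exe": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

# Constructed stand-ins for installer contents (the real files are megabytes).
CLEAN_INSTALLER = b"abc"
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"<appended RAT dropper>"


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file's SHA-256 equals the expected value from the manifest."""
    actual = sha256_file(path)
    # compare_digest is the idiomatic equality primitive for digests; it also
    # refuses to compare strings of different length by accident.
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


def check_against_manifest(path: str, manifest: dict) -> str:
    """Classify a download as 'ok', 'mismatch' or 'unlisted'.

    'unlisted' is treated as a refusal: an installer the manifest does not
    cover should not be run just because no hash disagrees with it.
    """
    name = os.path.basename(path)
    if name not in manifest:
        return "unlisted"
    return "ok" if verify_download(path, manifest[name]) else "mismatch"


def demo() -> dict:
    """Write the constructed installers to a temp dir and check each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "ewon_setup.exe")
        with open(clean, "wb") as fh:
            fh.write(CLEAN_INSTALLER)
        results["clean"] = check_against_manifest(clean, MANIFEST)

        # Same file name as the vendor's release, but the bytes were swapped.
        trojan_dir = os.path.join(tmp, "swapped")
        os.mkdir(trojan_dir)
        trojanized = os.path.join(trojan_dir, "ewon_setup.exe")
        with open(trojanized, "wb") as fh:
            fh.write(TROJANIZED_INSTALLER)
        results["trojanized"] = check_against_manifest(trojanized, MANIFEST)

        # A download the manifest never listed.
        unknown = os.path.join(tmp, "mystery_update.exe")
        with open(unknown, "wb") as fh:
            fh.write(CLEAN_INSTALLER)
        results["unknown"] = check_against_manifest(unknown, MANIFEST)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Where the vendor signs its installers, checking the Authenticode signature and the signing certificate's subject is a stronger test than a bare hash, because it binds the file to the vendor rather than to a value you had to fetch separately; the hash check above is the fallback for unsigned downloads and for vendors that publish only digests.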
While Dragonfly has been an information stealer to date, its targeting of data about ICS devices is worrying. Consider Stuxnet, which penetrated its target systems and collected data about them for years before it went on to disrupt centrifuge operations. Whether the end goal is the theft of proprietary information or to cause downtime, the costs to the victims are high.
"Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations,” said Byres. “Post Dragonfly, it is important that manufacturing companies secure core ICS through up-to-date best practice policies and industrially focused security technologies. We know now that Stuxnet remained hidden in target networks for years; by the time worms like this do damage or steal trade secrets, it is too late to defend against them.”
Dragonfly White Paper Series
Based on our current knowledge of this threat, we are confident that no Belden products are at risk and that no Belden software downloads have been infected.
To help industry stay on top of this threat, we are creating a four-part series of white papers titled "Defending Against the Dragonfly Cyber Security Attacks". The four parts are:
Parts A and B are available now. For information on the availability of the other parts, visit "Defending Against the Dragonfly Cyber Security Attacks".