Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
Dragonfly: Western Energy Companies Under Sabotage Threat 1
Dragonfly: Energy Companies Under Sabotage Threat
Symantec Security Response
What is Dragonfly?
• Ongoing cyberespionage campaign
• Targeting the energy sector in Europe and US
• Stealing information
• Capable of sabotage
Dragonfly: Western Energy Companies Under Sabotage Threat 2
Targets
• Electricity infrastructure
• Electricity generation
• Industrial equipment providers
• Petroleum pipeline operators
Dragonfly: Western Energy Companies Under Sabotage Threat 3
Target Locations
Dragonfly: Western Energy Companies Under Sabotage Threat 4
The Dragonfly group
• In operation since at least 2011
• Initially targeted defense and aviation companies in the US and Canada
• Shifted focus to US and European energy firms in early 2013
• Priorities appear to be:
– Persistent access to targets
– Information stealing
– Sabotage
• Has the hallmarks of state sponsored operation
• Appear to be operating in the UTC +4 time zone
Dragonfly: Western Energy Companies Under Sabotage Threat 5
Dragonfly employs three attack vectors
• Spam emails
• Watering hole attacks
• Compromising third party software
Dragonfly: Western Energy Companies Under Sabotage Threat 6
Spam campaign
• Generic spam emails sent to senior employees and engineers
• Began in February 2013 and continued into June 2013
• Emails bore one of two subject lines: “The account” or “Settlement of delivery problem”.
• Email disguised malware as PDF attachment
Dragonfly: Western Energy Companies Under Sabotage Threat 7
Watering hole attacks
• Group compromised legitimate websites related to energy sector
• Began in May 2013 and continued into April 2014
• Attacks redirected website visitors to other compromised legitimate websites hosting Lightsout Exploit Kit
• These sites dropped malware on to the victim’s computer.
Dragonfly: Western Energy Companies Under Sabotage Threat 8
Compromising third party software
• Three ICS equipment providers targeted
• Malware inserted into the software bundles they had made available for download on their websites
• Victims inadvertently downloaded “Trojanized” software when applying software updates
• By targeting suppliers, attackers found “soft underbelly” that provided a path into bigger companies
Dragonfly: Western Energy Companies Under Sabotage Threat 9
Timeline of recent attacks
Dragonfly: Western Energy Companies Under Sabotage Threat 10
1 January, 2013 31 August, 2014
Feb 13 Mar 13 Apr 13 May 13 Jun 13 Jul 13 Aug 13 Sep 13 Oct 13 Nov 13 Dec 13 Jan 14 Feb 14 Mar 14 Apr 14 May 14 Jun 14 Jul 14 Aug 14
September 1, 2013
DF group start using Hello EK (Lightsout v2)
February 11, 2013 - June 19, 2013
Spam campaign
May 13 - Apr 14
Watering-hole AttackMultiple energy related web sites
compromised redirecting users to LOEK
January 20, 2014 - January 30, 2014
Company B compromised and software trojanized250 unique downloads
June 2013 - July 2013
Company A Compromised and software trojanized
16 Apr, 2014 - 30 Apr, 2014
Company C compromised Software Trojanized
Tools: Backdoor.Oldrea
• Remote access tool (RAT) type malware
• Custom malware, either written by the group itself or created for it
• Favoured tool: used in majority of attacks
• Acts as back door for attackers allowing them to extract data and install further malware
• Also known as Havex
Dragonfly: Western Energy Companies Under Sabotage Threat 11
Tools: Trojan.Karagany
• Was available on the underground market.
• Source code leaked in 2010
• Dragonfly appear to have modified it for its own use
• Capable of uploading stolen data, downloading new files and running executable files
• Can run plugins, for collecting passwords, taking screenshots, and cataloging documents on infected computers.
Dragonfly: Western Energy Companies Under Sabotage Threat 12
Protection
• Symantec customers are protected from malware variants mentioned in this report. Detections are made by Symantec products using antivirus, Insight and behavioral technologies such as SONAR
• Symantec customers are protected from any attack using the exploits mentioned in this report when using Symantec products containing network threat protection/IPS technologies
• Details on Symantec’s protection technologies can be found here: http://www.symantec.com/page.jsp?id=star
Dragonfly: Western Energy Companies Under Sabotage Threat 13
Summary
• Dragonfly is an ongoing threat
• Currently targeting energy sector in Europe and US
• Other sectors not immune, may be used as stepping stone
• Attacker capabilities
– persistent access to networks
– Information stealing
– Sabotage
• Well resourced with a range of technical capabilities
• Likely to be state-sponsored
Presentation Identifier Goes Here 14
More Resources
Blog http://www.symantec.com/connect/symantec-blogs/sr
Twitter http://twitter.com/threatintel
Whitepapers http://www.symantec.com/security_response/whitepapers.jsp
Dragonfly: Western Energy Companies Under Sabotage Threat 15
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Dragonfly: Western Energy Companies Under Sabotage Threat 16