Recently, a Russian group of hackers known as 'Energetic Bear' has compromised over 1,000 European and North American energy firms with a sophisticated cyber weapon, similar to Stuxnet, that gave the hackers access to power plant control systems, a security firm said.
The group, also known as 'Dragonfly', is an Eastern European collective that has been active since at least 2011 and has, since 2013, been using phishing sites and Trojans to target energy supplier organizations in the US and several other countries.
"Its primary goal appears to be espionage," claimed Symantec. The group appears to have the resources, size and organization that strongly suggest government involvement in the malware campaign, the firm said.
According to the blog post published yesterday by security firm Symantec, the Dragonfly group mainly targeted petroleum pipeline operators, electricity generation firms and other Industrial Control Systems (ICS) equipment providers for the energy sector in several countries.
Since 2013, Dragonfly has been targeting organizations that use Industrial Control Systems (ICS) to manage electrical, water, oil, gas and data systems. The campaign spanned 18 months and affected almost 84 countries, although most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

"Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013," reads the blog post. "Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability."

Dragonfly used several techniques to deliver a Remote Access Trojan (RAT) into industrial software in order to gain access to computer systems, including attaching malware to emails, websites and third-party programs, giving it "the capability to mount sabotage operations that could have disrupted energy supplies across a number of European countries".

"The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes," Symantec said in a blog post. "If they had used the sabotage capabilities open to them, (they) could have caused damage or disruption to energy supplies in affected countries."
Dragonfly used two main malware tools, the firm said. The first is Backdoor.Oldrea, which is used to gather system information, including the computer's Outlook address book and a list of installed files and programs. The second is Trojan.Karagany, which is used to upload stolen data and to download new files and run them on infected computers.
The Oldrea backdoor is also known as Havex. In short, both the Oldrea and Karagany malware families allow cyber criminals to gain backdoor access to the infected systems, to exfiltrate confidential data, and to download and install additional malware on those systems.
The first powerful piece of malware of this kind is the famous Stuxnet worm, which made international headlines in 2010 and was designed to sabotage the Iranian nuclear project. It specifically targeted a uranium enrichment facility, making the centrifuges spin out of control and causing physical damage to the plant in Natanz, Iran; it successfully disabled 1,000 centrifuges that the Iranians were using to enrich uranium.