Energy providers hacked through malicious software updates

Symantec says the Dragonfly campaign, originating in Eastern Europe, sought to gain persistent access to energy suppliers

Eastern European-based attackers gained access to the networks of energy providers by tampering with software updates for industrial control systems, gaining a foothold that could be used for sabotage, Symantec said Monday.

The Dragonfly group, which appears to operate from Eastern Europe, compromised three ICS vendors, adding a piece of remote access malware to legitimate software updates, the security vendor wrote in a blog post Monday.

"Given the size of some of its targets, the group found a 'soft underbelly' by compromising their suppliers, which are invariably smaller, less protected companies," Symantec wrote.

The companies unwittingly installed the malware by downloading the software updates from the ICS vendors. Symantec did not identify the vendors, but said it had notified the victims and various computer emergency response centers.

Those affected were energy grid operators, electricity generators and petroleum pipeline operators, with the majority of them in the U.S., Spain, France, Italy, Germany, Turkey and Poland, Symantec wrote.

On Friday, an agency that is part of the U.S. Department of Homeland Security (DHS) issued an advisory on the attacks based on information it received from Symantec and the Finnish security company F-Secure.

The software updates from the three ICS vendors contained Havex, a remote access Trojan that can upload other malware to systems, according to the advisory, published by DHS's Industrial Control Systems Emergency Response Team (ICS-CERT).

Havex, which is also known as Backdoor.Oldrea or Energetic Bear, also gathers a variety of network system information and uploads it to command-and-control servers controlled by the attackers.

Symantec identified a product that provided VPN (virtual-private-network) access to PLC (programmable-logic-controller) devices from one ICS vendor that had been modified by Dragonfly.

The group also modified a driver contained within a software package from a European manufacturer of PLC devices. The modified software was available for download for at least six weeks between June and July 2013, Symantec wrote.

A third European company that develops software for managing wind turbines and bio-gas plants also hosted compromised software for 10 days in April 2014, the vendor wrote.

The Dragonfly group has been around since at least 2011. At that time, it targeted defense and aviation companies in the U.S. and Canada before shifting its attacks to energy companies in the same countries in early 2013, Symantec wrote.

It likened Dragonfly's campaign to that of Stuxnet, which was a stealthy malware attack believed to have been conceived by the U.S. and Israel that destroyed centrifuges used by Iran to refine uranium.

"While Stuxnet was narrowly targeted at the Iranian nuclear program and has sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."

Based on timestamps showing when the malware was compiled, it appears the attackers worked 9 a.m. to 6 p.m. Monday through Friday shifts in a time zone that places them in Eastern Europe, Symantec said.

Security analysts have said that such regular working patterns often indicate that a country may be sponsoring or sanctioning such attacks.

"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," Symantec wrote.

Tampering with software updates is perhaps the most clever of Dragonfly's attacks, but the group also used a variety of other methods to compromise individuals close to the companies they targeted.

Those methods included sending spam emails with malicious PDF attachments and so-called "watering hole" attacks, where spam emails with malicious links aim to lead people to websites that probe computers for software vulnerabilities.

Dragonfly employed two exploit kits, called "Lightsout" and "Hello," which are hacking platforms planted on legitimate websites that try to deliver malware to computers that visit the site, Symantec wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwaresymantecf-secureExploits / vulnerabilitiesICS-CERT

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?