Dragonfly Malware Targets ICS Systems
The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Since that shock, we have seen advanced malware, such as Flame and Duqu, target energy companies for espionage purposes. We have also seen the unsophisticated, but highly effective, Shamoon malware massively infiltrate Saudi Aramco.
Today, I want to let you know about a new malware, coined as coming from the “Dragonfly hacking group” by Symantec. It indicates a modus operandi on the level of Stuxnet in terms of technical brilliance and strategic execution.
Aimed at energy companies, it has at least three different attack mechanisms, including taking over the software download sites at trusted ICS/SCADA suppliers. The download packages look legitimate (since they come from trusted suppliers), but when the unsuspecting user installs them on their control system, the malware comes to life.
What does this have to do with everyday ICS and SCADA security? It is yet another example of targeted attacks on organizations in the energy sector. If you are in the energy sector, or your business relies on it, you may need to factor this type of cyber threat into your security risk assessments.
Let’s take a look at Dragonfly in more detail and see what we can learn from it.
RATs (Remote Access Tools) are key components of the Dragonfly malware.
Is it a RAT, a Dragonfly or both?
On June 23, 2014, Finnish security firm F-Secure published a blog article on a new family of malware used in targeted attacks against industry sectors. This was shortly followed on June 30, when Symantec published a white paper and a blog article disclosing the Dragonfly threat to a broad audience [1]. Their documentation indicates that the threat consists of two pieces of malware, both of which are Remote Access Tools, or RATs. (Don’t you love that acronym?)
The first one is primarily known as the Havex RAT, though it has also been referenced as Backdoor.Oldrea or the Energetic Bear RAT in various reports [2]. This malware extracts data from Outlook address books and from ICS-related software files used for remote access from the infected computer to other industrial systems. Some of the variants specifically look for OPC servers.
A scary aspect of Havex is that many variants (88) have been discovered, and more may be out there or continue to be released. This malware reports information, such as the existence of devices on the local area network (LAN), back to a large number (146) of Command and Control (C&C) servers. This is known as “ICS sniffing” and could serve to document networks for future attacks.
The other piece of malware is known as Karagany (Symantec’s Trojan.Karagany). Karagany allows attackers to upload and download files from the infected computer and run executable files. It also has advanced features for collecting passwords, taking screenshots and cataloguing documents.
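The “ICS sniffing” behaviour described above leaves a network footprint a defender can look for: one workstation that suddenly reaches out to many LAN peers on the port OPC Classic enumeration relies on. The script below is an added illustration, not code from the Belden post or from any of the cited reports. It assumes OPC Classic discovery rides on the DCOM/RPC endpoint mapper (TCP 135), a simple “timestamp src dst dport” connection-log format, and a fan-out threshold of 10 distinct peers per minute; all three are assumptions to tune per site, and the log lines are constructed.

```python
"""Flag hosts fanning out to many LAN peers on TCP 135 (DCOM/RPC endpoint mapper),
the port OPC Classic enumeration depends on. Added example; thresholds, log format
and sample traffic are assumptions/constructed, not data from the Belden post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real traffic): "timestamp src dst dport".
# 10.1.2.50 touches 12 distinct peers on 135 within 11 seconds (sniffing pattern);
# 10.1.2.60 and 10.1.2.70 show ordinary, single-peer traffic.
SAMPLE_LOG = """\
2014-06-23T10:00:01 10.1.2.50 10.1.2.10 135
2014-06-23T10:00:02 10.1.2.50 10.1.2.11 135
2014-06-23T10:00:03 10.1.2.50 10.1.2.12 135
2014-06-23T10:00:04 10.1.2.50 10.1.2.13 135
2014-06-23T10:00:05 10.1.2.50 10.1.2.14 135
2014-06-23T10:00:06 10.1.2.50 10.1.2.15 135
2014-06-23T10:00:07 10.1.2.50 10.1.2.16 135
2014-06-23T10:00:08 10.1.2.50 10.1.2.17 135
2014-06-23T10:00:09 10.1.2.50 10.1.2.18 135
2014-06-23T10:00:10 10.1.2.50 10.1.2.19 135
2014-06-23T10:00:11 10.1.2.50 10.1.2.20 135
2014-06-23T10:00:12 10.1.2.50 10.1.2.21 135
2014-06-23T10:05:00 10.1.2.60 10.1.2.10 135
2014-06-23T10:05:30 10.1.2.60 10.1.2.10 502
2014-06-23T11:00:00 10.1.2.70 10.1.2.10 443
"""

DCOM_PORT = 135                    # assumption: OPC Classic enumeration starts here
WINDOW = timedelta(seconds=60)     # assumption: sliding window length
FANOUT_THRESHOLD = 10              # assumption: distinct peers per window that is abnormal


def parse_line(line):
    """Split one constructed log line into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(log_text, port=DCOM_PORT, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: max_distinct_peers} for every source that reached at least
    `threshold` distinct destinations on `port` inside any `window`-long period."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    alerts = {}
    for src, hits in events.items():
        hits.sort()                       # time order for the sliding window
        peers = defaultdict(int)          # dst -> hits still inside the window
        start = 0
        for ts, dst in hits:
            peers[dst] += 1
            # Drop events that fell out of the window behind the current one.
            while ts - hits[start][0] > window:
                old_dst = hits[start][1]
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
                start += 1
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible ICS sniffing: {src} reached {count} peers on TCP {DCOM_PORT}")
```

Run as-is it reports only 10.1.2.50; the legitimate single-peer OPC client 10.1.2.60 stays quiet. In practice you would feed it firewall or flow logs from the control network rather than the constructed sample, and a host tripping the rule should be isolated and examined for the Havex components described above.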
How Does the Malware Get into Industrial Automation Systems?
Proving again that there are multiple pathways to control systems, the Dragonfly malware was distributed using three attack vectors:
1. Email Campaign – Executives and senior employees were targeted with malicious PDF attachments in February-June 2013.
2. Watering Hole Attack – Websites likely to be visited by people working in the energy sector were infected such that they redirected the site visitor to another compromised legitimate website hosting an exploit kit. The exploit kit then installs the RAT. This method of distribution began in June 2013.
3. Software Downloaded From ICS-Related Vendors – At least three ICS vendors’ software downloads were hacked so that they included the RAT malware. This occurred in June-July 2013 and in January 2014. Surprisingly, the companies were not identified by US-CERT [3] or Symantec; however, a report released by Kaspersky Labs specifically names the vendors and affected products.
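The third vector is the one a controls engineer can most directly guard against: a trojanised installer from a compromised vendor site is indistinguishable from the real thing until its integrity is checked against something the attacker did not control. The script below is an added example, not Belden’s or any vendor’s code. It assumes the vendor publishes a sha256sum-style manifest that you obtain out of band (signed release notes, a phone call, a second channel), and the file names, contents and hashes in the demo are constructed.

```python
"""Verify downloaded ICS installers against a hash manifest obtained out of band
before they go anywhere near a control system. Added example, not from the Belden
post; manifest format, file names and contents are constructed assumptions."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256  filename' lines (sha256sum format) into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def verify_downloads(download_dir, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'unlisted' | 'missing'}.
    Files the manifest does not list are reported as 'unlisted', never silently
    trusted: a package that 'came from the vendor' is exactly what Dragonfly abused."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name in sorted(os.listdir(download_dir)):
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            continue
        if name not in expected:
            results[name] = "unlisted"
            continue
        actual = sha256_of_file(path)
        # compare_digest avoids a timing side channel; harmless here, good habit anyway
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"
    for name in expected:
        results.setdefault(name, "missing")  # listed by the vendor but not downloaded
    return results


def demo():
    """Build a throwaway download folder with constructed files and check it."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed installer bytes"
        tampered = good + b"\x00constructed extra payload"  # stands in for a trojanised copy
        files = {"setup_a.exe": good, "setup_b.exe": tampered, "unknown.exe": b"x"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        good_digest = hashlib.sha256(good).hexdigest()
        manifest = "\n".join([
            "# constructed vendor manifest, assumed to be obtained out of band",
            f"{good_digest}  setup_a.exe",
            f"{good_digest}  setup_b.exe",
            f"{hashlib.sha256(b'not downloaded').hexdigest()}  setup_c.exe",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Anything other than “ok” is a stop condition for the installation. The check is only as good as the channel the manifest came from: a hash published on the same compromised download page proves nothing, which is why the lead-in insists on an out-of-band copy.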
Belden’s Industrial Networking Products Are Not Affected
Based on our current knowledge of this threat, we are confident that no Belden products are at risk. We are also in the process of reviewing all possible sources of Belden software downloads to make sure that infected software is not in circulation.
The Dragonfly malware targeted energy companies, and did “ICS Sniffing.” This meant that it collected information on ICS/SCADA equipment and networks, presumably for future sabotage.
What Damage Did Dragonfly Do?
Dragonfly has not sabotaged any ICS systems to date, but the intelligence it has collected and the persistent access it has set up may lead to sabotage in the future.
“There has been no proof that any sabotage capabilities were used by the Dragonfly group to date, but capabilities may exist in the toolkits employed, representing possibly the scariest part of the story, as they could potentially open doors to dramatic scenarios.
“Was the stealing of industrial information from energy companies only the first step of a destructive cyberwarfare campaign?”
- Security Matters White Paper “Cyber espionage campaign hits energy companies”
The energy companies targeted are located in the U.S. and Western Europe and include electricity generation companies, electricity grid operators, petroleum pipeline operators, plus industrial system and equipment providers.
Who Created It?
It is believed that the Dragonfly group is based in Eastern Europe, and that it is possibly being directed by Russia with state sponsorship involved.
“Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.”
“The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.”
What Does Dragonfly Mean for Controls Engineers?
While Dragonfly has only been an information stealer to date, its targeting of data about ICS devices is worrying. Just take the case of Stuxnet, where it penetrated systems and collected data about them for years before it went on to disrupt centrifuge operations.
This is yet another example of sophisticated attacks on energy companies. The implication for industry overall is that now is the time to review and possibly enhance cyber defenses. Are you able to detect intrusions on a timely basis? Do you have Defense in Depth safeguards in place to protect against such attacks?
In my next article, I will discuss how to detect and block malware, such as Dragonfly, and how Belden’s products and services can help.
What are your thoughts on Dragonfly? Will its discovery impact your risk assessments? I look forward to hearing from you.
[1] The malware had been identified to security insiders on a U.S. government computer alert website on May 12, 2014, and had been monitored by at least one security company for up to a year prior to that.
[2] Havex, Dragonfly, Energetic Bear and Backdoor.Oldrea all refer to the same family of malware.
[3] US-CERT is the United States Computer Emergency Readiness Team and is part of DHS’ National Cybersecurity and Communications Integration Center (NCCIC).
Related Content to Download
- Presentation: “ICS Security - What's happening and what are the challenges?”
- F-Secure Webpage: Havex Hunts For ICS/SCADA Systems
- Securelist.com (Kaspersky Lab) Webpage: Energetic Bear: more like a Crouching Yeti
- Symantec White Paper: Cyberespionage Attacks Against Energy Suppliers
- Symantec Webpage: Western Energy Companies Under Sabotage Threat
- Security Matters White Paper: Cyberespionage campaign hits energy companies