A cyberespionage attack, identified by Symantec as Dragonfly, has targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers located primarily in the United States, Spain, France, Italy, Germany, Turkey, and Poland.  According to Symantec, the attackers used the malware only to spy on system operations, but could have used the remote-access functionality to cause serious damage if they had decided to. With infections reaching 1,018 organizations across 84 countries, ranging from grid operators to gas pipelines, the scope of the damage would have been considerable.

Symantec reports that the Dragonfly group is well resourced and is capable of launching attacks through a number of different vectors. Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

Analysis of the compilation timestamps on the malware used by the attackers indicate that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.

The Dragonfly group has used at least three infection tactics against targets in the energy sector.

• The earliest method was an email campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: “The account” or “Settlement of delivery problem”. All of the emails were from a single Gmail address. The spam campaign began in February 2013 and continued into June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.
• The next method involved watering hole attacks, comprising a number of energy-related websites and injecting an iframe into each which redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.
• The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.

The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.

To counter this type of threat it has been recommended that utilities should be spending 15-20% of their IT budget on cybersecurity.

NRECA Cooperative Research Network (CRA) has prepared a guide on implementing a cybersecurity system for electric power utilities with a U.S. Department of Energy (DoE) grant.