Hackers are targeting the energy sectors in Europe and North America, according to anti-virus software developer Symantec.
Symantec believes the culprit to be “Dragonfly 2.0,” an increasingly active campaign from a group (also known as Energetic Bear or Crouching Yeti) in operation since 2011 and building in intensity since at least December 2015, following a period of dormancy.
“Symantec has strong indications of attacker activity in organizations in the U.S., Turkey and Switzerland, with traces of activity in organizations outside of these countries,” said a company news release.
The Dragonfly cyber espionage group uses a variety of techniques, including malicious emails, watering hole attacks and Trojanized software. “The emails contained very specific content related to the energy sector, as well as some related to general business concerns,” Symantec said. “Once opened, the attached malicious document would attempt to leak victims’ network credentials to a server outside of the targeted organization.”
Watering hole attacks have been collecting the credentials of energy sector users by compromising websites they frequent. “In one instance, after a victim visited one of the compromised servers, Backdoor.Goodor was installed on their machine via PowerShell 11 days later. Backdoor.Goodor provides the attackers with remote access to the victim’s machine.”
Victims have also been struck by malware masquerading as Windows updates.
According to the company’s blog, which will be updated with threat detection and prevention practices as needed, “Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks — perhaps by using social engineering to convince a victim they needed to download an update for their Flash player. Shortly after visiting specific URLs, a file named “install_flash_player.exe” was seen on victim computers, followed shortly by the Trojan.Karagany.B backdoor.”
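As an added example (not code from Symantec or this article), the script below triages constructed endpoint events for the two host-level indicators the article names: execution of a file called install_flash_player.exe, and PowerShell writing an executable to disk, which is how Backdoor.Goodor is described as arriving. The log format, hostnames, paths and timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a Sysmon-like "ts host event key=value..." style;
# hosts, paths and times are invented for this example, not real telemetry.
SAMPLE_LOG = """\
2017-09-06T09:12:01 ws-17 ProcessCreate image=C:\\Users\\amy\\Downloads\\install_flash_player.exe parent=chrome.exe
2017-09-06T09:12:15 ws-17 FileCreate image=powershell.exe target=C:\\Users\\amy\\AppData\\Roaming\\svchost.exe
2017-09-06T10:30:00 ws-04 ProcessCreate image=C:\\Adobe\\FlashPlayerUpdateService.exe parent=services.exe
2017-09-06T11:00:00 ws-09 FileCreate image=powershell.exe target=C:\\Users\\bob\\report.txt
2017-09-06T11:45:00 ws-22 FileCreate image=powershell.exe target=C:\\Users\\cat\\AppData\\Local\\Temp\\agent.exe
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
DROPPED_EXT = (".exe", ".dll", ".scr")

def parse(log):
    """Turn each log line into a dict; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, kind, rest = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, **dict(KV_RE.findall(rest))})
    return events

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(log, window=timedelta(hours=1)):
    """Collect hits per host; two hits within `window` on one host escalate to high."""
    per_host = defaultdict(list)
    for ev in parse(log):
        image = basename(ev.get("image", ""))
        if ev["kind"] == "ProcessCreate" and image == "install_flash_player.exe":
            per_host[ev["host"]].append((ev["ts"], "fake Flash installer ran: " + ev["image"]))
        elif (ev["kind"] == "FileCreate" and image == "powershell.exe"
              and ev.get("target", "").lower().endswith(DROPPED_EXT)):
            per_host[ev["host"]].append((ev["ts"], "PowerShell wrote executable: " + ev["target"]))
    findings = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        chained = len(hits) > 1 and hits[-1][0] - hits[0][0] <= window
        findings.append({"host": host, "severity": "high" if chained else "medium",
                         "reasons": [reason for _, reason in hits]})
    return findings
```

On the sample, ws-17 is rated high because both indicators fire within the hour, ws-22 medium for the PowerShell drop alone, and the legitimate-looking Adobe updater and the text file written by PowerShell produce no finding.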
Symantec noted that the energy sector has been a favorite target for hackers over the last couple of years, including massive disruptions of Ukraine’s electrical system in 2015 and 2016.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”