US CERT urges critical infrastructure firms to hunt for Dragonfly hackers

Dragonfly hackers return

The US Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has urged critical infrastructure firms to check their networks for signs of intrusion after another cyber attack tool was uncovered.

The warning follows the discovery of a fresh wave of attacks by a hacking group codenamed Dragonfly, also known as Energetic Bear, which is said to be capable of doing Stuxnet-level damage.

The attacks were uncovered by Symantec and are particularly dangerous as they could theoretically cause physical damage to industrial control systems (ICS) and sabotage power plants – like the 2011 Stuxnet virus caught targeting Iranian nuclear systems.

In response, ICS-CERT issued guidance urging firms involved in critical infrastructure to check for and report any signs of intrusion on their networks.

“ICS-CERT strongly recommends that organisations check their network logs for activity associated with this campaign. Any organisation experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes,” read the alert.

“ICS-CERT requests that any company that identifies activity related to this report, please notify ICS-CERT immediately for tracking and correlation.”

ICS-CERT recommended critical infrastructure companies also pre-emptively bolster their cyber security, even if they do not find evidence they have been targeted.

The recommendations included key steps such as enforcing strict access control lists and authentication protocols for network-level access to Object Linking and Embedding (OPC) clients and servers, making sure systems’ patch levels are up to date, maintaining up-to-date antivirus signatures and minimising network exposure for all control system devices where possible.

The Dragonfly campaign was originally uncovered by researchers at security firm CrowdStrike in January. The original attacks were espionage focused and targeted businesses operating in the US, Japan, Poland, Greece, Romania, Spain, France, Turkey, China and Germany.

The first attacks used a combination of two malware tools. The first, Oldrea, sets up a back door on the victim machine that lets the attackers extract data and install more malware.

The second, Karagany, is off-the-shelf malware whose source code was leaked in 2010. Karagany lets the attackers upload stolen data, download new files, and run executable files on an infected computer.

When it uncovered the new campaign on Monday, Symantec reported that the group had expanded its operations to target victims with a watering hole attack leveraging the LightsOut exploit kit.

“The attackers then shifted their focus to watering hole attacks, compromising a number of energy-related websites and injecting an iframe into each, which redirected visitors to another compromised legitimate website hosting the LightsOut exploit kit,” explained the researchers.

“LightsOut exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.”
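The injected-iframe stage described in the quote above is something a site owner can check for on their own pages. The following is an added example, not code from Symantec, ICS-CERT or this article: it parses a constructed sample page and lists every iframe whose source host differs from the site's own host, marking those that are also sized or styled to be invisible. The site name and the off-site host are made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical energy-sector site: one legitimate
# same-host iframe and one injected, hidden iframe pointing to an off-site host.
SITE_HOST = "energy-example.test"
SAMPLE_HTML = """
<html><body>
<iframe src="https://energy-example.test/widgets/status"></iframe>
<iframe src="http://compromised-site.example/landing.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """Heuristic: 0/1-pixel dimensions or inline CSS that hides the frame."""
    def tiny(v):
        return v is not None and re.fullmatch(r"\s*[01](px)?\s*", v) is not None
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)

def find_offsite_iframes(html, site_host):
    """Return iframes whose src host differs from the site's own host.
    An off-site iframe is not proof of compromise; compare against approved embeds."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            findings.append({"src": src, "host": host, "hidden": is_hidden(attrs)})
    return findings

if __name__ == "__main__":
    for f in find_offsite_iframes(SAMPLE_HTML, SITE_HOST):
        print(("HIDDEN " if f["hidden"] else "") + "off-site iframe -> " + f["src"])
```

Relative and same-host iframes are ignored, so the output is a short review list rather than a verdict; run it against a freshly fetched copy of each public page and diff the result over time.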

The security researchers said the sophisticated nature and timing of the attacks indicate that they are being mounted by a state-sponsored Eastern European group.

State-sponsored hacking campaigns are a growing problem facing governments and businesses of all sizes. In June, the UK’s GCHQ pledged to begin sharing attack data with businesses to help combat the threat.
