As people around the world reflect on this past year and look forward to the next, it is important to learn from past mistakes so as to not repeat them.
Six years ago, Dragonfly 2.0, the espionage group, began its nefarious activities aimed at energy industries with an email campaign. Emails disguised as invitations to a New Year’s Eve party were sent to targets in the energy sector.
In the following couple of years, the Dragonfly group continued to send out malicious emails that at times elicited detailed information related to the energy sector, along with general business concerns. The emails were only one part of their strategy though.
What is Dragonfly 2.0
The original Dragonfly group started in at least 2011 and targeted defense and aviation companies. In 2013, their focus turned to the energy sector and suppliers of industrial control systems. In 2015, the Dragonfly 2.0 group emerged, using some of the same tactics as the old group.
The Heriplor and Karagany Trojans were used in both Dragonfly campaigns. Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly and a strong indicator that the group that targeted the western energy sector between 2011 and 2014 is the same group behind these later attacks.
How Dragonfly 2.0 attacks
In a joint Technical Alert, the Department of Homeland Security (DHS) and FBI characterized this activity as a multi-stage intrusion campaign by Russian government cyber actors. They targeted small commercial facilities’ networks, where they sent malware, spear phished and gained remote access into energy sector networks. Then, the group worked on network reconnaissance, moved laterally and collected industrial control systems data.
There were five stages: Reconnaissance, weaponization, delivery, exploitation and installation. Email messages evolved from using a generic contract agreement subject line to including references to common industrial control equipment.
Once the malicious emails are opened, the document leaks the victims’ network credentials. Later, experts found that this group was using the Phishery toolkit to take credentials through a template injection attack. The Dragonfly group also started using so-called watering hole attacks to obtain more network credentials, which they did by compromising websites that energy sectors were tied to.
They had staging targets and actual targets, which meant that they first targeted organizations that held preexisting relationships with the actual intended targets. This part of the strategy starts with stage one but continues throughout the whole process.
Dragonfly 2.0 had some success accessing workstations and servers that had data output from energy generation facilities’ control systems. Since these attacks, cybersecurity experts have released vulnerability mitigation against this specific group’s tactics and give advice on how to respond to these kinds of situations.
Cybersecurity companies are aware of the ever-growing number of threat actor groups that pop up every day. Due to previous severe attacks this year, such as the Colonial Pipeline and JBS, both the private and public sectors are working together to create better standard practices. While there are numerous threats that have yet to be seen, experts are working on making changes that will make critical infrastructure safer and less vulnerable.
The energy sector became a main target for many threat groups years ago, including, for example, the attack on the Ukraine power grid in 2015. However, experts noted that most of the Dragonfly activity was uncovered in organizations in the U.S., Turkey and Switzerland, according to a Security Affairs article.
The energy sector continues to be an area of cyber-criminal focus. As the Dragonfly New Year’s Eve emails in 2015 illustrate, this may be especially true around the holidays. So, as everyone moves closer to the new year, keep your loved ones close, learn from the past (and stay away from any suspicious emails).