How Dragonfly Hackers and RAT Malware Threaten ICS Security

Today, I want to let you know about a new malware, coined as coming from the "Dragonfly hacking group" by Symantec. It indicates a modus operandi on the level of Stuxnet in terms of technical brilliance and strategic execution. It is also the first of the advanced attacks post-Stuxnet to have payloads that target ICS components.

Given the importance of that finding, Belden commissioned Joel Langill of RedHat Cyber, a leading independent ICS security expert, to research Dragonfly in more depth. The objective was to understand the Dragonfly campaign in order to provide the best possible advice to customers for defending against advanced malware threats.

Originally thought to be aimed at the energy sector, we announced today that Joel's research indicates the target is actually the pharmaceutical industry. What does this have to do with everyday ICS and SCADA security? The implication is that now discrete manufacturers, not just the critical infrastructure industries, need to factor advanced attacks into their risk assessments.

Letis take a look at Dragonfly in more detail and see what we can learn from it.

RATs (Remote Access Tools) are key components of the Dragonfly malware.Image Credits: The Quinton Report and The Dragonfly Woman

Is it a RAT, a Dragonfly or both?

On June 23, 2014, Finnish security firm F-Secure published a blog article on a new family of malware used in targeted attacks against industry sectors. This was shortly followed on June 30, when Symantec published a white paper and a blog article disclosing the Dragonfly threat to a broad audience1. Their documentation indicates that the threat results from two pieces of malware, both of which are Remote Access Tools or RATs. (Don’t you love that acronym?)

The first one is primarily known as the Havex RAT, though it has also been referenced as Backdoor.Oldrea or the Energetic Bear RAT in various reports2. This malware extracts data from Outlook address books and ICS-related software files used for remote access from the infected computer to other industrial systems. Some of the variants specifically look for OPC servers.

A scary aspect of Havex is that many variants have been discovered (88) and more may be out there or continue to be released. This malware communicates information, such as the existence of devices on the local area network (LAN), back to a large number (146) of Command and Control (C&C) servers. This is known as "ICS sniffing" and could have the purpose of documenting networks for future industrial espionage campaigns or operational sabotage attacks.

The other piece of malware is known as Kragany or Trojan. Kragany allows attackers to upload and download files from the infected computer and run executable files. It also has advanced features for collecting passwords, taking screenshots and cataloguing documents.

How Does the Maleware Get into Industrial Automation Systems?

Proving again that there are multiple pathways to control systems, the Dragonfly malware was distributed using three attack vectors:

1. Email Campaign – Executives and senior employees were targeted with malicious PDF attachments February-June 2013.
   
   
2. Watering Hole Attack - Websites likely to be visited by people working in the energy sector were infected such that they redirected the site visitor to another compromised legitimate website hosting an exploit kit. The exploit kit then installs the RAT. This method of distribution began in June 2013.
   
   
3. Software Downloaded From ICS-Related Vendors – Three ICS vendors’ software downloads were hacked so that they included the RAT malware. The companies are eWON , MB Connect Line and Mesa Imaging and the hacks occurred in June-July 2013 and in January 2014. All three companies offer products and services most commonly used by the pharmaceutical industry.
   
   

Belden's Industrial Networking Products Are Not Affected

Based on our current knowledge of this threat, we are confident that no Belden products are at risk and that no Belden software downloads have been infected.

The Dragonfly malware targeted pharmaceutical companies via suppliers of handling, packaging and automation systems.

What Damage Did Dragonfly Do?

Dragonfly has not sabotaged any ICS systems to date, but the cyber espionage it has collected and the persistent access it has set up may lead to sabotage in the future.

In today's press release, Eric Byres, CTO of Tofino Security and Belden’s cyber security experts, commented:

 "The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft, likely for the purpose of counterfeiting. CIOs and other executives need to know about this attack and be assured that there are techniques and products available to defend against it."

Who Created It?

It is believed that the Dragonfly group is based in Eastern Europe.

"The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies." - Symantec,  June 30, 2014 article

What Does Dragonfly Mean for Controls Engineers?

While Dragonfly has been an information stealer to date, its targeting of data about ICS devices is worrying. Just take the case of Stuxnet, where it penetrated systems and collected data about them for years before it went on to disrupt centrifuge operations. Whether the end goal is the theft of proprietary information or to cause downtime, the costs to the victims are high.

Here is Eric's conclusion about Dragonfly:

"Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations. Post Dragonfly, it is important that manufacturing companies secure core ICS through up-to-date best practice policies and industrially focused security technologies."

"We know now that Stuxnet and Flame remained hidden in their target networks for years – by the time worms like these do damage or steal trade secrets, it is too late to defend against them."

Belden's Dragonfly White Paper Series

Today, we released part one of a four-part series of white papers titled "Defending Against the Dragonfly Cyber Security Attacks Part A – Identifying the Targets."

The four parts are:

Part A – Identifying the Targets

Part B – Analyzing the Malware
Part C – Assessing the Consequences
Part D – Defending Industrial Control Systems

Each part is being released separately in order to make the information available to the public as quickly as possible.

Once you download any part of this series:

• You will receive email notification when the other parts are available.
• Each part released will be appended to earlier sections.
• With the release of Part D, the complete white paper series will be available as one integrated report.

What are your thoughts on Dragonfly? Will its discovery impact your risk assessments? I look forward to hearing from you.

Editor's Note: This is a significant update to the article first published on Aug. 13, 2014. New research, announced by Belden today, shows that the target of the Dragonfly malware campaign is the pharmaceutical industry, not the energy industry as we first reported.

1. The malware had been identified to security insiders on a U.S. government computer alert website on May 12, 2014, and had been monitored by at least one security company for up to a year prior to that.
2. Havex / Dragonfly / Energetic Bear / and Backdoor.Oldrea all refer to the same family of malware.
3. US-CERT is the United States Computer Readiness Team and is part of DHS' National Cybersecurity and Communications Integration Center (NCCIC).