'Dragonfly' Malware Highlights Vulnerability of Energy Infrastructure

With an explosion in the number of “smart” Internet-connected devices, it seems hardly a week goes by when we're not reminded of the vulnerability of individuals, organizations and even entire societies to malware, online spying and cyber attacks.

In a whitepaper released June 30, Symantec Security Response reports on an ongoing, sophisticated, very possibly state-sponsored “cyber espionage campaign dubbed Dragonfly (aka Energetic Bear)” that managed to infiltrate information systems of “energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry industrial control system (ICS) equipment manufacturers.”

The majority of the victims were located in the U.S., Spain, France, Italy, Germany, Turkey and Poland, according to a post on Symantec's Managed Security Services Blog. As CNNMoney journalist Jose Pagliery noted in a July 2 news report, it seems the Cold War didn't end with the 1989 fall of the Berlin Wall, it just moved into cyber space.

Cyber espionage in the energy industry

The Dragonfly cyber espionage campaign is believed to have been active since at least 2011, targeting defense and aviation companies in the U.S. and Canada first. But it showed up on Internet and IT security companies' radar screens in early 2013, when it shifted its focus to U.S. and European energy firms.

The Dragonfly group makes use of bespoke malware and a variety of online infiltration tools and methods. Dragonfly attacks were carried out in three phases, Symantec elaborates:

• Sending malware in phishing emails to personnel in target firms;


• Watering-hole attacks in which websites commonly visited by those in the energy industry were compromised with an exploit kit; and finally,


• The “Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.”

Fortunately, Dragonfly hasn't brought down electricity grids or oil or natural gas pipelines, though it clearly holds the potential to do so. In contrast to the notorious Stuxnet, which was used to sabotage Iran's nuclear power program, Dragonfly's primary focus appears to be cyber espionage, according to Symantec.

The Cold War moves online

Furthermore, the sophistication and resources required to carry out Dragonfly suggests it is a state-sponsored operation. Time stamps indicate that it originated somewhere in Eastern Europe. As Symantec MSS Global Threat Response explains in its blog post:

“Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through multiple attack vectors while compromising numerous third party websites in the process. Its main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability.”

Internet connectivity is expanding fast and far beyond PCs, mobile communications devices, TVs and vehicles to include all manner of equipment and products, from wearable electronics and household appliances to smart electricity, water and gas meters, manufacturing and industrial control systems.

Global shipments of connected devices surpassed 1 billion in 2013 and are expected to approach 1.8 billion this year, according to a forecast from IDC.

With each of these devices a potential access point for cyber spies, terrorists and criminals, the onus is on individual users, as well as IT professionals and Internet security specialists, to carry out protective measures, including using Internet security software, diligently following secure-use practices and staying abreast of new potential threats.

*Image credits: 1) Fuel Fix; 2) Symantec