A three-year campaign targeting US and European energy companies has intensified this year, according to security software and services firm Symantec.
The attacks bear the hallmarks of a hacking group that Symantec calls Dragonfly, which the company believes is a front for a state-led hacking operation. The company implied - but didn't explicitly state - that Dragonfly is connected with Russia.
"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," claimed Symantec, adding that its customers ought to be protected against the activities of Dragonfly.
Symantec issued a research note on Dragonfly in June 2014, claiming that they had "managed to compromise a number of strategically important organisations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries".
The company suggested that Dragonfly was targeting energy grid operators, major electricity companies, oil pipeline operators and industrial equipment providers to the energy industry. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland, it added.
Symantec claims that Dragonfly activity died down after it had been exposed in 2014, but restarted in December 2015, ratcheting up from around April this year.
"As it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim's network, including malicious emails, watering hole attacks, and Trojanised software," claimed Symantec in its latest report.
"The earliest activity identified by Symantec in this renewed campaign was a malicious email campaign that sent emails disguised as an invitation to a New Year's Eve party to targets in the energy sector in December 2015."
The group conducted further malicious email phishing campaigns during 2016 and 2017. "The emails contained very specific content related to the energy sector, as well as some related to general business concerns. Once opened, the attached malicious document would attempt to leak victims' network credentials to a server outside of the targeted organisation," it added.
Intriguingly, perhaps, the Dragonfly group was observed attempting to subvert legitimate software in order to deliver malware to victims - a tactic deployed in June's NotPetya malware outbreak in which the software update servers of a Ukrainian accounting software company were compromised to deliver a Trojanised software update.
That attack had also been linked with the Russian state, with the malware absorbing some of the leaked US National Security Agency (NSA) exploits before the Shadow Brokers group, which claimed responsibility for cracking the server on which they had been hosted, had publicly released them.
The group is using the evasion framework Shellter to develop Trojanised applications, Symantec added.
"Symantec also has evidence to suggest that files masquerading as [Adobe] Flash updates may be used to install malicious backdoors onto target networks—perhaps by using social engineering to convince a victim they needed to download an update for their Flash player. Shortly after visiting specific URLs, a file named "install_flash_player.exe" was seen on victim computers, followed shortly by the Trojan.Karagany.B backdoor.
"Typically, the attackers will install one or two backdoors onto victim computers to give them remote access and allow them to install additional tools if necessary. Goodor, Karagany.B, and Dorshel are examples of backdoors used, along with Trojan.Heriplor."
While cyber attacks on infrastructure can be perpetrated with the intention of sabotage, the latest Dragonfly campaign appears to be reconnaissance, claimed Symantec.
"While Symantec cannot definitively determine Dragonfly's origins, this is clearly an accomplished attack group.
"It is capable of compromising targeted organizations through a variety of methods; can steal credentials to traverse targeted networks; and has a range of malware tools available to it, some of which appear to have been custom developed. Dragonfly is a highly focused group, carrying out targeted attacks on energy sector targets since at least 2011, with a renewed ramping up of activity observed in the last year."
Kicking Palantir off of AWS is among their demands, too
Rafaela Vasquez was watching The Voice at the time of the crash, new evidence shows
PUBG price slashed on Steam after selling more than 50 million copies - as daily player numbers plunge
Use the same password for every website? It might be time to change them all