Emerging Threat: Dragonfly / Energetic Bear – APT Group
On June 30th 2014, Symantec Security Response released a whitepaper detailing an ongoing cyber espionage campaign dubbed Dragonfly (aka Energetic Bear). The attackers appear to have been in operation since at least 2011. They managed to compromise a number of strategically important organizations for spying purposes and could have caused damage or disruption to energy supplies in affected countries. The two primary tools the group uses are Remote Access Trojans (RAT) named Backdoor.Oldrea and Trojan.Karagany.
Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013. Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and Energy industry industrial control system (ICS) equipment manufacturers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
Tactics, Techniques, Procedures (TTP)
The Dragonfly group uses attack methods which are centred on extracting and uploading stolen data, installing further malware onto systems, and running executable files on infected computers. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloguing documents on infected computers.
The first phase of Dragonfly’s attacks consisted of the group sending malware in phishing emails to personnel in target firms. In the second phase, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in the energy sector in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.
Well resourced, possibly State-Sponsored
Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through multiple attack vectors while compromising numerous third party websites in the process. Its main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability.
This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While there are parallels between the motivations behind the Stuxnet malware and the Dragonfly attack group, Dragonfly appears to be focused more on espionage, whereas Stuxnet was designed specifically for sabotage.
Analysis of the compilation timestamps on the malware used by the attackers indicate that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.
Prior to publication of the whitepaper, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centres (CERTs) that handle and respond to Internet security incidents.
THREAT TECHNICAL DETAILS:
Remote Access Tool/Trojan (RAT)
Dragonfly uses two main pieces of malware in its attacks. Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware tool is Backdoor.Oldrea, which is also known as Havex, or the Energetic Bear RAT. Oldrea acts as a back door for the attackers on to the victim’s computer, allowing them to extract data and install further malware.
Oldrea appears to be custom malware, either written by the group itself or created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.
Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers.
The majority of C&C servers appear to be hosted on compromised servers running content management systems, indicating that the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.
The second main tool used by Dragonfly is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan.Karagany!gen1.
Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloguing documents on infected computers.
Symantec found that the majority of computers compromised by the attackers were infected with Oldrea. Karagany was only used in around 5% of infections. The two pieces of malware are similar in functionality and what prompts the attackers to choose one tool over another remains unknown.
The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different Industrial Control System (ICS) equipment manufacturers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.
The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.
The second company to be compromised was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.
The third firm attacked was a European company which develops systems to manage wind turbines, bio-gas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.
The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising suppliers, which are invariably smaller and less protected.
- Aviation Industry – US and Canada (Pre 2013)
- Defence Industry – US and Canada (Pre 2013)
- Energy Industry – US and Europe (Spain, France, Italy, Germany, Turkey, Poland)
- Energy Grid Operators
- Major Electricity Generation Firms
- Petroleum Pipeline Operators
- Energy Industry, Industrial Control System (ISC) Equipment Manufacturers
- Spear Phishing, Email Spam
- February 2013 – June 2013
- 7 organizations targeted
- 1-84 emails sent to each organization
- Sent to Executives and Senior employees
- Sent from single Gmail account
- Subject lines: “The Account” or “Settlement of Delivery Problem”
- Emails contained a malicious PDF
- Watering Hole Attacks, Exploit Kits
- Watering Holes consist of compromise of energy-related websites
- iFrame injected into each site
- Redirects visitors to another compromised legitimate website
- Compromised website hosts Lightsout Exploit Kit
- Lightsout Exploit Kit
- Exploits Java or Internet Explorer
- Installs Backdoor.Oldrea or Trojan.Karagany on the victim computer
- Hello Exploit Kit
- Since September 2013
- Identifies installed browser plugins
- Victims redirected to URL which determines best exploit to use based on collected information
- Remote Access Tools/Trojans (RAT)
- Backdoor.Oldrea (aka Havex, aka Energetic Bear RAT)
- Trojanized Software
- Compromise of legitimate software packages
- Industrial Control System (ICS) equipment manufacturers
- Sabotage as a definite secondary capability
SYMANTEC MSS SOC DETECTION CAPABILITIES:
For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
MSS SOC Analytics Detection
- Malicious URL (WSM) Signatures
- [MSS Threat Intel - Regex] Backdoor.Oldrea (Havex RAT) C2
- [MSS Threat Intel - Hash] Backdoor.Oldrea (Havex RAT) C2
- [MSS URL Detection] Possible Backdoor.Oldrea Command and Control Communications
- [MSS URL Detection] Possible Backdoor.Oldrea C2 Communications (Regex)
- [MSS URL Detection] Possible Trojan.Karagany Command and Control Communications
- [MSS Threat Intel - Hash] Lightsout Exploit Kit (Hello EK) landing page
- Palo Alto
- Snort/Emerging Threats (ET)
- Snort/SourceFire (VRT)
- System Infected: Backdoor.Oldrea Activity
- System Infected: Backdoor.Oldrea Activity 2
- System Infected: Karagany BOT Activity
- Web Attack: Ligthsout Exploit Kit
- Web Attack: Lightsout Toolkit Website 4
- Symantec.Cloud customers are protected from this threat.
This list represents a snapshot of current detection. Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices. As threats evolve, detection for those threats can and will evolve as well.
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
- Symantec recommends that all customers follow IT security best practices. These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.
- Minimum Recommended Best Practices Include:
- Use/Require strong user passwords (8-16+ alphanumeric characters, with at least 1 capital letter, and at least 1 special character)
- Disable default user accounts
- Educate users to void following links to untrusted sites
- Always execute browsing software with least privileges possible
- Turn on Data Execution Prevention (DEP) for systems that support it
- Maintain a regular patch and update cycle for operating systems and installed software
- Deploy network intrusion detection/prevention systems to monitor network traffic for malicious activity.
- For technologies not monitored/managed by MSS, ensure all signatures are up to date, including endpoint technologies.
- Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
- Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
- To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
- Do not follow links or open email attachments provided by unknown or untrusted sources.
- Ensure staff is educated on Social Engineering and Phishing techniques.