Symantec last week reported a renewed wave of Advanced Persistent Threat (APT) attacks attributed to the Dragonfly group (also known as Energetic Bear). This wave, dubbed Dragonfly 2.0, appears to have begun already in 2015 and reuses tactics the group previously employed to infiltrate critical infrastructure control systems.

The attacks are primarily aimed at the energy sector and have already compromised numerous organisations, giving Dragonfly the means to spy on them and gather intelligence about how critical energy control systems work. As if that were not serious enough, the group may now be in a position to “flip the power switch at will”, which could cause major blackouts and sabotage an entire country’s energy infrastructure. There is a precedent: in December 2015 the BlackEnergy malware was used in an attack on the Ukrainian power grid that caused blackouts.

The attacks start with targeted phishing campaigns or watering hole tactics aimed at stealing user credentials. The phishing emails carried content tailored to the energy sector, making it more likely that employees would take them for legitimate. The next step is installing a combination of Trojan and backdoor malware, which gives the group a foothold from which to reach critical infrastructure controls. Once Dragonfly has that access, it can quietly gather intelligence about the systems and reuse the stolen credentials later, whenever it chooses.

The re-emergence of Dragonfly shows that the weaknesses of often outdated SCADA systems, which were never designed to be secure in the modern threat landscape, are still a threat to be taken seriously. It can be hard to tell whether an infrastructure control system has been compromised: an attacker holding valid credentials can roam the systems disguised as a trusted employee and so stay under the radar until it is too late.
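Stolen credentials look like a legitimate employee to the system that accepts them, so detection has to rely on how the account is used rather than on whether the logon succeeded. The snippet below is an added, illustrative example (not LogPoint's own rules and not a Dragonfly indicator): it builds a baseline of which source hosts each account normally logs on from, then flags successful logons from hosts the account has never used and accounts used from several hosts within a few minutes. The event format, host names, accounts and timestamps are constructed for the example.

```python
"""
Illustrative detection logic (added example, not LogPoint's rules or a
Dragonfly indicator): spot stolen-credential reuse by comparing logons
against the account's own history. Event format and records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, source host, target host, outcome)
SAMPLE_EVENTS = [
    ("2017-08-01T08:02:11", "j.smith", "WS-ENG-07", "HMI-SUB-1", "success"),
    ("2017-08-01T08:05:30", "j.smith", "WS-ENG-07", "HIST-01", "success"),
    ("2017-08-02T07:58:02", "j.smith", "WS-ENG-07", "HMI-SUB-1", "success"),
    ("2017-08-02T09:14:45", "a.jones", "WS-ENG-12", "HIST-01", "success"),
    # Baseline ends 2017-08-03; afterwards j.smith's credential is used
    # at night from an IT workstation and a VPN gateway it never came from.
    ("2017-08-10T02:41:09", "j.smith", "WS-IT-55", "HIST-01", "success"),
    ("2017-08-10T02:43:51", "j.smith", "WS-IT-55", "HMI-SUB-1", "success"),
    ("2017-08-10T02:44:30", "j.smith", "VPN-GW-2", "HMI-SUB-2", "success"),
    ("2017-08-10T10:00:00", "a.jones", "WS-ENG-12", "HIST-01", "success"),
    ("2017-08-10T10:01:00", "a.jones", "WS-ENG-12", "HMI-SUB-1", "failure"),
]

# Assumed cut-off between the "known good" learning period and live traffic.
CUTOFF = datetime(2017, 8, 3)


def parse(event):
    """Turn a raw tuple into (datetime, account, src, dst, outcome)."""
    ts, user, src, dst, outcome = event
    return datetime.fromisoformat(ts), user, src, dst, outcome


def build_baseline(events, cutoff):
    """Map each account to the source hosts it logged on from before cutoff."""
    seen = defaultdict(set)
    for ts, user, src, _dst, outcome in map(parse, events):
        if ts < cutoff and outcome == "success":
            seen[user].add(src)
    return seen


def new_source_logons(events, baseline, cutoff):
    """Successful logons after cutoff from a host the account never used.

    Returns one (timestamp, account, src, dst) per new (account, src) pair,
    so a burst of logons from the same unexpected host yields one hit.
    """
    hits, reported = [], set()
    for ts, user, src, dst, outcome in map(parse, events):
        if ts < cutoff or outcome != "success":
            continue
        if src in baseline.get(user, set()) or (user, src) in reported:
            continue
        reported.add((user, src))
        hits.append((ts.isoformat(), user, src, dst))
    return hits


def multi_source_logons(events, window=timedelta(minutes=10), min_sources=2):
    """Accounts used from >= min_sources distinct hosts within one window.

    A real employee rarely logs on from two machines within minutes; a
    credential shared with an intruder often does.
    """
    by_user = defaultdict(list)
    for ts, user, src, _dst, outcome in map(parse, events):
        if outcome == "success":
            by_user[user].append((ts, src))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (ts, _src) in enumerate(logons):
            sources = {s for t, s in logons[i:] if t - ts <= window}
            if len(sources) >= min_sources:
                alerts.append((ts.isoformat(), user, sorted(sources)))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_EVENTS, CUTOFF)
    for hit in new_source_logons(SAMPLE_EVENTS, baseline, CUTOFF):
        print("new source host:", hit)
    for alert in multi_source_logons(SAMPLE_EVENTS):
        print("multiple hosts in window:", alert)
```

The caveat a practitioner should keep in mind is the baseline itself: Dragonfly 2.0 has reportedly been active since 2015, so a learning window that already contains the intruder's logons will quietly whitelist them. Build the baseline from a period you have independent reason to trust, or from an allow-list of engineering workstations, rather than from whatever the last few months of logs happen to contain.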

We have yet to see the full potential of this campaign, or what Dragonfly intends to do with the access it has gained over the past years. The worst-case scenario, however, is disruption of the power grid, with severe damage to organisations and national infrastructure.

LogPoint enables you to detect and stay aware of Dragonfly activity, and we will continue to release updates as the threat evolves.