Today, Symantec released another report on Dragonfly, a cyber-espionage group targeting the energy sector in the United States, as well as Turkey and Switzerland. As the report thoroughly details, the campaign has evolved beyond the initial phase of reconnaissance, and has shifted to gaining access to the operational systems of energy facilities. This transition elevates the intent beyond exploration and espionage towards an operational foundation necessary for sabotage and destruction. Importantly, as Mark Dufresne and I presented at BSidesLV this summer, attacks intended to sabotage and destroy are not new. Destructive attacks have been increasing in frequency, and are tightly linked to rising geopolitical tensions between the most conflict-prone country-pairs. In short, this latest news of deep intrusions into the energy sector fits in with a much larger and disconcerting pattern, and should not be viewed as an anomaly but rather the ‘state-of-the cyber state’ in 2017 and beyond.
Destructive Attacks: A Brief Overview
As the timeline below illustrates, destructive or sabotage attacks have targeted a range of critical infrastructure, media, and select, targeted organizations for the last decade. Importantly, while these kinds of attacks have been on the rise, there has been a marked spike in destructive attacks since late 2016. In December, the Ukraine power grid was struck again with destructive malware, later attributed to Russian-linked Crash Override. Crash Override is a highly customized malware with a wiper component, and is compiled to control the grid circuit switches and breakers. A few weeks earlier, Shamoon 2.0 surfaced, targeting Saudi government entities, infecting thousands of machines and spreading to Gulf states. Shamoon 2.0 was followed by the discovery of Stonedrill, another destructive malware targeting Saudi entities, but has also been discovered in at least one European organization.
These destructive attacks not only are expanding their target set, but also are innovating for additional effects. Just as Crash Override innovated in the sophisticated customization to control power grids, additional innovations in destructive malware have occurred this year. KillDisk, malware with a wiper component, has been linked to previous attacks on the Ukraine power grid as well as the shipping and financial sectors. It has recently been updated to encrypt files and contains a ransomware component. Conversely, NotPetya masqueraded as ransomware, but was likely a targeted wiper malware attack focused on Ukraine. Finally, Ireland’s EirGrid was compromised in April, and reported last month. It remains unclear whether destructive malware was installed, which could have resulted in a blackout. These are just those attacks that have been publicized or discovered. As the Dragonfly report makes clear, these campaigns can remain undiscovered for quite some time before discovery or public acknowledgement.
Phases of Tensions, Phases of Escalation
As the Symantec report well-articulates, Dragonfly 2.0 reflects an escalation from general intelligence gathering towards the sort of deeper access to and reconnaissance on control systems necessary for potential sabotage. These phases of escalation are increasingly common, and often coincide with escalating geopolitical tensions between countries. More often than not, the escalation to destructive attacks occurs between interstate rivals - pairs of countries that exhibit a higher propensity toward conflict. While not noted in the above timeline, the Dark Seoul gang, linked to North Korea, was among the first to combine wiper malware within a larger campaign in 2009, targeting the United States and South Korea with a combination of DDoS attacks and wiper malware. North Korea has a long history of integrating wiper malware with additional attack vectors, which often coincides closely with planned exercises, anniversaries of key events, or other geopolitical events such as the disintegration of the six-nation talks.
Similarly, Shamoon 2.0 manifests the escalation from the previous campaign, and the geopolitical tensions between Iran and Saudi Arabia. While there was a relative ‘cease fire’ of destructive attacks between the pair from 2012-15, following the Iran nuclear agreement there was a major escalation of tit-for-tat attacks on websites prior to Shamoon 2.0 and Stonedrill. Finally, Russia and Ukraine represent the most prominent use of destructive attacks, as well as the asymmetric and uni-directional use of these attacks by major powers on smaller countries. Unfortunately, many of these attack vectors and wiper malware are now in the wild, and are likely to be deployed by other groups similarly seeking larger effects and objectives.
Protecting Against Targeted Attacks
In many of these examples, private sector organizations are caught in the geopolitical crossfires, and often are viewed simply as collateral damage by the attackers. NotPetya (or “Nyetya”) may cost the shipping giant, Maersk, $300 million, even though by most accounts it was not the intended target. Because of these growing externalities to targeted attacks, it is important to remain cognizant of the attack vectors and protect against them accordingly.
First, although the energy sector is a prime target for destructive attacks, enterprises in other industries must also be prepared to protect against these kinds of attacks. Second, the Symantec report notes that Dragonfly uses a range of infiltration techniques to access a victim’s network, including “malicious emails, watering hole attacks, and Trojanized software.” Because destructive attacks, and targeted attacks in general, integrate a variety of intrusion techniques, prevention must be considered a top priority. This is why at Endgame we focus on prevention across the attack lifecycle - exploits, malware, and post-exploit techniques including living-off-the-land. Such an approach is necessary to protect against threats such as Dragonfly.
Conclusion
Today’s Symantec report on Dragonfly is just the latest reminder that attackers are increasingly brazen, and critical infrastructure remains a prime target. Unlike the series of publicized destructive attacks that have been slowly on the rise for the last decade, we see no proof of actual sabotage, but pre-positioning is probably underway. We should not panic that the grid is about to go down, but we must pay attention to the trend. Too often these attacks are viewed through a limited lens and remain on the radar for only a brief news cycle. This myopic view of these attacks overlooks the larger, escalatory increase in these attacks, especially within and between geopolitical rivals. As long as geopolitical tensions remain high, and with the growing open source proliferation of nation-state malware, this trend is unlikely to abate any time soon.