Reports have recently emerged of an ongoing cyber espionage campaign conducted against the energy sector in a range of countries. Security researchers have identified firms operating energy grids, electricity generation, petroleum pipelines, and industrial equipment for the energy industry as primary targets. The campaign is assessed to originate from a cyber espionage group dubbed “Dragonfly” or “Energetic Bear”, and has utilised a range of malware, including remote access tools (RATs), which allow the attacker to take control of a computer from a remote location, to gain access to privileged systems. A key feature of this campaign has been the targeting of ICS (Industrial Control Systems) or SCADA (Supervisory Control And Data Acquisition) systems, which are used to manage large-scale industrial equipment. While firms in a number of countries have been targeted, the majority are
The scale of the operation and the use of custom malware tools strongly suggest that the Dragonfly group is state sponsored. The group has previously targeted defence and aviation companies in North America, and demonstrates a high degree of technical expertise both in developing malware and in its efforts to install that malware on targeted machines. The group has made significant use of so-called watering hole attacks, in which the attacker identifies a legitimate website likely to attract individuals working in the targeted industry, compromises that website, and uses it to deliver malware to each visitor.
The targeting of ICS systems in the energy field has been the subject of considerable media attention, particularly after the 2010 discovery of the Stuxnet malware in the ICS systems of Iranian nuclear processing facilities. Stuxnet was designed to manipulate the control systems of uranium centrifuges, causing the devices to be damaged. While the deployment of RATs on ICS systems does raise the potential for industrial sabotage, we assess that the current Dragonfly campaign is focused on espionage and system reconnaissance. We do however consider that this group and others like it will continue to target the energy industry in this manner for the coming twelve months at least.