The Dragonfly malware, previously thought to focus exclusively on the critical energy and chemical sectors, is now thought more likely to be targeting pharmaceutical companies.
In the first of four reports from Belden, which executed the malicious code on systems reflecting real-world ICS configurations and observed Dragonfly's impact, several factors were uncovered suggesting that a main target of Dragonfly is the intellectual property of pharmaceutical organizations.
Over the past few years, industrial infrastructure has been identified as a key target for hackers and government-sponsored cyber-warfare, attracting some of the most sophisticated cyber-attacks on record, including Stuxnet, Flame and Duqu.
Earlier in the year, security researchers spotted a new attack campaign that used infected ICS/SCADA manufacturer websites in watering hole attacks to commit commercial espionage and take over industrial control systems; according to F-Secure, Dragonfly was behind it. The remote access trojan (RAT) had also been used in the past to target energy firms in campaigns by a Russian group dubbed 'Energetic Bear' by CrowdStrike.
Dragonfly, a.k.a. Havex, is significant because it is the first advanced attack since Stuxnet to carry payloads that target specific industrial control system (ICS) components.
“The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft, likely for the purpose of counterfeiting,” explained Eric Byres, CTO of Tofino Security, a Belden brand. “CIOs and other executives need to know about this attack and be assured that there are techniques and products available to defend against it.”
The report found that, out of thousands of possible ICS suppliers, the three companies whose software Dragonfly most often trojanized were not actually primary suppliers to energy facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry. Also, the Dragonfly attack is very similar in nature to another campaign known as Epic Turla, and is likely managed by the same team. Epic Turla has been shown to have targeted the intellectual property of pharmaceutical companies.
And finally, the Dragonfly malware contains an industrial protocol scanner module that searches for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceuticals, rather than in the energy industry.
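The scanner module's behaviour described above gives defenders a concrete thing to look for: one internal host sweeping many addresses on TCP 44818, 102 and 502. The following detection logic is an added example written for this page, not code from the Belden report or from Dragonfly itself; the key=value firewall log format and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# TCP ports probed by Dragonfly's industrial protocol scanner, per the report
# (protocol names are the editor's annotation, not from the report)
ICS_PORTS = {44818: "EtherNet/IP (Omron, Rockwell Automation)",
             102: "ISO-TSAP/S7 (Siemens)",
             502: "Modbus/TCP (Schneider Electric)"}

# Constructed sample firewall log lines; not from any real network
SAMPLE_LOG = """\
2014-10-14T09:12:01 src=10.20.4.55 dst=10.30.1.10 dport=502 proto=tcp action=allow
2014-10-14T09:12:02 src=10.20.4.55 dst=10.30.1.11 dport=502 proto=tcp action=allow
2014-10-14T09:12:02 src=10.20.4.55 dst=10.30.1.12 dport=44818 proto=tcp action=allow
2014-10-14T09:12:03 src=10.20.4.55 dst=10.30.1.13 dport=102 proto=tcp action=deny
2014-10-14T09:12:03 src=10.20.4.55 dst=10.30.1.14 dport=502 proto=tcp action=allow
2014-10-14T09:12:05 src=10.20.7.8 dst=10.30.1.10 dport=502 proto=tcp action=allow
2014-10-14T09:12:06 src=10.20.7.8 dst=10.30.1.10 dport=502 proto=tcp action=allow
2014-10-14T09:12:07 src=10.20.9.3 dst=10.30.2.40 dport=443 proto=tcp action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=tcp")

def find_ics_scanners(log_text, min_targets=3):
    """Return {src: {...}} for sources that contact at least `min_targets`
    distinct (dst, port) pairs on ICS ports, or that touch more than one
    ICS protocol. An HMI polling its own PLC on one port (10.20.7.8 in the
    sample) is not flagged; a host sweeping several addresses across
    502/102/44818 (10.20.4.55) is. Denied attempts count too: a scan that
    the firewall blocked is still a scan."""
    targets = defaultdict(set)  # src -> {(dst, port)}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in ICS_PORTS:
            targets[src].add((dst, port))
    findings = {}
    for src, pairs in targets.items():
        ports = sorted({p for _, p in pairs})
        hosts = {d for d, _ in pairs}
        if len(pairs) >= min_targets or len(ports) > 1:
            findings[src] = {"hosts": len(hosts), "ports": ports,
                             "protocols": [ICS_PORTS[p] for p in ports]}
    return findings

if __name__ == "__main__":
    for src, info in find_ics_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['hosts']} hosts on ports {info['ports']}")
```

In a real plant, tune `min_targets` against a baseline of known engineering workstations and historians, since those legitimately talk to many controllers on a single port.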
“My research, coupled with my knowledge of the pharmaceutical industry, led me to conclude that it was the target of Dragonfly,” said Joel Langill of RedHat Cyber, an independent ICS security expert and author of the Belden-sponsored report. “The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.”
“Post-Dragonfly, it is important that manufacturing companies secure core ICS through up-to-date best-practice policies and industrially-focused security technologies,” said Byres. “We know now that Stuxnet and Flame remained hidden in their target networks for years – by the time worms like these do damage or steal trade secrets, it is too late to defend against them.”