There were reports of a highly experienced, and possibly state-sponsored, hacking group codenamed ‘Dragonfly’ gearing up for fresh sabotage cyberattacks on the energy sector in Europe and North America. Moreno Carullo, Co-Founder and CTO at Nozomi Networks, commented below.
Moreno Carullo, Co-Founder and CTO at Nozomi Networks:
“Deviating from the 2014 wave of DragonFly threats, which targeted pharmaceutical firms, DragonFly 2.0 appears to have been weaponised to specifically target industrial control system (ICS) field devices and then feed that information back to the command-and-control server, which will be monitored by the attackers.
“Rather than installing immediately on infection, this latest iteration of DragonFly bides its time, waiting eleven days before automatically installing a ‘backdoor’. Using this new entrance, the attacker can then install or download applications to infected computers, particularly targeting Windows XP with known vulnerabilities, and even circumventing permission restrictions on user accounts.
“Our research supports that this version looks to explore ICS networks in depth. This knowledge would give attackers access to operational systems which could potentially be used for disruptive purposes.
“Organisations in a range of industries that are concerned about DragonFly 2.0 affecting their critical operational systems should apply real-time ICS monitoring and detection that can identify the presence of DragonFly in their operations, and take steps to block or remediate it.”