A hacking and cyberespionage group is currently targeting industrial control systems at energy companies. According to a survey by Symantec, they have broken into 27 corporate networks so far. The Dragonfly group, also known as Energetic Bear, is using spear phishing campaigns and malware-infected websites to collect credentials for corporate networks. Dragonfly has been active since at least 2011 and was exposed by security analysts in 2014. Afterwards, the group seemed to go underground and has only recently emerged again in the public eye. Symantec researchers refer to the current attacks as “Dragonfly 2.0” because they replicate many aspects of the previous attacks. The attacks target industrial control systems (ICS) belonging to companies that operate pipelines or generate electricity, and to other energy-related companies. The Dragonfly group appears to be particularly active in Switzerland, Turkey and North America.
Finger on the trigger
Security analysts assume that the Dragonfly group could take over numerous critical systems in the affected organizations if they wanted to. Energy supply is one of the most important areas of critical infrastructure, and successful attacks in this area have the potential to cause major chaotic incidents. The worst news of all is how these attacks continue to succeed: rather than developing new, sophisticated malware, the group is still using readily available phishing tools to target companies (the Phishery toolkit, available on GitHub). Recipients of the phishing emails are prompted to run trojan-infected software, visit websites with hidden malicious code or download fake software updates (such as Flash Player). While these are quite powerful means of gaining access to end devices and company networks, they can also be easily prevented with standard security tools. A stolen password alone is not enough to log in if multi-factor authentication is required. As soon as multi-factor authentication is in place, even the most sophisticated campaigns to snare login credentials are useless.
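The Phishery toolkit named above is publicly documented (not on this page) as injecting an external template reference into a Word document, so that opening the file makes Word fetch the template over HTTP and show a Basic Auth login prompt. The following is an added example, not code from the article or from Symantec, that a defender can run over incoming .docx attachments to flag such remote template references; the document fixtures and the URL example.invalid are constructed here.

```python
import io
import re
import zipfile

# Relationship type Word uses for an attached template in word/_rels/settings.xml.rels.
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def external_templates(docx_bytes: bytes) -> list:
    """Return http(s) URLs of attached-template relationships that point outside the document.

    A local template such as Normal.dotm (or a file:/// path) is normal; a template
    fetched over HTTP is the pattern used for credential-prompt phishing documents.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Match single <Relationship .../> elements, not the <Relationships> wrapper.
            for rel in re.findall(r"<Relationship\b[^>]*/?>", xml):
                attrs = dict(re.findall(r'(\w+)="([^"]*)"', rel))
                target = attrs.get("Target", "")
                if (attrs.get("Type") == TEMPLATE_REL
                        and attrs.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    found.append(target)
    return found


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal docx-shaped zip with the given settings.xml.rels (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: a benign local template and a remote one (hypothetical host).
BENIGN = build_docx('<Relationships><Relationship Id="rId1" Type="%s" '
                    'Target="Normal.dotm"/></Relationships>' % TEMPLATE_REL)
SUSPICIOUS = build_docx('<Relationships><Relationship Id="rId1" Type="%s" '
                        'Target="https://example.invalid/t.dotx" TargetMode="External"/>'
                        '</Relationships>' % TEMPLATE_REL)
```

Feed real attachments to external_templates() from a mail gateway or sandbox hook and quarantine any document that returns a non-empty list.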
Implement baseline protection and adapt to threats
In 2017, at a time when no week passes without major security incidents, it is negligent not to secure networks with multi-factor authentication – whether via SMS, card readers, or device certificates. If credentials can no longer be captured remotely using a keylogger, attacks become much more difficult. For virtual private networks, multi-factor authentication (2FA or MFA) is now accepted as a standard security measure by employees once they have been made aware of the reasons for this measure and the potential risks. This leads to the next major task: only if employees are made aware that they are being targeted by cybercriminals can they be expected to behave accordingly. Although employees understand that they are dealing with critical systems, they often do not feel personally affected by security concerns. As long as nothing serious happens, many are lulled into a false sense of security and do not appreciate the constant presence of threats and their potential consequences. The IT department and management must communicate to employees the importance of handling threats correctly. In addition to technical security measures such as multi-factor authentication, training and awareness campaigns can also help employees recognize and report risks.