Last month, we updated our article on the Dragonfly malware to announce the research results by Joel Langill of RedHat Cyber, a leading independent ICS security expert. Joel's research showed that the Dragonfly campaign focused on pharmaceutical targets, rather than energy sector targets, as had been previously reported.
Today, we are releasing Part B of our white paper on Dragonfly called, "Analyzing the Malware." In it, Joel reports on the detailed analysis he made of the campaign's attack vectors, the malware itself, the Trojanized software content it created, and its command-and-control (C2) infrastructure.
If you are not aware of Dragonfly, you can read my earlier article, which provides an overview. Or, be aware that the reason we are focusing on it is because it was the first advanced malware since Stuxnet to have payloads that target ICS components.
In addition, Dragonfly was a technically accomplished and strategically executed campaign that signals a new era of threat – that of Offense in Depth.
The Dragonfly malware campaign used Offense in Depth tactics
to target pharmaceutical companies.
Industrial Cyber Security’s New Reality: Offense in Depth
The Dragonfly campaign consisted of a diversified arsenal of attack vectors, described below. Table 1: Dragonfly used multiple attack vendors as part of its Offense in Depth program. (Click here for larger image)
In addition, the Dragonfly offensive included numerous C2 websites that were used to deliver updated software modules to infected computers.
These payload modules carried out activities, such as:
- Collecting basic information on the infected system and its configuration
- Collecting ICS-related configuration files and VPN configuration files (including passwords)
- Itemizing all Windows hosts on local area networks
- Querying Windows hosts and PLCs for OPC-related services
- Attempting to create new OPC instances
- Listening for communications on TCP service ports commonly associated with industrial protocols
Does Your Risk Assessment Include These Threat Sources?
Dragonfly used an ingenious assortment of pathways to the control system. For example, the Trojanized software download attacks showed how trusted supply chain vendors can be used to deliver malicious payloads directly to difficult to reach endpoints, such as ICS equipment.
Interestingly, the Trojanized supplier software was installable by users with non-administrative accounts even though the legitimate software was blocked. Thus, even computers that have been "hardened" with secure local policies can be infected.
Finally, another remarkable aspect of Dragonfly was that its payloads gained permanent installation on engineering laptops and then recorded reconnaissance results from isolated ICS systems for later transmission to the C2 servers when the laptop was moved. Thus, mobile devices that are allowed to move from isolated ICS networks to less secure office networks, can relay information about the secure system to the attackers via the Internet.
Dragonfly used multiple pathways to get to control systems, such as supplier software, engineering laptops and Windows XP computers.
Evidence of Windows XP End of Service Risk
Over the last few months, we have written several articles about the risk to mission critical systems because of the End of Service (EOS) of Windows XP. The Dragonfly campaign provides evidence of this risk as the malware only targeted the 32-bit versions of supplier software downloads even though other versions were available.
This underscores the need for industry to take action now to secure core ICS, especially SIS systems, through up-to-date Defense in Depth best practices and industrially focused security technologies.
For more information on dealing with Windows XP EOS risk, see our white paper, "Windows XP End of Service – Practical Options for Industrial Applications."
Eric Byres Weighs in on the Dragonfly Malware
After reviewing the information presented in "Part B – Analyzing the Malware," Eric Byres commented:
"The combination of Dragonfly's Offense in Depth strategy and the fact that it circumvented traditional desktop security controls highlights the urgent need for matching Defense in Depth security on the plant floor. Not only do we need to defend the ICS devices, but industry also needs to consider better defenses for the ICS network.
For example, monitoring unauthorized HTTP traffic coming out of an ICS system would have been a very effective defense against this malware. Most ICS systems should not be communicating to Web servers on the Internet, especially ones with URLs like 'sinfulcelebs.freesexycomics.com.'
The fact that the Dragonfly campaign ran for almost a year without detection shows that the monitoring and control of ICS traffic (especially outbound traffic) is still unacceptably poor in many industries."
What are your thoughts on Dragonfly's Offense in Depth techniques? Will it affect your risk assessments? I look forward to hearing from you.
Today we released part two of a four-part series of white papers, "Defending Against the Dragonfly Cyber Security Attacks." The four parts are:
Once you download any part of this series you will receive email notification when the other parts are available.
To check on the status of the white papers, visit "Defending Against the Dragonfly Cyber Security Attacks."
- Blog: How Dragonfly Hackers and RAT Malware Threaten ICS Security
- Press release: Belden Research Reveals Dragonfly Malware Likely Targets Pharmaceutical Companies
- Dragonfly white paper status page: Dragonfly Industrial Cyber Security Updates
- US-CERT Vulnerability Summaries for Dragonfly:
- Securelist.com (Kaspersky Lab) Webpage: Energetic Bear: More Like a Crouching Yeti
Note: this page links to the Kaspersky Lab report on Dragonfly.
- Symantec Webpage: Dragonfly: Western Energy Companies Under Sabotage Threat
- Security Matters White Paper: Cyberespionage Campaign Hits Energy Companies
Windows XP End of Service Cyber Security Risk: