Dragonfly: Energy Companies Under Sabotage Threat Symantec Security Response



Similar documents
AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

Secure Your Mobile Workplace

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

Analysis One Code Desc. Transaction Amount. Fiscal Period

Case 2:08-cv ABC-E Document 1-4 Filed 04/15/2008 Page 1 of 138. Exhibit 8

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Enhanced Vessel Traffic Management System Booking Slots Available and Vessels Booked per Day From 12-JAN-2016 To 30-JUN-2017

Current counter-measures and responses by CERTs

A!Team!Cymru!EIS!Report:!Growing!Exploitation!of!Small! OfCice!Routers!Creating!Serious!Risks!

Using big data analytics to identify malicious content: a case study on spam s

PHISHING IN SEASON TAX TIME MALWARE, PHISHING AND FRAUD


Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Consumer ID Theft Total Costs

Ashley Institute of Training Schedule of VET Tuition Fees 2015

ACCOUNT TAKEOVER TO IDENTITY TAKEOVER

CENTERPOINT ENERGY TEXARKANA SERVICE AREA GAS SUPPLY RATE (GSR) JULY Small Commercial Service (SCS-1) GSR

1. Introduction. 2. User Instructions. 2.1 Set-up

Deep Security Vulnerability Protection Summary

Seven Strategies to Defend ICSs

BUGAT TROJAN JOINS THE MOBILE REVOLUTION

Security A to Z the most important terms

When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher

CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS

IBM Security Systems Trends and IBM Framework

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

Trend Micro Incorporated Research Paper Adding Android and Mac OS X Malware to the APT Toolbox

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

The Nitro Attacks. Security Response. Stealing Secrets from the Chemical Industry. Introduction. Targets. Eric Chien and Gavin O Gorman

INDUSTRY OVERVIEW: RETAIL

Computing & Telecommunications Services Monthly Report March 2015

You ll learn about our roadmap across the Symantec and gateway security offerings.

Cisco 4Q11. Global Threat Report

2015 Settlement Calendar for ASX Cash Market Products ¹ Published by ASX Settlement Pty Limited A.B.N

End to End Security do Endpoint ao Datacenter

Better Together: Microsoft Office 365 & Symantec Office 365

INDUSTRY OVERVIEW: FINANCIAL

CAFIS REPORT

Data Center security trends

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

2015 Media Pack Delivering the latest contact centre and customer service community news and insight

Employers Compliance with the Health Insurance Act Annual Report 2015

Stock Market Indicators: Historical Monthly & Annual Returns

Stanford Computer Security Lab. TrackBack Spam: Abuse and Prevention. Elie Bursztein, Peifung E. Lam, John C. Mitchell Stanford University

Types of cyber-attacks. And how to prevent them

Advanced Persistent Threats

Social Intelligence Report ADOBE DIGITAL INDEX Q4 2013

Unified Security, ATP and more

Overview. Introduction. Conclusions WINE TRIAGE. Zero day analysis. Symantec Research Labs (SRL)

Protecting against cyber threats and security breaches

43% Figure 1: Targeted Attack Campaign Diagram

Deep Security/Intrusion Defense Firewall - IDS/IPS Coverage Statistics and Comparison

Resource Management Spreadsheet Capabilities. Stuart Dixon Resource Manager

Symantec Managed Security Services The Power To Protect

Vulnerability Assessment & Compliance

Deep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison

BCOE Payroll Calendar. Monday Tuesday Wednesday Thursday Friday Jun Jul Full Force Calc

Advanced Persistent Threats

Web. Paul Pajares and Max Goncharov. Connection. Edition. ios platform are also at risk, as. numbers via browser-based social.

Effectively Managing Data Breaches

Operation Liberpy : Keyloggers and information theft in Latin America

Anti-exploit tools: The next wave of enterprise security

Proposal to Reduce Opening Hours at the Revenues & Benefits Coventry Call Centre

Almost 400 million people 1 fall victim to cybercrime every year.

Detailed guidance for employers

Mobile Protection. Driving Productivity Without Compromising Protection. Brian Duckering. Mobile Trend Marketing

Streamlining Web and Security

Are you prepared to make the decisions that matter most? Decision making in healthcare

AgriLife Information Technology IT General Session January 2010

P/T 2B: 2 nd Half of Term (8 weeks) Start: 25-AUG-2014 End: 19-OCT-2014 Start: 20-OCT-2014 End: 14-DEC-2014

UP L13: Leveraging the full protection of SEP 12.1.x

P/T 2B: 2 nd Half of Term (8 weeks) Start: 26-AUG-2013 End: 20-OCT-2013 Start: 21-OCT-2013 End: 15-DEC-2013

Under the Hood of the IBM Threat Protection System

Accident & Emergency Department Clinical Quality Indicators

Context Threat Intelligence

P/T 2B: 2 nd Half of Term (8 weeks) Start: 24-AUG-2015 End: 18-OCT-2015 Start: 19-OCT-2015 End: 13-DEC-2015

W I S C O N S I N R E A L T O R S A S S O C I A T I O N Media Kit

Zscaler Cloud Web Gateway Test

Incident Response. Proactive Incident Management. Sean Curran Director

Transcription:

Dragonfly: Energy Companies Under Sabotage Threat Symantec Security Response Dragonfly: Western Energy Companies Under Sabotage Threat 1

What is Dragonfly? Ongoing cyberespionage campaign Targeting the energy sector in Europe and US Stealing information Capable of sabotage Dragonfly: Western Energy Companies Under Sabotage Threat 2

Targets Electricity infrastructure Electricity generation Industrial equipment providers Petroleum pipeline operators Dragonfly: Western Energy Companies Under Sabotage Threat 3

Target Locations Dragonfly: Western Energy Companies Under Sabotage Threat 4

The Dragonfly group In operation since at least 2011 Initially targeted defense and aviation companies in the US and Canada Shifted focus to US and European energy firms in early 2013 Priorities appear to be: Persistent access to targets Information stealing Sabotage Has the hallmarks of state sponsored operation Appear to be operating in the UTC +4 time zone Dragonfly: Western Energy Companies Under Sabotage Threat 5

Dragonfly employs three attack vectors Spam emails Watering hole attacks Compromising third party software Dragonfly: Western Energy Companies Under Sabotage Threat 6

Spam campaign Generic spam emails sent to senior employees and engineers Began in February 2013 and continued into June 2013 Emails bore one of two subject lines: The account or Settlement of delivery problem. Email disguised malware as PDF attachment Dragonfly: Western Energy Companies Under Sabotage Threat 7

Watering hole attacks Group compromised legitimate websites related to energy sector Began in May 2013 and continued into April 2014 Attacks redirected website visitors to other compromised legitimate websites hosting Lightsout Exploit Kit These sites dropped malware on to the victim s computer. Dragonfly: Western Energy Companies Under Sabotage Threat 8

Compromising third party software Three ICS equipment providers targeted Malware inserted into the software bundles they had made available for download on their websites Victims inadvertently downloaded Trojanized software when applying software updates By targeting suppliers, attackers found soft underbelly that provided a path into bigger companies Dragonfly: Western Energy Companies Under Sabotage Threat 9

Timeline of recent attacks June 2013 - July 2013 Company A Compromised and software trojanized May 13 - Apr 14 Watering-hole Attack Multiple energy related web sites compromised redirecting users to LOEK 16 Apr, 2014-30 Apr, 2014 Company C compromised Software Trojanized Feb 13 Mar 13 Apr 13 May 13 Jun 13 Jul 13 Aug 13 Sep 13 Oct 13 Nov 13 Dec 13 Jan 14 Feb 14 Mar 14 Apr 14 May 14 Jun 14 Jul 14 Aug 14 1 January, 2013 31 August, 2014 February 11, 2013 - June 19, 2013 Spam campaign September 1, 2013 DF group start using Hello EK (Lightsout v2) January 20, 2014 - January 30, 2014 Company B compromised and software trojanized 250 unique downloads Dragonfly: Western Energy Companies Under Sabotage Threat 10

Tools: Backdoor.Oldrea Remote access tool (RAT) type malware Custom malware, either written by the group itself or created for it Favoured tool: used in majority of attacks Acts as back door for attackers allowing them to extract data and install further malware Also known as Havex Dragonfly: Western Energy Companies Under Sabotage Threat 11

Tools: Trojan.Karagany Was available on the underground market. Source code leaked in 2010 Dragonfly appear to have modified it for its own use Capable of uploading stolen data, downloading new files and running executable files Can run plugins, for collecting passwords, taking screenshots, and cataloging documents on infected computers. Dragonfly: Western Energy Companies Under Sabotage Threat 12

Protection Symantec customers are protected from malware variants mentioned in this report. Detections are made by Symantec products using antivirus, Insight and behavioral technologies such as SONAR Symantec customers are protected from any attack using the exploits mentioned in this report when using Symantec products containing network threat protection/ips technologies Details on Symantec s protection technologies can be found here: http://www.symantec.com/page.jsp?id=star Dragonfly: Western Energy Companies Under Sabotage Threat 13

Summary Dragonfly is an ongoing threat Currently targeting energy sector in Europe and US Other sectors not immune, may be used as stepping stone Attacker capabilities persistent access to networks Information stealing Sabotage Well resourced with a range of technical capabilities Likely to be state-sponsored Presentation Identifier Goes Here 14

More Resources Blog http://www.symantec.com/connect/symantec-blogs/sr Twitter http://twitter.com/threatintel Whitepapers http://www.symantec.com/security_response/whitepaper s.jsp Dragonfly: Western Energy Companies Under Sabotage Threat 15

Thank you! Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Dragonfly: Western Energy Companies Under Sabotage Threat 16