惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 三生石上(FineUI控件)
Martin Fowler
Martin Fowler
月光博客
月光博客
AI
AI
B
Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
GbyAI
GbyAI
L
Lohrmann on Cybersecurity
O
OpenAI News
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
L
LINUX DO - 最新话题
人人都是产品经理
人人都是产品经理
S
Security Affairs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
Arctic Wolf
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
C
Check Point Blog
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Vercel News
Vercel News
The Hacker News
The Hacker News
Y
Y Combinator Blog
Latest news
Latest news
SecWiki News
SecWiki News
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
博客园_首页
H
Hackread – Cybersecurity News, Data Breaches, AI and More
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题

stuxnet Archives - Security Affairs

Fast16: Pre-Stuxnet malware that targeted precision engineering software The role of a secret Dutch mole in the US-Israeli Stuxnet attack on Iran Iran hit by a more aggressive and sophisticated Stuxnet version Microsoft Attempts To Fix Stuxnet For The Third Time The Stuxnet vulnerability is still one of the most exploited flaws in the wild by hackers The alleged link between the Shadow Brokers data leak and the Stuxnet cyber weapon Malware posing as Siemens PLC application is targeting ICS worldwide SCADA Sssh! Don’t Talk, Filter it Shocking, a German nuclear plant suffered a disruptive cyber attack A malware was found in Iran petrochemical complexes, but it’s not linked to recent incidents
Dragonfly 2.0: the sophisticated attack group is back with destructive purposes
Pierluigi Paganini · 2017-09-07 · via stuxnet Archives - Security Affairs

Pierluigi Paganini September 07, 2017

While the first Dragonfly campaigns appear to have been a more reconnaissance phase, the Dragonfly 2.0 campaign seems to have destructive purposes.

Symantec has spotted a new wave of cyber attacks against firms in the energy sector powered by the notorious Dragonfly group.

The Dragonfly group, also known as Energetic Bear, has been active since at least 2011 when it targeted defense and aviation companies in the US and Canada.  Only in a second phase Dragonfly has focused its effort on US and European energy firms in early 2013.

In 2014, security experts at Symantec uncovered a new campaign targeting organizations located in the US, Italy, France, Spain, Germany, Turkey, and Poland.

Dragonfly gang conducted a cyber espionage campaign against energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.

According to the JAR report published by the US Department of Homeland Security, Dragonfly was Russian APT actor linked to the Government.

The infamous group remained under the radar since December 2015, but now the researchers pointed out Dragonfly targeted energy companies in Europe and the US.

This time the attackers aimed to control or even sabotage operational systems at energy facilities.

“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” reads the report published by Symantec.

According to Symantec, the Dragonfly 2.0 campaign begun in late 2015, threat actors used same TTPs of previous campaigns.

“The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations. The group behind these attacks is known as Dragonfly.” reads the analysis published by Symantec.”The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014. This “Dragonfly 2.0” campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group.”

Researchers discovered many similarities between earlier Dragonfly campaigns and recent attacks.

The energy sector has become a privileged target for state-sponsored hackers over the last two years, let’s think for example of power outages caused in Ukraine in 2015 and 2016 that were attributed to Russian APT groups.

Symantec believes the group is very advanced, it operates to make hard the attribution of the attacks. Below some of the tactics employed by the hackers:

  • The attackers used more generally available malware and “living off the land” tools, such as administration tools like PowerShell, PsExec, and Bitsadmin, which may be part of a strategy to make attribution more difficult. The Phishery toolkit became available on Github in 2016, and a tool used by the group—Screenutil—also appears to use some code from CodeProject.
  • The attackers also did not use any zero days. As with the group’s use of publicly available tools, this could be an attempt to deliberately thwart attribution, or it could indicate a lack of resources.
  • Some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.

The experts noticed most attacker activity in organizations in the US, Turkey, and Switzerland.

dragonfly 2

Phishing emails spotted by Symantec were created with the Phishery toolkit in the attempt to steal victims’ credentials via a template injection attack.

The attackers also used watering hole attacks to harvest network credentials, they targeted websites likely to be visited by personnel involved in the energy sector.

Symantec reported that at least in one case, the watering hole attack was used to deliver the Goodor backdoor via PowerShell 11 days later.

“Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks—perhaps by using social engineering to convince a victim they needed to download an update for their Flash player. Shortly after visiting specific URLs, a file named “install_flash_player.exe” was seen on victim computers, followed shortly by the Trojan.Karagany.B backdoor.” continues the analysis.

While the first Dragonfly campaigns appear to have been a more reconnaissance phase, the Dragonfly 2.0 campaign seems to have destructive purposes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

Security Affairs –  (Dragonfly, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]