On Sept. 6, 2017, cybersecurity company Symantec reported an increased effort among cyber attackers to target the energy sector, both in Europe and the United States. The group believed to be behind the most recent intrusions into energy sector systems is known as Dragonfly.
These recent attacks may not yet have resulted in damages or disruption, but the group appears to be positioning itself to learn how the targeted energy facilities operate while attempting to gain access to operational control systems, if they have not done so already. With mounting evidence of preparatory attacks against the energy sector, owners and operators of critical infrastructure cannot solely rely on governments to protect them — even though there is much that governments can and must do. Organizations within the energy sector must be more vigilant than ever if hacking groups like Dragonfly are to be kept out of both IT and industrial control systems.
Dragonfly and Its Tactics
There are indications that Dragonfly is the work of a nation-state actor, one engaged in what the military would call “operational preparation of the environment” — operations taken in advance of a potential attack.
The hacking organization was first spotted in 2014, and appears to be rearing its head again. At first glance, the group appeared to be hacking indiscriminately, but on closer examination, Symantec has concluded that the group was specifically targeting organizations in the energy sector. In addition, security firm FireEye identified four breaches in 2014, potentially giving Dragonfly access to targets such as power grid systems and manufacturing plants.
After an apparent two-year hiatus of sorts, Dragonfly appears ready for round two. Symantec has been able to track the group's activity to organizations in the U.S., Turkey and Switzerland.
The malware tools used by the hacking group are diverse and customized, and certain of them are unavailable for purchase, even on the black market. The methods it uses to successfully deposit the malware on targeted systems are also wide-ranging. Malicious spear-phishing email campaigns appear to be Dragonfly's weapon of choice. One such campaign used an invitation to a New Year's Eve party targeted at energy sector employees; another included highly specific content related to the energy sector in an attempt to goad the employees into opening the attached malicious document; and a third campaign tried to rope in employees by addressing general business concerns.
In addition to phishing campaigns, the group used “watering hole” techniques, infecting the websites that employees working in the energy sector would visit, which would, in turn, infect the employees' workstations in an attempt to harvest network credentials. Those credentials were then used in follow-up attacks, granting Dragonfly additional access. The group didn't stop there, however. It also created trojanized, or infected, versions of standard Microsoft Windows applications that, when installed, provided Dragonfly with backdoor access into workstations or servers. Dragonfly also administered fake notifications that attempted to trick employees into installing malware by claiming that a particular program or web plugin, like Adobe Flash, was out of date.
These attacks often gave Dragonfly access to IT systems, but the line between IT and control systems is becoming increasingly less distinct with growing reliance on advanced technologies. To enhance process efficiency, productivity, safety and regulatory compliance, IT systems now tend to directly interface with their control system counterparts, rendering many previously “air-gapped” systems vulnerable.
The Risks
One need not have a wild imagination to predict what this group and others like it could be capable of if they decided to transition from preparatory attacks to disruptive or destructive attacks. In fact, one needs no imagination at all, as the world has already seen attacks on the energy sector.
For example, in August 2012, Saudi Aramco, one of the world's largest oil companies, suffered an attack that infected over 30,000 workstations. The devastation to IT systems was so severe that the company, likely worth over 1 trillion dollars, was forced to resort to typewriters and fax machines to conduct business. It took over five months to restore service. In December 2015, hackers in Ukraine took down substations and backup power supplies, cutting off power to over 230,000 Ukrainian residents. Fortunately, the breakers attacked by the hackers had a manual override function, limiting the damage. Security experts have noted, however, that the attack was planned and thought through. In other words, the attack on this system did not occur by sheer happenstance. Sixteen of the substations attacked were rendered completely unresponsive to remote input, requiring manual control to keep the power running.
Unfortunately, power grids in other countries, like the U.S. and the United Kingdom, may not have as many manual backup systems. An attack like the one executed in Ukraine could be far more damaging if undertaken against more modern systems, which may lack manual fail-safes. Millions could be at risk of losing power and there is no telling how long such virtual damage would take to repair. A foreign government could use methods like this to cripple an adversary, or a private group could use its access to hold a government for ransom. Plus, there is always the potential for a bad actor to merely inflict damage with no ulterior motive.
Furthermore, a direct attack on a power station or energy sector-based organization itself is only one way to infiltrate IT and operational control systems. A group like Dragonfly is also capable of attacking the supply chain, choking off access to core components required to meet energy needs. Subcontractors, used often by energy companies, provide an additional point of entry. Poor security on behalf of subcontractors or other third parties, coupled with broad access granted by the contracting party, can be the equivalent of locking the front door and windows, only to leave the back door to a home wide open before departing for a weeks-long vacation.
What to Do
This is not to say that a crippling attack against the energy sector is easy. The likelihood of a successful cyberattack depends on an attacker's ability to defeat a number of factors, including utility access controls, intrusion detection capabilities, personnel awareness and back-up measures. The decentralized nature of critical infrastructure in the U.S. and Europe, while providing many attack vectors, also means that a truly systemic attack would require large-scale coordination. As the Idaho National Laboratory assessed in 2016, to “impact a large portion of the power grid, an attacker would likely need to gain access to and compromise multiple generation or transmission facilities simultaneously, target utility control centers, or gain entry to a system providing widespread access.”
But it is possible, and determined actors, especially nation-states, have the capability to do serious damage. As the former U.S. Director of National Intelligence stated before the U.S. House Permanent Select Committee on Intelligence in 2015: “Politically motivated cyber attacks are now a growing reality, and foreign actors are reconnoitering and developing access to U.S. critical infrastructure systems, which might be quickly exploited for disruption if an adversary's intent became hostile.”
Ultimately, therefore, protecting a nation's energy systems requires that both governments and the private sector step up their efforts to avoid a cybersecurity calamity.
As stated in the recent NAIC Critical Infrastructure report, governments must strengthen their policy on infrastructure resilience in the face of a cyber attack by better assisting owners and operators to scan and sanitize their systems of any existing malware; encouraging growth of cybersecurity expertise; heightening deterrence against criminal and nation-state hackers; enhancing actionable information sharing (including of classified intelligence); and further assisting even the smallest operations to make cyber improvements.
At the same time, the private sector should strongly consider improving its cybersecurity strategies. In the U.S., the North American Electric Reliability Corporation (NERC) is currently the only regulatory body with mandatory standards, though they are compulsory only for designated Bulk Electricity Suppliers. Over and above NERC, which other energy suppliers largely look to for guidance, there are a number of resources available and steps that private entities can take.
For example, the National Institute of Standards and Technology (NIST) released its “Framework for Improving Critical Infrastructure Cybersecurity,” which delineates risk-based methodologies and best practices for improving critical infrastructure cyber defenses.
The U.S. Department of Homeland Security publishes recommendations as well, including its “Seven Steps to Effectively Defend Industrial Control Systems.” In Europe, the European Parliament adopted the Directive on Security of Network and Information Systems (NIS Directive) on July 6, 2016. This directive sets out risk management and reporting obligations for infrastructure providers. Unlike most U.S. Government issued guidance, the European directive requires that infrastructure providers in Europe take action under certain circumstances.
While these guides and directives are very helpful, cybersecurity should never be thought of as a check-the-box endeavor, but rather as an ongoing process of assessment, anticipation, mitigation and remediation.
One area that every owner and operator should carefully examine is whether any touchpoints exist between IT systems and industrial control systems, and, if so, whether to separate them or how otherwise to manage the risk of cross-infection. Additionally, owners and operators should consider a layered defense approach, with multiple controls. As Symantec suggests, organizations should “[e]mphasize multiple, overlapping, and mutually supportive defensive systems to guard against single point failures in any specific technology or protection method.” Another area to explore is whether manual backup or override controls already exist and are functional, or perhaps should be installed, which can be quite helpful during a cyberattack, as we have seen in Ukraine. Actively engaging in information sharing with governments and among owners and providers can also prove worthwhile.
Conclusion
Ultimately, the notion of a widespread attack on the energy sector may be hard to fathom, but it is something we must anticipate, better prepare for, and work to prevent. It is important that governments, organizations, and private companies all address this threat head-on with a sense of urgency. Although it is impossible to completely mitigate threats, proper training, built-in redundancies, and sound, risk-based planning will help to reduce the threat of a crippling attack on our energy infrastructure, and allow those affected to bounce back more quickly from any that do occur.
*****
Michael Bahar is the U.S. lead of the global Cybersecurity and Privacy team at Eversheds Sutherland. He previously served as staff director and general counsel to the minority staff of the U.S. House of Representatives Permanent Select Committee on Intelligence and as deputy legal adviser to the National Security Council under President Obama. Trevor Satnick is a data privacy and security consultant at Eversheds Sutherland (US) in New York. Mark Thibodeaux is Deputy Leader of the Eversheds Sutherland (US) Cybersecurity and Privacy team and is a commercial litigator. The authors would like to acknowledge the contributions of Craig Rogers, colleague at Eversheds Sutherland, in the preparation of this article.