Dragonfly: Western Energy Companies Under Sabotage Threat
July 1st 2014
European energy organisations are being targeted by Dragonfly, a cyber-espionage group that has the capability to disrupt energy supplies.
What is Dragonfly?
Dragonfly is the name Symantec is using for a cyber-espionage group that has infiltrated a number of energy sector organisations within Europe. The group is also known as Energetic Bear.
Dragonfly has used three main attack methods and installs malware that allows it to access and control infected computers. Dragonfly appears interested in espionage at this stage; however, because it compromises Industrial Control Systems, it has the capability to mount sabotage operations that could disrupt energy supplies across Europe.
Get Protected from Dragonfly
If you are an IT Force customer currently subscribed to our Symantec.cloud Endpoint Protection antivirus service then you are already protected against Dragonfly.
If you are not an IT Force customer and you are not using this antivirus service then you should follow the steps below.
- Make sure your security software is updated to the latest version
- Run regular full scans of your computers and backup your files
- Be vigilant and use the Security Best Practices as outlined by Symantec
- Use the free Norton Power Eraser tool to detect and clean up Dragonfly’s malware
Background to Dragonfly
Dragonfly appears to have been in operation since at least 2011 and may have been active even longer than that. It initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.
The campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.