How Does Dragonfly Affect SCADA Systems?
Dragonfly is an APT (Advanced Persistent Threat) that has infected more than 2,470 victims from different sectors by carrying out in-depth attacks.
Initially, Dragonfly targeted facilities in the electric sector, but it has recently been discovered that the pharmaceutical, food and beverage, and water sectors are also targeted by this malware.
To carry out its objectives, which include compromising equipment, obtaining passwords and information, degrading system performance, gaining access through back doors, facilitating unauthorized writes to equipment in IT and OT environments, and carrying out denial-of-service attacks, it used three RATs (Remote Access Toolkits):
- HAVEX (also called Backdoor.Oldrea or Energetic Bear RAT)
- Karagany
- Sysmain
In all three cases, the objective of the RAT was to persist on the target (the infected PC), usually through a Trojan, and to communicate with the C2 (Command & Control) server in order to update and execute additional modules (payloads).
Dragonfly used three attack vectors:
- Spear-phishing email actions
- Watering hole attacks (based on clickjacking)
- Infection through Trojans downloaded from ICS vendor websites
Regarding email spear-phishing, the attack consisted of sending emails to managers of 7 companies in the electricity sector with an Adobe XML Data Package (XDP) file attached. The subject of the email was “The account” and/or “Settlement of delivery problem”. The XDP file used by Dragonfly exploited the CVE-2011-0611 vulnerability in PDF/SWF handling, allowing the Havex PE-DLL library to be decrypted, installed, and executed.
The watering hole attacks relied on clickjacking: hidden iframes placed in trusted web sites redirected visitors to malicious sites. The trusted sites were built on content management systems such as WordPress, Drupal, or Joomla. The malicious sites hosted Java and HTML code that exploited the Java vulnerabilities CVE-2012-1723 and CVE-2013-2465 and the Internet Explorer vulnerabilities CVE-2012-4792 and CVE-2013-1347, which allowed HAVEX to be installed on the PCs of visitors to these pages.
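A defender-side check for the injection pattern described above: an added example, not code from the original article or from any vendor named in it. It parses a page with Python's standard-library HTML parser and flags iframes that are both hidden (zero-size or CSS-hidden) and point to a host other than the site's own; the sample HTML and host names are constructed for illustration.

```python
"""Added example: flag hidden iframes that point off-site, the injection
pattern used on compromised CMS sites in the watering-hole stage."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline style fragments that make an iframe invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)


class IframeAuditor(HTMLParser):
    """Collect every <iframe> that is hidden and whose src is external."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).netloc.lower()
        external = bool(host) and host != self.site_host
        # A 0px/1px dimension or a hiding style both count as "hidden".
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if external and hidden:
            self.findings.append(src)


def audit_page(html, site_host):
    """Return the src values of suspicious iframes found in html."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one benign embed, two injected hidden frames,
# and one hidden frame that stays on-site (not flagged).
SAMPLE = """
<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://exploit.example/landing.php" width="0" height="0"></iframe>
<iframe src="http://evil.example/j.html" style="display:none"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in audit_page(SAMPLE, "compromised-cms.example"):
        print("hidden external iframe:", src)
```

Running the script over a crawled copy of each CMS page gives a quick triage list; a hit is a lead to inspect the page source and theme/plugin files, not proof of compromise on its own.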
Finally, the web pages of the companies Mesa Imaging (a supplier of cameras used for vision-guided vehicles in industrial environments), eWon and MB Connect (suppliers of remote-access and remote-maintenance solutions for industrial environments) were compromised, so that users downloaded software that was in principle not malicious (mainly drivers) but which contained different types of Trojans.
If you want to know more, we recommend that you attend our webinar.