The United States Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has urged critical infrastructure firms to check their networks following the news about the Dragonfly attacks.
Dragonfly, also known as Energetic Bear, is capable of Stuxnet-level damage and could theoretically cause physical damage to industrial control systems (ICS) and sabotage power plants, reports V3. ICS-CERT has issued guidance that urges firms involved in critical infrastructure to “check their network logs for activity associated with this campaign”. It said: “Any organisation experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes.”
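The two actions ICS-CERT asks for, searching network logs for campaign-related activity and preserving whatever is found for later forensic use, can be combined in one small script. The following is an added example written for this page, not ICS-CERT's or any vendor's tooling. The indicator values, the proxy log format and the sample log lines are all constructed placeholders; real indicators must be taken from the ICS-CERT advisory itself.

```python
"""Search proxy logs for indicator matches and preserve hits as hashed evidence.

Added illustrative example. Every indicator below is a PLACEHOLDER (RFC 5737
addresses, reserved .example names); none of them is a Dragonfly/Energetic Bear
indicator. Substitute the values published by ICS-CERT before using this on
real logs.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from pathlib import Path

# Placeholder indicators (constructed for this example).
INDICATORS = {
    "domains": {"indicator-c2.example", "update.indicator.example"},
    "ips": {"192.0.2.10", "198.51.100.77"},
    "uri_substrings": {"/indicator-path/beacon.php?"},
}

# Constructed sample proxy log, one request per line:
# <timestamp> <client_ip> <method> <url> <http_status>
SAMPLE_LOG = """\
2014-07-01T10:15:02Z 10.1.5.23 GET http://vendor.example/firmware.zip 200
2014-07-01T10:15:09Z 10.1.5.23 POST http://indicator-c2.example/indicator-path/beacon.php?id=1 200
2014-07-01T10:16:44Z 10.1.5.40 GET http://198.51.100.77/update.php 404
2014-07-01T10:17:01Z 10.1.5.11 GET http://intranet.example/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)")


def classify(line):
    """Return the indicator labels a single log line matches ([] if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than crash the sweep
    url = m.group("url")
    host_m = HOST_RE.match(url)
    host = host_m.group("host") if host_m else ""
    hits = []
    if host in INDICATORS["domains"]:
        hits.append(f"domain:{host}")
    if host in INDICATORS["ips"]:
        hits.append(f"ip:{host}")
    for fragment in sorted(INDICATORS["uri_substrings"]):
        if fragment in url:
            hits.append(f"uri:{fragment}")
    return hits


def search_log(text):
    """Return one finding per matching line, keeping the raw line intact."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = classify(line)
        if hits:
            findings.append({"line_no": line_no, "line": line, "hits": hits})
    return findings


def preserve(findings, out_path):
    """Write findings to a JSON evidence file and return its SHA-256.

    Recording the hash at collection time lets the file later be shown to be
    unaltered, which is what forensic or law-enforcement use requires.
    """
    record = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "findings": findings,
    }
    data = json.dumps(record, indent=2, sort_keys=True).encode()
    Path(out_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    found = search_log(SAMPLE_LOG)
    for f in found:
        print(f["line_no"], f["hits"], f["line"])
    print("evidence sha256:", preserve(found, "evidence.json"))
```

On the constructed log the sweep flags the second line (domain and URI fragment) and the third line (IP address) and leaves the two benign requests alone; the evidence file keeps the raw lines rather than a summary so nothing is lost before analysts look at it.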
The Dragonfly campaign was originally uncovered by researchers at security firm CrowdStrike in January. The original attacks were espionage focused and targeted businesses operating in the US, Japan, Poland, Greece, Romania, Spain, France, Turkey, China and Germany.
The first attacks used a combination of two malware tools. The first, Oldrea, sets up a back door on the victim machine that lets the attackers extract data and install more malware.
The second, Karagany, is off-the-shelf malware whose source code was leaked in 2010. Karagany lets the attackers upload stolen data, download new files, and run executable files on an infected computer.