July 7, 2014

Dragonfly's Attacks Against Energy Suppliers - Are You Protected?

Carl Leonard, Principal Security Analyst

Dragonfly, a group of attackers making headlines recently, has been conducting a malicious campaign targeting the energy sector and industrial control systems (ICS). While the attack vectors in use are common, the group's compromise of update sites for these industries sets them apart.

The various methods of infection employed by this group included:

  • PDF attachments via email
  • The use of the Hello exploit kit, an obfuscated variant of the Lightsout exploit kit
  • Compromise and bundling of malware with ICS and energy sector update sites (a technique known as waterholing)
  • Compromises of content management systems for call home activity

Websense® ThreatSeeker® Intelligence Cloud offered proactive protection from this specific threat. Exploit content was identified based on specific traits, which included the use of JavaScript obfuscation, attempts to identify the operating system, and code execution attempts via an Internet Explorer vulnerability (CVE-2012-4792). Additionally, call home attempts were identified based on the reputation of the hosts involved and the use of structures attributed to such activity.

While the complexity and approach of malicious actors change, the use of exploits targeting plug-ins such as Java continues to be a tried-and-trusted method, as we stated in our 2014 Predictions. Malware authors will continue to strike at the platforms widely adopted by businesses, as organizations struggle to balance business needs and security requirements.

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages detailed below:

  • Stage 2 (Lure) – websites in the body of the lure emails are classified by ACE.
  • Stage 4 (Exploit Kit) – ACE has real-time detection for the malicious code which attempts to deliver exploit content for the Hello exploit kit.
  • Stage 5 (Payload) – ACE has detection for the malicious payloads, Trojans Havex and Karagany.
  • Stage 6 (Call Home) – Communication to the associated C&C server is detected in real-time.

Websense Security Labs will continue to monitor activity by Dragonfly.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...