The United States Department of Homeland Security (DHS) has released an alert regarding a malicious ICS campaign named Dragonfly.
The DHS is referring to Dragonfly as an “advanced persistent threat group” which has “targeted government entities and the energy, water, aviation, nuclear and critical manufacturing sectors.” The focus of the attacks has been industrial control systems, with the ultimate objective being to compromise organisational networks.
How the attacks are carried out
The Dragonfly ICS campaign has two types of victims: staging targets and the actual targets of the attack.
Dragonfly is infiltrating trusted third-party organisations which have lower levels of network security, before using them as a staging platform to infiltrate their intended targets. The aim of this appears to be compromising organisational networks.
The Dragonfly ICS campaign is using several different attacks to obtain login details. These include the following:
- Spear phishing attacks utilising Microsoft Office to fetch documents from remote servers using the Server Message Block (SMB) protocol.
- Spear phishing attacks which lure targets to a website with the aim of them downloading a malicious file.
- Phishing attacks involving the use of fake login pages or Microsoft Word files, as well as watering hole attacks.
The login details gained from these attacks are then used to access targeted networks where multi-factor authentication is not in use, and to set up persistent access.
How to mitigate risk
Experts such as Paul Edon, Director of International Customer Services at Tripwire, are saying this is another piece of compelling evidence for organisations to re-evaluate the security of their industrial control systems, since they are no longer protected by the ‘airgap’ as they once were.
Attacks like these are not new and are unlikely to stop in the foreseeable future. Organisations need to protect themselves against all varieties of cyber attacks in order to avoid potential catastrophe and should take measures to ensure their security.