Symantec has discovered a new hacking campaign against critical infrastructure by a group known as Dragonfly. The group has been active since 2014 and has been collecting information about its targets and their systems. Moreno Carullo, Co-Founder & Chief Technical Officer at Nozomi Networks, commented below.
Moreno Carullo, Co-Founder & Chief Technical Officer at Nozomi Networks:
“Deviating from the 2014 wave of DragonFly threats, which targeted pharmaceutical firms, DragonFly 2.0 appears to have been weaponized to specifically target industrial control systems (ICS) field devices, and then to feed that information back to the command and control server, which will be monitored by the attackers. Rather than installing an infection immediately, this latest iteration of DragonFly bides its time, waiting eleven days before automatically installing a ‘backdoor’. Using this new entrance, the attacker can then install or download applications to infected computers, particularly targeting Windows XP with known vulnerabilities, and even circumventing permission restrictions on user accounts.”
“Our research supports that this version looks to explore ICS networks in depth. This knowledge would give attackers access to operational systems which could potentially be used for disruptive purposes. Organizations in a range of industries that are concerned about DragonFly 2.0 affecting their critical operational systems should apply real-time ICS monitoring and detection that can identify the presence of DragonFly in their operations and take steps to block or remediate it.”