
New Research Reveals Dragonfly Malware Likely Targets Pharmaceutical Companies

According to a new report, the target of the Dragonfly malware campaign was not the energy industry, as was first reported. The implication is that now discrete manufacturers, not just the critical infrastructure industries, need to factor advanced attacks into their cybersecurity risk assessments.


If you think “cybersecurity threats” only mean terrorist attacks on electrical grids or chemical plants, or malicious downtime of “important” operations, think again.

The Stuxnet cybersecurity breach in 2010 may have been the first time users of industrial control systems (ICS) became aware of software hackers and malware affecting their operations. But the fact that Stuxnet was associated with Iran and nuclear enrichment facilities also let many assume that such attacks are only aimed at a country’s energy infrastructure or other potential terrorist targets. Industrial users of ordinary ICS and SCADA systems—small continuous process facilities, or makers of discrete items and batch-processed food, beverages or drugs—didn’t have to worry so much because, rather than being too large to fail, they were too small to notice. Four years later, that is definitely not the case.

New research commissioned by signal transmission product vendor Belden and released September 15 shows that the target of the June 23 “Dragonfly” malware campaign was the pharmaceutical industry, not the energy industry as was first reported. The implication is that now discrete manufacturers, not just the critical infrastructure industries, need to factor advanced attacks into their cybersecurity risk assessments.

“The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities,” said independent ICS security expert Joel Langill of RedHat Cyber.

On June 23, 2014, Finnish security firm F-Secure published a blog article on a new family of malware used in targeted attacks against industry sectors. This was shortly followed (on June 30) by cybersecurity vendor Symantec publishing a whitepaper and blog article disclosing “the Dragonfly threat.” Belden commissioned Langill to research Dragonfly in more depth, and look at how Belden’s products can contribute to defense-in-depth cybersecurity protection.

According to the Belden report, statements derived from the original Symantec report included “conclusions [that] could not be more incorrect. Both the number of infected ICS claimed (hundreds) and the industry where they reportedly were operating (the energy sector) are incorrect,” said Langill.

Eric Byres, CTO of Tofino Security, a Belden Brand, and a world authority on industrial cybersecurity, made these remarks about Dragonfly: “The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft, likely for the purpose of counterfeiting.”

“Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations,” Byres continues. “We know now that Stuxnet and Flame [another identified piece of malware] remained hidden in their target networks for years. By the time worms like these do damage or steal trade secrets, it is too late to defend against them.”

The new report, entitled “Defending Against the Dragonfly Cyber Security Attacks, Part A – Identifying the Targets,” is the first of four from Belden, and investigates the victims, methods and consequences of the Dragonfly cyberattack campaign. The series will close with an analysis of what defenses have proven to be either effective or ineffective against Advanced Persistent Threats (APTs), including Dragonfly. Many of the suggested actions are distinct from current common security practices, says Byres.

Three main factors led Langill to believe that the target of Dragonfly is the intellectual property of pharmaceutical organizations:

  • “Out of thousands of possible ICS suppliers, the three companies targeted for trojanized software were not primary suppliers to energy facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry.”
  • “The Dragonfly attack is very similar in nature to another campaign called Epic Turla, and is likely managed by the same team. Epic Turla has been shown to have targeted the intellectual property of pharmaceutical companies.”
  • “The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceutical rather than the energy industry.”
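For defenders, the port list in the third point is something a plant network can watch for. The following is an added example, not code from the Belden report or this article: it reads constructed flow records and reports hosts that reach those three ports on several devices or across more than one vendor's port. The record format, the addresses, the allowlist and the threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

# TCP ports the article lists for the scanner module, with the vendors it names.
ICS_PORTS = {44818: "Omron/Rockwell Automation", 102: "Siemens", 502: "Schneider Electric"}

# Constructed sample flow records: time, source, destination, dest port, result.
SAMPLE_FLOWS = """\
2014-09-15T08:00:01,10.1.5.20,10.1.9.11,502,established
2014-09-15T08:00:02,10.1.5.20,10.1.9.12,502,established
2014-09-15T08:03:10,10.1.5.77,10.1.9.11,44818,refused
2014-09-15T08:03:10,10.1.5.77,10.1.9.11,102,refused
2014-09-15T08:03:11,10.1.5.77,10.1.9.12,502,established
2014-09-15T08:03:11,10.1.5.77,10.1.9.13,44818,refused
2014-09-15T08:05:40,10.1.5.30,10.1.9.11,502,established
2014-09-15T08:05:41,10.1.5.30,10.1.9.50,443,established
"""

# Assumed allowlist: hosts expected to talk to controllers (HMI, engineering station).
ALLOWED_TALKERS = {"10.1.5.20"}


def find_ics_scanners(flow_text, allowed=ALLOWED_TALKERS, min_targets=3):
    """Return {source: summary} for unexpected hosts sweeping the ICS ports."""
    targets = defaultdict(set)  # source -> {(destination, port)}
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue
        _time, src, dst, port, _result = row
        port = int(port)
        if port in ICS_PORTS and src not in allowed:
            targets[src].add((dst, port))

    findings = {}
    for src, pairs in targets.items():
        hosts = {dst for dst, _ in pairs}
        ports = sorted({port for _, port in pairs})
        # A sweep over many devices, or probes on more than one vendor's port,
        # does not look like a single-purpose controller client.
        if len(hosts) >= min_targets or len(ports) > 1:
            findings[src] = {"hosts": len(hosts), "ports": ports}
    return findings


if __name__ == "__main__":
    for src, info in find_ics_scanners(SAMPLE_FLOWS).items():
        vendors = ", ".join(ICS_PORTS[p] for p in info["ports"])
        print(f"{src}: {info['hosts']} devices probed on ports {info['ports']} ({vendors})")
```
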

Download a full copy of the report from
