New Research Reveals Dragonfly Malware Likely Targets Pharmaceutical Companies

Sept. 22, 2014
According to a new report, the target of the Dragonfly malware campaign was not the energy industry, as was first reported. The implication is that now discrete manufacturers, not just the critical infrastructure industries, need to factor advanced attacks into their cybersecurity risk assessments.

If you think “cybersecurity threats” only mean terrorist attacks on electrical grids or chemical plants, or malicious downtime of “important” operations, think again.

The Stuxnet cybersecurity breach in 2010 may have been the first time users of industrial control systems (ICS) became aware of software hackers and malware affecting their operations. But the fact that Stuxnet was associated with Iran and nuclear enrichment facilities also let many assume that such attacks are only aimed at a country’s energy infrastructure or other potential terrorist targets. Industrial users of ordinary ICS and SCADA systems—small continuous process facilities, or makers of discrete items and batch-processed food, beverages or drugs—didn’t have to worry so much because rather than be too large to fail, they were too small to notice. Four years later, that is definitely not the case.

New research commissioned by signal transmission product vendor Belden and released September 15 shows that the target of the June 23 “Dragonfly” malware campaign was the pharmaceutical industry, not the energy industry as was first reported. The implication is that now discrete manufacturers, not just the critical infrastructure industries, need to factor advanced attacks into their cybersecurity risk assessments.

“The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities,” said independent ICS security expert Joel Langill of RedHat Cyber.

On June 23, 2014, Finnish security firm F-Secure published a blog article on a new family of malware used in targeted attacks against industry sectors. This was shortly followed (on June 30) by cybersecurity vendor Symantec publishing a whitepaper and blog article disclosing “the Dragonfly threat.” Belden commissioned Langill to research Dragonfly in more depth, and look at how Belden’s products can contribute to defense-in-depth cybersecurity protection.

According to the Belden report, statements derived from the original Symantec report included “conclusions [that] could not be more incorrect. Both the number of infected ICS claimed (hundreds) and the industry where they reportedly were operating (the energy sector) are incorrect,” said Langhill.
Eric Byres, CTO of Tofino Security, a Belden Brand, and a world authority on industrial cybersecurity made these remarks about Dragonfly: “The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft, likely for the purpose of counterfeiting.”

“Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations,” Byers continues. “We know now that Stuxnet and Flame [another identified piece of malware] remained hidden in their target networks for years. By the time worms like these do damage or steal trade secrets, it is too late to defend against them.”

The new report, entitled “Defending Against the Dragonfly Cyber Security Attacks, Part A – Identifying the Targets” is the first of four from Belden, and investigates the victims, methods and consequences of the Dragonfly cyberattack campaign. The series will close with an analysis of what defenses have proven to be either effective or ineffective against Advance Persistent Threats (APTs), including Dragonfly. Many of the suggested actions are distinct from current common security practices, says Byres.

Three main factors led Langill to believe that the target of Dragonfly is the intellectual property of pharmaceutical organizations:

  • “Out of thousands of possible ICS suppliers, the three companies targeted for trojanized software were not primary suppliers to energy facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry.”
  • “The Dragonfly attack is very similar in nature to another campaign called Epic Turla, and is likely managed by the same team. Epic Turla has been shown to have targeted the intellectual property of pharmaceutical companies.”
  • “The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceutical rather than the energy industry.”

Download a full copy of the report from http://awgo.to/416.

Companies in this Article

Sponsored Recommendations

Wireless Data Acquisition System Case Studies

Wireless data acquisition systems are vital elements of connected factories, collecting data that allows operators to remotely access and visualize equipment and process information...

Strategizing for sustainable success in material handling and packaging

Download our visual factory brochure to explore how, together, we can fully optimize your industrial operations for ongoing success in material handling and packaging. As your...

A closer look at modern design considerations for food and beverage

With new and changing safety and hygiene regulations at top of mind, its easy to understand how other crucial aspects of machine design can get pushed aside. Our whitepaper explores...

Fueling the Future of Commercial EV Charging Infrastructure

Miguel Gudino, an Associate Application Engineer at RS, addresses various EV charging challenges and opportunities, ranging from charging station design strategies to the advanced...