Recent headlines (here and here) may have struck fear into those living near major energy installations due to references about the Stuxnet malware. In 2009, this particular strain of malware caused significant damage to the Nantanz nuclear facility, reportedly destroying a fifth of Iran’s nuclear centrifuges. Recent reports about Operation Dragonfly, however, appear to be focused on espionage (at least for now), and the scope of the attack appears to be considerably broader than that of Stuxnet.
The various elements associated with Operation Dragonfly draw comparison with Operation Shady RAT; in which at least the first phase targeted specific individuals via email. Beyond the specifics of the operation, however, Operation Dragonfly raises very significant concerns regarding the safety of systems that comprise our critical infrastructure, and in particular regarding the ever-growing supply chain.
This threat was covered in detail in the recently published book “Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure,” coauthored by Raj Samani and Eric Knapp, and edited by Joel Langill. The espionage from Dragonfly could lead to another attack. In the book the authors write: “the SCADA and automation systems within the grid also provide a blueprint to the inner workings of the grid operations. This is valuable intellectual property that could be used for malicious purposes ranging from the influence of energy trading to the development of a targeted, weaponized attack against the grid infrastructure or against the grid operator.”
One of the primary tools leveraged in Operation Dragonfly is Havex. The Havex remote access tool (RAT) can be traced back to (at least) mid-2012 and is not necessarily exclusive to this attack or campaign or actor. Havex is closely related to the SYSMain RAT, and may even be a derivative. We have also observed them used in conjunction. The Trojan is distributed via spear phishing, watering-hole attacks, and by inclusion in exploit kits (such as LightsOut). This family takes advantage of OLE for Process Control (OPC) servers.
The method by which the Havex RAT targeted industrial control systems owners was clever. In addition to spear phishing, the control system vendors’ websites were used as watering holes, ensuring that the delivery of the RAT was highly focused. The next stage, the enumeration of OPC servers, is also clever and very concerning. The malware focuses enumeration on OPC Classic, which lacks the security features of newer OPC variants, and indicates that the attacker is knowledgeable about industrial security—a niche that, to some, benefited from “security through obscurity.” The biggest concern, therefore, is that once again we’re seeing malware targeting an industrial protocol.
In “Applied Cyber Security” the authors wrote, “Industrial protocols in and of themselves represent a challenge to cyber security. … Because most of these protocols provide command and control functionality to the system, an interruption could result in the failure of [a variety of critical systems].
“Industrial protocols in and of themselves represent a challenge to cyber security. … Because most of these protocols provide command and control functionality to the system, an interruption could result in the failure of substation automation, dynamic load management, fault isolation, and even protection systems.”
By specifically targeting OPC Classic, the attacker is likely to discover more vulnerable legacy systems. OPC is extremely common, and can interface with a variety of key systems within almost every industrial environment, from almost every sector. From a network design perspective, OPC uses a wide range of ports; unless OPC is tunneled, firewalls allowing OPC are as open as Swiss cheese. Although there’s still a lot to learn about Havex, this event should inspire asset owners to harden OPC servers, and to assess their networks with this type of attack in mind. Inspection and enforcement of OPC using application-layer firewalls is a good start. Without an industry-wide effort to stem the inherent vulnerabilities in OPC, Havex could prove itself to be another devastating “industrial” RAT—alongside DisktTrack (a.k.a. Shamoon), Duqu, Stuxnet, and Gauss—capable of remote command of control systems. That is something that no one wants to see happen.
For more information, please refer to “Applied Cyber Security and the Smart Grid.”