Core router compromised in DragonFly 2.0 attacks on critical infrastructure

News by Robert Abel

Cylance researchers say a core router was compromised in cyber-attacks against energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors that the US has accused Russia of carrying out.

Cylance researchers said the discovery's significance far outweighs its size, given that core router compromises are considerably harder to detect, analyse, patch, and remediate than compromises of PCs, according to a 16 March blog post.

On 15 March the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) took the unusual step of issuing an alert naming the Russian government for targeting US critical infrastructure with cyber-attacks.

The US agencies' alert described a "multi-stage intrusion campaign by Russian government cyber-actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks." Once they obtained access, "the Russian government cyber-actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS)," the alert said.

This was the first time the US government had publicly attributed attacks of this sort to Russia.

Cylance researchers said the targeting of this infrastructure is a serious and worrisome discovery because once exploited, vulnerabilities in core infrastructure such as routers are not easily closed or remediated.

Although compromising routing infrastructure for collection or command-and-control purposes is not new, researchers said it is rarely detected: a router compromise is very likely to involve the router's firmware, and forensic investigators have far fewer tools for examining it.

The threat actors behind the attacks, also known as DragonFly, Energetic Bear, Crouching Yeti, DYMALLOY, and Group 24, were initially exposed in 2013 and 2014 but went dark for nearly a year after its threat actor's operations 

In 2015, the group resurfaced in a series of attacks targeting nuclear and energy firms in other countries, possibly including Ireland and Turkey, before setting its sights on the US, researchers said.

“We observed a phishing operation which targeted energy sector organisations in the UK,” researchers said in the post. “The attacks began using two phishing documents in a manner similar to that in incidents on which previous reports have focused – all of which relied on the Redirect to SMB feature of Windows.”
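The "Redirect to SMB" behaviour the quote refers to causes a Windows client that opens a crafted document to initiate an SMB session to a host of the sender's choosing, which is why outbound SMB from workstations to addresses outside the organisation is the traffic a defender wants blocked at the perimeter and alerted on. The following Python is an added example, not code from the article or from Cylance: it scans constructed firewall log lines (in a hypothetical key=value format assumed here) and reports every TCP connection, allowed or denied, to an SMB port on a non-internal host.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log lines for this example; not from the article
# or the Cylance post. The key=value layout and field names are an assumption
# of this example, and the parser below expects exactly these fields.
SAMPLE_LOGS = """\
2018-03-16T09:12:01Z action=allow proto=tcp src=10.20.30.40 dst=10.20.30.5 dport=445
2018-03-16T09:12:07Z action=allow proto=tcp src=10.20.30.40 dst=203.0.113.77 dport=445
2018-03-16T09:12:09Z action=allow proto=tcp src=10.20.30.41 dst=198.51.100.9 dport=443
2018-03-16T09:13:15Z action=deny proto=tcp src=10.20.30.42 dst=192.0.2.15 dport=139
2018-03-16T09:14:00Z action=allow proto=udp src=10.20.30.43 dst=10.20.30.1 dport=53
"""

# SMB and NetBIOS session ports a redirected Windows client would connect to.
SMB_PORTS = {139, 445}

# Address space treated as internal. Listed explicitly rather than relying on
# ipaddress.is_private, so the RFC 5737 documentation ranges used as "external"
# addresses in the constructed sample are classified like real public addresses.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into a dict of fields; returns {} if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_smb(log_text: str) -> List[Dict[str, str]]:
    """Return every TCP connection to an SMB port on a non-internal host.

    Denied attempts are reported as well: a perimeter block stops the
    credential leak, but the internal host that tried still needs a look.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["proto"] != "tcp":
            continue
        if int(ev["dport"]) in SMB_PORTS and not is_internal(ev["dst"]):
            hits.append(ev)
    return hits


def hosts_by_outcome(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the source hosts of flagged events by firewall action (allow/deny)."""
    out: Dict[str, List[str]] = {}
    for ev in hits:
        out.setdefault(ev["action"], []).append(ev["src"])
    return out


if __name__ == "__main__":
    for ev in find_egress_smb(SAMPLE_LOGS):
        print(f'{ev["ts"]} {ev["src"]} -> {ev["dst"]}:{ev["dport"]} ({ev["action"]})')
    print(hosts_by_outcome(find_egress_smb(SAMPLE_LOGS)))
```

On the sample, the internal file-server connection on port 445 and the HTTPS and DNS traffic are ignored; the two connections to external SMB ports are reported, one allowed and one denied. In a real deployment the allowed hits are the ones indicating a perimeter rule gap, while the denied hits point at hosts that may have opened a document worth examining.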

While the end goals of the campaign remain unclear, researchers said the presence of these intrusions across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely upon their critical services.
