Dragonfly: Pharma Industry Targeted

Monday, September 15, 2014 @ 11:09 AM gHale

By Gregory Hale
The Havex or Dragonfly malware targeted the pharmaceutical sector, not the energy sector as previously believed, new research found.

“I believe that the pharma companies are under an active attack,” said Joel Langill, of RedHat Cyber, an independent ICS security researcher, who conducted the research on behalf of Belden Inc. “This conclusion was reached based on the information disclosed in reference to the Epic Turla campaign that is active at this time against the pharma industry. There are many similarities between Dragonfly and Epic Turla that allowed me to reach this conclusion.”


Until now, known advanced cyberattacks against industry focused on the critical energy and chemical sectors, but with this finding all manufacturing management teams should update their risk assessments and ensure their cyber security defenses can withstand what are clearly highly coordinated attacks by teams of professional hackers.

Langill’s report, entitled “Defending Against the Dragonfly Cyber Security Attacks, Part A – Identifying the Targets” is the first in a series of four that investigates the victims, methods and consequences of the Dragonfly cyber attack campaign.

The series will close with an analysis of which defenses have proven effective or ineffective against Advanced Persistent Threats (APTs), including Dragonfly. Many of the suggested actions are distinct from current common security practices.

Over the past few years, industrial infrastructure has been a key target for hackers and government-sponsored warfare, attracting some of the most sophisticated cyber attacks on record, including Stuxnet, Flame and Duqu. Dragonfly is significant because it is the first of the advanced attacks since Stuxnet to carry payloads that target specific industrial control system (ICS) components.

The objective of this report was to understand the Dragonfly campaign in order to provide the best possible advice to customers for defending against advanced malware threats.

Langill’s review of Dragonfly focused on executing the malicious code on systems that reflect real world ICS configurations and observing the malware’s impact.

Three main factors led him to believe the target is the intellectual property of pharmaceutical organizations:
• Out of thousands of possible ICS suppliers, the three companies targeted for Trojanized software were not primary suppliers to “energy” facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry.
• The Dragonfly attack is very similar in nature to another campaign called Epic Turla and likely managed by the same team. Epic Turla has targeted the intellectual property of pharmaceutical companies.
• The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in the packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceuticals, than in the energy industry.
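The port list in the last point is something a defender can watch for directly. The script below is an added example, not code from Langill's report or from Belden: it parses a handful of constructed firewall log lines and flags any internal source that reaches several distinct endpoints on TCP 44818, 102 or 502 within a short window, which is the horizontal sweep pattern an ICS-aware scanner module produces. The log line format, the host addresses and the thresholds are assumptions; the protocol names for the three ports (EtherNet/IP, ISO-TSAP/S7, Modbus TCP) are standard assignments, not something the article states.

```python
"""Flag hosts sweeping the ICS ports named in the Dragonfly scanner module.

Added example (not from the Belden report). Reads simplified firewall log
lines and reports any source address that contacts several distinct
(destination, port) pairs on TCP 44818, 102 or 502 inside a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the article; the protocol labels are standard assignments.
ICS_PORTS = {
    44818: "EtherNet/IP (Rockwell Automation, Omron)",
    102: "ISO-TSAP / S7 (Siemens)",
    502: "Modbus TCP (Schneider Electric)",
}

# Assumed log format: a simplified syslog-like firewall line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: an HMI polling one PLC (normal), one host probing
# four plant devices on all three ports (sweep), one web connection, and
# one malformed line the parser must skip. DENY lines are kept on purpose:
# a scanner's blocked attempts are still evidence of the sweep.
SAMPLE_LOG = """\
2014-09-10T08:00:01 ALLOW TCP 10.20.1.5:51000 -> 10.20.5.10:502
2014-09-10T08:00:02 ALLOW TCP 10.20.1.5:51001 -> 10.20.5.10:502
2014-09-10T08:00:03 ALLOW TCP 10.20.1.5:51002 -> 10.20.5.10:502
2014-09-10T08:01:00 ALLOW TCP 10.20.30.40:40001 -> 10.20.5.10:502
2014-09-10T08:01:01 DENY TCP 10.20.30.40:40002 -> 10.20.5.11:102
2014-09-10T08:01:02 DENY TCP 10.20.30.40:40003 -> 10.20.5.12:44818
2014-09-10T08:01:03 ALLOW TCP 10.20.30.40:40004 -> 10.20.5.13:44818
2014-09-10T08:02:00 ALLOW TCP 10.20.30.40:40005 -> 203.0.113.7:443
this line is deliberately malformed and must be ignored
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_ics_sweeps(lines, window=timedelta(minutes=5), min_targets=3):
    """Map each sweeping source to the sorted (dst, dport) pairs it touched.

    A source is reported when, within any `window`-long span of its own
    ICS-port connections, it reaches at least `min_targets` distinct
    (destination, port) pairs. Repeated polling of a single PLC never
    qualifies, so a normal HMI is not flagged.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ICS_PORTS:
            continue
        events[rec["src"]].append(rec)

    sweeps = {}
    for src, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans <= `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            targets = {(r["dst"], r["dport"]) for r in recs[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(sweeps.get(src, ())):
                sweeps[src] = sorted(targets)
    return sweeps


if __name__ == "__main__":
    for src, targets in find_ics_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible ICS port sweep from {src}:")
        for dst, dport in targets:
            print(f"  {dst}:{dport}  {ICS_PORTS[dport]}")
```

Keying on distinct (destination, port) pairs rather than raw connection counts is what separates a sweep from legitimate polling: an HMI that opens a new Modbus session to the same PLC every second generates many events but only one target. In a real deployment the window and target thresholds should be tuned against a baseline of the plant's normal traffic, and the alert is most useful when the source is a workstation or engineering host that has no business talking to PLCs at all.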

“My research, coupled with my knowledge of the pharmaceutical industry, led me to conclude that it was the target of Dragonfly,” Langill said. “The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.”

“The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft, likely for the purpose of counterfeiting,” said Eric Byres, CTO of Tofino Security, a Belden Brand. “CIOs and other executives need to know about this attack and be assured that there are techniques and products available to defend against it.”

“Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations. Post Dragonfly, it is important that manufacturing companies secure core ICS through up-to-date best practice policies and industrially focused security technologies,” said Byres. “We know now that Stuxnet and Flame remained hidden in their target networks for years – by the time worms like these do damage or steal trade secrets, it is too late to defend against them.”

