Industrial Control Vendors Identified In Dragonfly Attack

Two of the three vendors who were victims of a targeted malware attack dubbed ‘Dragonfly’ by the security firm Symantec have been identified by industrial control system security experts.

Two industrial control software firms compromised in a targeted attack have been named.

Writing on Tuesday, Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers.

Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.

The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS’s ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team, said it was alerted to the compromises of the vendors’ web sites by researchers at the security firms Symantec and F-Secure.

DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed “Havex,” was being spread by way of so-called “watering hole” attacks in which the vendors’ own web sites were compromised and used to serve the malware to visitors.

The malware, part of the campaign Symantec calls “Dragonfly” and known to F-Secure as “Havex,” is a remote access trojan (or RAT) that also acts as an installer (or “downloader”), fetching other malicious applications to perform specific tasks on compromised networks. One of those additional payloads is a trojan horse program dubbed Karagany (by Symantec) that has been linked to prior, targeted attacks on energy firms.

According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

Symantec described the group behind the Dragonfly/Havex malware as “well resourced, with a range of malware tools at its disposal.”

The security firm CrowdStrike attributed the attacks to a group it dubbed “Energetic Bear,” which it describes as being of Russian origin and focused on espionage.

According to F-Secure, the individuals behind the Havex malware family had been active for about a year, but began focusing on energy firms in early 2014. Specifically, the group began trojanizing the software downloads offered on industrial control system software vendors’ web sites, so that customers fetching a legitimate-looking installer received the malware along with it.

Contacted by The Security Ledger, Gérald Olivier, a Marketing Manager at eWon, said the compromise of its website occurred in January, 2014. According to an incident report prepared by the company, the attackers compromised the content management system (CMS) used to manage the company’s website and uploaded a trojanized version of the setup program for an eWon product called Talk2M. Hyperlinks on the eWon page that pointed to the legitimate setup file were changed to point to the malicious file. If installed, the malware could capture the login credentials of eWon Talk2M customers.

The company says around 250 visitors to its site may have downloaded the malicious software. Since discovering the breach, it has begun bundling a malware removal tool with its website downloads, in addition to strengthening the security of its web site and implementing two-factor authentication for Talk2M users.

The second firm, MB Connect Line, did not respond to requests for comment from the Security Ledger.

Writing for DigitalBond, Peterson said both the named vendors were small and not generally known in the U.S.

About eWon, Peterson said that his company had “never seen this company’s products in the US. Their impact to the US energy sector would be minimal.” The impact could be bigger in Europe, but “it is clearly not one of the major vendors that would have a widespread impact,” Peterson said.

He had a similar assessment of MB Connect Line, calling the German firm “a very small company…trying to gain a foothold providing remote access solutions in distributed energy resources. The impact to the critical infrastructure of this company distributing malware along with their software would be minimal in Europe, and minuscule in the US,” he wrote.

Peterson said that industrial control system vendors are often “soft targets” for cyber criminals and state-sponsored actors: corporate web sites are weakly secured, and security features such as signed firmware and software updates, which would let customers detect a tampered package before installing it, are frequently absent.
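The eWon incident described above (a compromised CMS, a swapped setup file, and links rewritten to point at it) is exactly the scenario that signed releases defend against. The following is an added example, not code from eWon, MB Connect Line or Digital Bond, and it does not describe how any of those vendors actually package their software. It assumes a hypothetical release process in which the vendor signs each installer with an Ed25519 key held off the web server and customers pin the vendor’s public key out of band. It contrasts that check with verifying a SHA-256 hash published on the same (compromised) download page, which an attacker who controls the CMS can simply edit. The installer bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Release is a hypothetical signed download: the installer body plus a
// detached Ed25519 signature over the whole body. Assumed format, not a
// vendor's real one.
type Release struct {
	Installer []byte
	Signature []byte
}

// SignRelease is the vendor-side step. The private key lives in the build
// system, never on the public web server, so a CMS compromise does not
// expose it.
func SignRelease(priv ed25519.PrivateKey, installer []byte) Release {
	return Release{Installer: installer, Signature: ed25519.Sign(priv, installer)}
}

// VerifyRelease is the customer-side check, run before the setup file is
// executed, against a public key obtained out of band and pinned locally.
func VerifyRelease(pinnedPub ed25519.PublicKey, r Release) bool {
	// ed25519.Verify panics on a malformed key, so guard the lengths first.
	if len(pinnedPub) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinnedPub, r.Installer, r.Signature)
}

// HashMatches models the weaker control: comparing the download against a
// SHA-256 value that was fetched from the download page itself.
func HashMatches(installer []byte, publishedSHA256 []byte) bool {
	got := sha256.Sum256(installer)
	return subtle.ConstantTimeCompare(got[:], publishedSHA256) == 1
}

// DemoResult records how each control fares against the watering-hole swap.
type DemoResult struct {
	GenuineOK        bool // genuine installer, vendor signature, pinned key
	SwappedBodyOK    bool // trojanized body served with the old vendor signature
	AttackerSignedOK bool // trojanized body re-signed with the attacker's own key
	SamePageHashOK   bool // trojanized body checked against a hash the attacker also edited
}

// Demo walks through the genuine download and the attacker's two options.
func Demo() (DemoResult, error) {
	var res DemoResult
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}

	// Constructed placeholder bytes standing in for a real setup program.
	genuine := []byte("Talk2MSetup.exe placeholder: legitimate installer bytes")
	trojan := []byte("Talk2MSetup.exe placeholder: legitimate installer bytes + dropper stage")

	vendorRelease := SignRelease(vendorPriv, genuine)
	res.GenuineOK = VerifyRelease(vendorPub, vendorRelease)

	// Attacker option 1: swap the file behind the link, leave the vendor's
	// signature where it was. Signature no longer covers the body.
	swapped := Release{Installer: trojan, Signature: vendorRelease.Signature}
	res.SwappedBodyOK = VerifyRelease(vendorPub, swapped)

	// Attacker option 2: sign the trojan with a key they do control. The
	// customer's pinned vendor key rejects it.
	resigned := SignRelease(attackerPriv, trojan)
	res.AttackerSignedOK = VerifyRelease(vendorPub, resigned)

	// Hash on the same page: the attacker who rewrote the download link can
	// rewrite the published digest too, so this check passes for the trojan.
	forgedDigest := sha256.Sum256(trojan)
	res.SamePageHashOK = HashMatches(trojan, forgedDigest[:])

	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The point a practitioner should take from the four results is that the signature check fails for both attacker options only because the verification key was pinned from a source the attacker did not control; a public key fetched from the same compromised page would be no better than the hash.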

Sophisticated attackers, he wrote, find it more efficient to “go after one vendor than hundreds of customers.”

Peterson and Digital Bond have been encouraging customers to sever any open connections to vendors that give them “anytime” remote access to their ICS devices.

One Comment

  1. That last zinger line about severing connections from vendors is provably wrong and counter-productive. I thought downtime was a bad thing: waiting a few days to fly someone out to perform diagnosis, and then order the parts or make the correction. As opposed to remotely being able to diagnose. And no, “getting the program right the first time” or “good design” has nothing to do with diagnosing a failed or misconfigured component. Complicated systems fail in complicated ways. There is no perfect in this world: Component failure, intentional damage, changing environments, tweaks needed because of exceeding machine specifications, incorrect re-installation, untrained staff, unplugged cables, actual bugs, “forklift incidents”… all more likely than a spooky cyberattack but just as expensive.

    The MB Connect, eWon, Insys-icom, etc. devices generally, if they are set up properly to the documentation, use certificate based encryption to set up an end-to-end VPN connection. These are secure connections, not “open access”. Moreover, these companies are indeed well known, to OEMs at least. Perhaps DigitalBond needs to get with the times and understand the otherwise insurmountable challenges that machine builders are facing. Literally hours spent on the phone with a maintenance person just not seeing the otherwise obvious thing that a remote connection could point out in about 3 minutes.