Dragonfly 2.0 Campaign - Hackers gain direct access to US Power GRID controls

    • Updated:
    • 5 Oct 2017
    • Product/Version:
    • Deep Security 10.1
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 6.5
    • OfficeScan 11.0
    • OfficeScan XG.All
    • ScanMail for IBM Domino 5.0 AIX
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
    • N/A
Summary

Energy-sector organizations in Europe and North America are reported to be the targets of a new wave of the campaign known as “Dragonfly 2.0”. A successful intrusion could give the attackers access to power grid operations and allow them to cause severe disruption to power systems.

Details

Arrival and Installation

Security researchers have found evidence that several infection vectors are used to infiltrate and gain access to a target network: spear-phishing emails, watering hole attacks, and trojanized software.

In the spear-phishing case, emails containing malicious content or attachments were sent to selected employees of the target companies.

The attackers also used watering hole attacks: websites related to software used in daily power grid operations were compromised so that the legitimate applications offered there could be replaced with trojanized versions. The targeted companies then downloaded these trojanized applications, which compromised their systems.

Product Solutions

Trend Micro products can block all known threats related to this campaign. The Trend Micro product solutions available to help protect against the Dragonfly 2.0 campaign are listed below.

The following hashes of the trojanized software and backdoors are already detected by Trend Micro’s Smart Scan and Conventional patterns (13.645.00) and by Spyware Pattern 1.873.00.

Pattern Detection       SHA1
BKDR_GOODOOR.ASU        f765c448b6a1eb75862ab362897c35fbafcb2a43
TROJ_LISTRIX.A          cd9519127efcc9a65068befe17ae038c94085358
TROJ_KARAGANY.ULT       95db15c67b48945237af7de61f3dbab92c99edd1
BKDR_DORSHEL.A          c7eae6cd08d0601223b641745f078dffce285066
TROJ_HERIPLOR.A         d6ef3e457819425bf9524e8a7070f3fcf21c3ad5
TROJ_PHISHERLY.A        eff5e2a3ac471a1b5ecdf51a72e003a82c350506

Spyware Pattern Detection   SHA1
HKTL_CREDRIX.A              4f2faef3d65099c19d617df73af5119dd719240c

Trend Micro’s high-fidelity machine learning solution is a predictive technology that helps protect an environment from unidentified threats and zero-day attacks. It performs behavioral analysis on unknown or low-prevalence processes to determine whether an emerging or unknown threat is attempting to infect the network. The hashes above are detected by it as the following:

TROJ.Win32.TRX.XXPE002FF018

Trend Micro’s Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

The following C&C servers are already identified and marked as dangerous by Trend Micro’s Web Reputation Services:

  • hxxp://103[.]41[.]177[.]69/A56WY
  • hxxp://37[.]1[.]202[.]26/getimage/622622.jpg
  • hxxp://184[.]154[.]150[.]66

Trend Micro Deep Discovery Inspector is helpful in identifying malicious traffic and impacted machines on the network, and it has the following detection rules for detecting phone home behavior from malware used in this campaign:

  • Rule 2464 - GOODOR - HTTP (Request)
  • Rule 2492 - KARAGANY - HTTP (Request)

Recommendations for IT Admins

  • Review logs and consoles from Trend Micro products to check if any detections have been registered, and perform full scanning at the endpoints which are suspected to have had communications with C&C servers.
  • Trend Micro gateway web inspection and mail protection products such as InterScan Web Security Virtual Appliance (IWSVA) and InterScan Messaging Security Virtual Appliance (IMSVA) can help check for web reputation and email reputation of the embedded links and block dangerous requests.
  • Educating employees about dangers and potential risks related to spear phishing emails can help reduce risk of malware infections.
  • Setting strong passwords, discouraging password reuse, and employing two-factor authentication add a further layer of security for critical systems and are recommended.
  • Encrypting vital or sensitive data in advance and sending files over a secure channel can also reduce the risk of data leaking from within the enterprise.
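The hash table and C&C list above, together with the first recommendation (review logs, then scan endpoints that talked to a C&C server), amount to a sweep that can be scripted. The following is an added example written for this article, not Trend Micro code. It embeds the SHA1 values and defanged C&C URLs exactly as published above; the proxy log format, the client IP addresses and the sample log lines are constructed for illustration, and the directory walked is an assumption.

```python
"""IOC sweep for the Dragonfly 2.0 indicators listed in this article (added example)."""
import hashlib
import os
from urllib.parse import urlparse

# SHA1 -> Trend Micro detection name, copied from the tables above.
KNOWN_SHA1 = {
    "f765c448b6a1eb75862ab362897c35fbafcb2a43": "BKDR_GOODOOR.ASU",
    "cd9519127efcc9a65068befe17ae038c94085358": "TROJ_LISTRIX.A",
    "95db15c67b48945237af7de61f3dbab92c99edd1": "TROJ_KARAGANY.ULT",
    "c7eae6cd08d0601223b641745f078dffce285066": "BKDR_DORSHEL.A",
    "d6ef3e457819425bf9524e8a7070f3fcf21c3ad5": "TROJ_HERIPLOR.A",
    "eff5e2a3ac471a1b5ecdf51a72e003a82c350506": "TROJ_PHISHERLY.A",
    "4f2faef3d65099c19d617df73af5119dd719240c": "HKTL_CREDRIX.A",
}

# C&C URLs exactly as published (defanged), so nothing in this file is clickable by mistake.
CNC_DEFANGED = [
    "hxxp://103[.]41[.]177[.]69/A56WY",
    "hxxp://37[.]1[.]202[.]26/getimage/622622.jpg",
    "hxxp://184[.]154[.]150[.]66",
]


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging so the indicator can be compared with real traffic."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def cnc_hosts() -> set:
    """Hostnames (here, IP literals) of the listed C&C servers."""
    return {urlparse(refang(u)).hostname for u in CNC_DEFANGED}


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA1 so large binaries never have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root: str, known=None) -> list:
    """Walk `root` and return (path, sha1, detection) for every file whose hash is an IOC."""
    known = KNOWN_SHA1 if known is None else known
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = sha1_of_file(path)
            except OSError:  # unreadable or vanished file: skip it, do not abort the sweep
                continue
            if h in known:
                hits.append((path, h, known[h]))
    return hits


# Constructed proxy log, one request per line: "<timestamp> <client_ip> <method> <url> <status>".
# This layout is an assumption; adapt the split() in find_cnc_contacts() to your gateway's format.
SAMPLE_PROXY_LOG = """\
2017-10-05T09:12:01Z 10.20.30.41 GET http://www.example.com/index.html 200
2017-10-05T09:12:07Z 10.20.30.41 GET http://103.41.177.69/A56WY 200
2017-10-05T09:13:44Z 10.20.30.57 GET http://184.154.150.66/ 404
2017-10-05T09:14:02Z 10.20.30.99 GET http://37.1.202.26.cdn.example.net/getimage/622622.jpg 200
"""


def find_cnc_contacts(log_text: str, hosts=None) -> list:
    """Return (timestamp, client_ip, url) for each request whose destination host is a listed C&C.

    The comparison is on the parsed hostname, not a substring search, so the lookalike host
    37.1.202.26.cdn.example.net in the sample log is correctly not reported.
    """
    hosts = cnc_hosts() if hosts is None else hosts
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        if urlparse(url).hostname in hosts:
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for ts, client, url in find_cnc_contacts(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted C&C {url}: run a full scan on this endpoint")
    for path, h, name in sweep_directory("."):
        print(f"{path} sha1={h} matches {name}")
```

Run against the sample log it reports the two clients that reached 103.41.177.69 and 184.154.150.66, which are the endpoints to scan first; point sweep_directory() at download and temp folders on those hosts to find the trojanized installers and backdoors by hash. Matching on the parsed hostname rather than grepping for the IP string avoids false positives on hosts that merely contain the indicator as a substring.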

For support assistance, please contact Trend Micro Technical Support.

Category:
Remove a Malware / Virus
Solution Id:
1118487