June 30, 2014, 8:22 PM — Eastern European-based attackers gained access to the networks of energy providers by tampering with software updates for industrial control systems, gaining a foothold that could be used for sabotage, Symantec said Monday.
The Dragonfly group, which appears to operate from Eastern Europe, compromised three ICS vendors, adding a piece of remote access malware to legitimate software updates, the security vendor wrote in a blog post Monday.
"Given the size of some of its targets, the group found a 'soft underbelly' by compromising their suppliers, which are invariably smaller, less protected companies," Symantec wrote.
The companies unwittingly installed the malware by downloading the software updates from the ICS vendors. Symantec did not identify the vendors, but said it had notified the victims and various computer emergency response centers.
Those affected were energy grid operators, electricity generators and petroleum pipeline operators, with the majority of them in the U.S., Spain, France, Italy, Germany, Turkey and Poland, Symantec wrote.
On Friday, an agency that is part of the U.S. Department of Homeland Security (DHS) issued an advisory on the attacks based on information it received from Symantec and the Finnish security company F-Secure.
The software updates from the three ICS vendors contained Havex, a remote access Trojan that can upload other malware to systems, according to the advisory, published by DHS's Industrial Control Systems Emergency Response Team (ICS-CERT).
Havex, which is also known as Backdoor.Oldrea or Energetic Bear, also gathers a variety of network system information and uploads it to command-and-control servers controlled by the attackers.
Symantec identified a product that provided VPN (virtual-private-network) access to PLC (programmable-logic-controller) devices from one ICS vendor that had been modified by Dragonfly.
The group also modified a driver contained within a software package from a European manufacturer of PLC devices. The modified software was available for download for at least six weeks between June and July 2013, Symantec wrote.
A third European company that develops software for managing wind turbines and bio-gas plants also hosted compromised software for 10 days in April 2014, the vendor wrote.
The Dragonfly group has been around since at least 2011. At that time, it targeted defense and aviation companies in the U.S. and Canada before shifting its attacks to energy companies in the same countries in early 2013, Symantec wrote.