One month on from the announcement of Operation Dragonfly; since that period we have been bombarded with stories about Russian hackers making away with 1.2bn usernames and passwords to yet another company disclosing a major data breach. Whilst focus of the campaign may have migrated beyond the visible timeline, the potential implications of Dragonfly means that it must not be shelved as just another cyber headline.
In the blog[i] myself and Jim Walter wrote at the time of the announcement, we referenced the enumeration of OPC classic, and the targeted nature of the spear phishing/water hole attacks as clear evidence of industrial protocol knowledge by the attackers. Although the attack was broadly reported as a very public demonstration that the attack highlights the focus by criminal groups on the energy sector, and indeed its inherent vulnerabilities; Questions regarding the true motive remain unanswered.
In an assessment[ii] co-authored by technical editor of ‘Applied Cyber Security and the Smart Grid’; Joel Langill – “The fact that Dragonfly is gathering information about OPC servers and VPN connections to PLCs might indicate that the final objective is to gain access to the PLCs themselves, which would enable the attackers to change, damage or disrupt the critical processes run by the targeted organizations. The fact that Dragonfly is gathering information about OPC servers and VPN connections to PLCs might indicate that the final objective is to gain access to the PLCs themselves, which would enable the attackers to change, damage or disrupt the critical processes run by the targeted organizations.”
Beyond the speculation regarding potential follow-up actions, this particular episode does highlight the need to consider confidentiality as a more significant concern in risk assessments for OT (Operational Technology) environments. Historically cyber espionage campaigns against energy environments invariably targeted the IT infrastructure (e.g. NightDragon), and controls for the OT environment focused on the risk of disruption (availability) or unauthorised modification (integrity). Subsequently technologies that focused on data exfiltration such as Data Loss Prevention (DLP) were reserved for the IT infrastructure. Operation Dragonfly demonstrates the importance of preserving the confidentiality of data within the OT environment; such attacks may not be as immediately noticeable to the bottom line (such as a major outage) but can potentially become the precursor a debilitating attack on our critical infrastructure.
All of this may sound like another ‘what if’ scenario but the threat has already been realised. Of significant concern to not only affected organizations including those vendors that have been compromised will be the true motive of the attack.
What questions about Havex do you have?