Beware the Dragonfly

The pharma industry is being targeted by a cyber-espionage campaign known as Dragonfly, which uses a variety of ‘weapons,’ including spam emails, web watering holes (that infect websites with malware) and Trojan malware that allows unauthorized system access and information disclosure. Most organizations are aware of the dangers of malware, but Dragonfly is unusual as it specifically targets manufacturing systems. We spoke to Joel Langill, a security expert at RedHat Cyber, and Eric Byres, chief technology officer of Belden’s Tofino Security, to find out more.

Are we sure Dragonfly is targeting pharma?

The actual list of named victims is contained in “restricted” documents that cannot be shared. However, security provider Kaspersky Labs (Russia) offered descriptive information of the victims at various stages of the attack. This information, along with personal knowledge of the operation of pharmaceutical and life science facilities, led to the conclusion that the attack was not likely targeting the energy sector, as previously assumed. At this time, the campaign appears to be limited to reconnaissance or information theft, but the attackers possess the capability for more destructive acts, including system sabotage or disruption to operations.

How does Dragonfly work?

The malware used in Dragonfly targets common services that run on industrial control systems found within the manufacturing networks of an organization. It “scans” a network for potential targets, and then probes them for specific communication services. The attackers placed the malware in legitimate software that would then be used by suppliers common in pharma and life sciences, allowing the malware to be introduced into the final organization via the “trusted supplier” that was carrying the malware.

Is it unusual for the pharma industry to be targeted?

No. The pharma industry has been a potential target for years. According to security analysts, pharma companies have become more vulnerable to cyber-attacks over the last year than even the retail industry (and Target and EBay recently suffered high-profile data breaches). The pharma industry’s focus on federal regulations, like 21 CFR Part 11, with the absence of any cyber requirements, makes them easy targets. This technical weakness is amplified by a socio-economic motivation for countries to obtain intellectual property or other information that would allow them to establish local manufacturing capabilities.
Kaspersky Labs released information of an ongoing attack against the pharma industry they called “Epic Turla” that is believed to have begun in late 2013. The overlap of the Dragonfly and Epic Turla campaigns led us to believe that both attacks may be coordinated, and that Dragonfly was actually used to obtain information about the industrial control systems that was not previously available from Epic Turla.

Any recommendations?

Dragonfly shows that cyber-attacks are becoming more sophisticated, and that the tools used are beginning to focus on critical systems within manufacturing operations. Recommendations to help defend against Dragonfly and similar attacks are discussed in more detail in Belden’s white paper series ‘Defending Against the Dragonfly Cyber Security Attacks’ (1).