One of our expert ICS Security Engineers, Brandon Workentin, discusses his thoughts on the released information about Dragonfly 2.0, the latest threat to the energy sector.
Symantec released a report on what they’re calling Dragonfly 2.0, targeting the electric industry in the United States, Turkey, and Switzerland. The purpose of this blog post isn’t to review what they said or to give an overview of the Dragonfly 2.0 campaign. Instead, I’m going to look at a couple of details from the reporting and examine what the details tell us, and what they are leaving out but should really include. The headline-grabbing part of the report was that attackers had access to operational controls of the victim organizations, and could have caused power outages if they had desired to.
It’s interesting to me that Wired (the first article I saw about this on Twitter) described it like this:
“And in the most successful of those cases, including several instances in the US and one in Turkey, the attackers penetrated deep enough to screenshot the actual control panels for their targets’ grid operations”
But in the Symantec report, it was described like this:
“The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future. The most concerning evidence of this is in their use of screen captures. In one particular instance, the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string ‘cntrl’ (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems.”
In my interpretation, Symantec is not saying that the attackers definitively had screenshots of “operational systems” (what I would guess means HMIs, and described as “control panels” in the Wired article). Their evidence of potential attacker control is in the naming conventions of files. While Symantec’s conclusion is probably still true (although it’s hard to know for sure due to lack of details in their report), it is not as strong as it would be if their evidence included screen captures.
If Symantec had copies of the screenshots, they should have said so. That they didn’t say that makes me question whether they do or not.
One possible reason for this difference is that the victim organizations did not have full forensics or network packet captures available. I’m not a forensics guy, but I think it’s possible that an organization may not have been able to recover the screenshots if the attacker successfully covered their tracks. From a network perspective, the failure to recover the screenshots implies that there were no full packet captures available, or possibly there were but the time from compromise to discovery was long enough that the captures had aged out of the retention window.
One takeaway from this is that the lack of sharing details leaves things open to interpretation and ambiguity. Symantec describes the naming convention of the files as “[machine description and location].[organization name]”. I don’t see why they couldn’t have included obfuscated examples of these, for example something like “cntrl_eng_workstation_substationX.[organization name]”. Having a few examples of those (or even a lot of them) would allow others to judge and interpret the evidence, and either support Symantec’s conclusions or provide an alternative explanation for the evidence.
Another thing to note is that Symantec described “many” of the screenshots as having the “cntrl” identifier, while Wired described it as “several instances in the US and one in Turkey.” Again, there is ambiguity caused by the lack of details, because “many” and “several” are both words which are open to a wide range of interpretations.
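As an added illustration of the two points above (sharing obfuscated examples of the naming convention, and giving exact counts rather than “many” or “several”), here is a small triage script. It is not code from the original post or from Symantec’s report; the filenames, organization names and salt are constructed for the example.

```python
import hashlib
import re

# Constructed sample filenames, modelled on the "[machine description and
# location].[organization name]" convention quoted from the report. None of
# these are real artifacts; the organization names are invented.
SAMPLE_FILENAMES = [
    "cntrl_eng_workstation_substationA.acme-power",
    "cntrl_hmi_plant2.acme-power",
    "hr_laptop_hq.acme-power",
    "cntrl_ops_desk_north.northgrid",
    "finance_pc_03.northgrid",
    "unnamed_capture",  # does not follow the convention; ignored
]

# description "." organization, with neither part containing a further dot
NAME_RE = re.compile(r"^(?P<desc>[^.]+)\.(?P<org>[^.]+)$")
INDICATOR = "cntrl"  # the string the report says may mark control-system access

def pseudonymise_org(org: str, salt: str) -> str:
    """Replace the organization name with a stable label: the same org always
    gets the same label (so a reader can correlate within a report) without
    revealing the name; the salt stops outsiders confirming a guess by hashing."""
    digest = hashlib.sha256((salt + "|" + org.lower()).encode()).hexdigest()[:8]
    return f"[org-{digest}]"

def triage(filenames, salt):
    """Return (shareable_examples, per_org_stats). Examples keep the machine
    description, which is the evidentiary part, and redact only the org."""
    shareable, stats = [], {}
    for name in filenames:
        m = NAME_RE.match(name)
        if not m:
            continue  # not in the [description].[organization] format
        desc, org_label = m.group("desc"), pseudonymise_org(m.group("org"), salt)
        flagged = INDICATOR in desc.lower()
        entry = stats.setdefault(org_label, {"total": 0, "flagged": 0})
        entry["total"] += 1
        entry["flagged"] += int(flagged)
        shareable.append((f"{desc}.{org_label}", flagged))
    return shareable, stats

def summarise(stats):
    """Exact numbers (flagged, total, organizations) instead of 'many'/'several'."""
    flagged = sum(s["flagged"] for s in stats.values())
    total = sum(s["total"] for s in stats.values())
    return flagged, total, len(stats)
```

Run against the sample list, the output is a set of examples that can be published as-is, plus the statement “3 of 5 screenshot filenames across 2 organizations contain ‘cntrl’”, which is what a reader needs to judge the evidence.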
Perhaps in future cases, cybersecurity companies could focus on sharing all the information at hand, regardless of whether it is a perfect fit for the message they, specifically, are trying to convey to the public. Sharing the full set of information would enable and encourage deeper discussion.
The example of sharing more than just a generic [machine description and location] label is just one of those things that could easily be shared in a transparent manner. Information sharing is being pushed very aggressively by government and industry, with even Symantec involved in those efforts (see their membership in the Cyber Threat Alliance, for example), but it would be nice to see that lead to an increase in what companies are willing to share in reports like this, especially when they are likely to generate widespread media attention.