The infamous hacking collective known as Dragonfly has resurfaced, renewing its focus on targeting energy sector companies in the United States and Europe. Having been active since at least 2011, this well-resourced group is notorious for its sophisticated cyber-espionage campaigns aimed at critical infrastructure, particularly within the energy domain.
Research conducted by cybersecurity firm Symantec has unveiled a new wave of activity from Dragonfly, termed Dragonfly 2.0. This latest iteration demonstrates the group’s intentions to not only gather intelligence but also potentially engage in sabotage of key operational systems. According to Symantec, the group has already secured unprecedented access to systems of Western energy firms, raising significant alarm regarding operational security.
The report outlines that Dragonfly 2.0 has been active since late 2015, utilizing tactics and tools reminiscent of its prior campaigns. The primary objectives remain consistent: infiltrate targeted networks, gather sensitive information, and position itself to initiate disruptive actions if deemed necessary. The group’s current focus appears to predominantly affect critical energy sectors, particularly in the U.S., Turkey, and Switzerland.
To gain initial access, the attackers employ a range of common techniques, such as phishing emails carrying sector-specific attachments, watering hole attacks, and Trojanized software. Notably, the group uses a toolkit known as Phishery, publicly available on platforms like GitHub, to launch email-based attacks that harvest credentials through template injection. The malware delivered includes various remote access Trojans disguised as innocuous Flash updates, giving the attackers persistent access to compromised machines.
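Because the article singles out Phishery's template-injection delivery, the following is an added defender-side example (it is not code from the article, from Symantec, or from the Phishery project) showing how a mail gateway or triage script can flag Word documents whose attached template is fetched from a remote location. The .docx container layout and the `attachedTemplate` relationship type are standard Office Open XML; the sample documents, the host name `template-host.invalid`, and the function names are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Word records the document template as a relationship whose Type ends in
# "attachedTemplate"; it lives in word/_rels/settings.xml.rels.
ATTACHED_TEMPLATE_SUFFIX = "attachedTemplate"
RELS_OF_INTEREST = ("word/_rels/settings.xml.rels",)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return external template targets (http/https/UNC) declared in a .docx.

    A .docx is a zip of XML parts. A remote template is a relationship with
    Type ending in 'attachedTemplate' and TargetMode='External' whose Target
    is a URL or UNC path. Local templates (file: URIs, plain paths) are the
    normal case and are ignored, so they do not generate noise.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for rels_name in RELS_OF_INTEREST:
            if rels_name not in names:
                continue
            root = ET.fromstring(z.read(rels_name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "") == "External"
                if not (rel_type.endswith(ATTACHED_TEMPLATE_SUFFIX) and external):
                    continue
                if target.lower().startswith(("http://", "https://", "\\\\")):
                    hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx in memory (test fixture, not a real file).

    template_target=None produces a document with no attached template.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
    )
    if template_target is not None:
        rels += (
            '<Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_target}" TargetMode="External"/>'
        )
    rels += "</Relationships>"
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{wml}"><w:body/></w:document>')
        z.writestr("word/settings.xml", f'<?xml version="1.0"?><w:settings xmlns:w="{wml}"/>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder host; any document pointing off-host is reported.
    suspicious = build_sample_docx("http://template-host.invalid/template.dotx")
    print(find_remote_templates(suspicious))  # ['http://template-host.invalid/template.dotx']
    print(find_remote_templates(build_sample_docx(None)))  # []
```

Scanning only `settings.xml.rels` keeps false positives low, since ordinary hyperlinks live in `document.xml.rels` and are not template fetches; a document with a local `file:` template is left alone, while one that pulls its template over HTTP or an administrative share is worth quarantining for review.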
Interestingly, while Dragonfly 2.0 displays advanced capabilities, Symantec’s research found no evidence of zero-day vulnerabilities being exploited. Instead, the group favors publicly available administrative tools, such as PowerShell and PsExec, to carry out its attacks. This strategy complicates attribution efforts, as the same tools are routinely used in legitimate operations.
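Since the group's reliance on PowerShell and PsExec is what makes the activity blend in, here is an added example of the kind of telemetry check a defender can run against Windows event data (it is not from the article or from Symantec). It flags a service install (System event ID 7045) for the PsExec service and a process creation (Security event ID 4688) that launches PowerShell with an encoded command. The event records below are constructed sample lines in a simplified JSON form, not real telemetry; the ATT&CK technique IDs T1569.002 (Service Execution) and T1059.001 (PowerShell) are the published ones, and the rule names are this example's own.

```python
import json
import re
from typing import Dict, Iterable, List

# PowerShell accepts any unambiguous prefix of -EncodedCommand (including the
# short forms -e, -ec and -enc), so match the whole family, not just -enc.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)(?:\s|$)"
)
POWERSHELL_IMAGE = re.compile(r"(?i)(?:^|\\)(?:powershell|pwsh)\.exe$")

# Constructed sample events (simplified JSON lines); the base64 blob is a
# placeholder and decodes to nothing meaningful.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Host": "hmi-ws01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 7045, "Host": "hmi-ws01", "ServiceName": "Backup Agent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe"}
{"EventID": 4688, "Host": "eng-ws07", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoP -W Hidden -enc QQBCAEMA", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 4688, "Host": "eng-ws07", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1", "ParentProcessName": "C:\\Windows\\explorer.exe"}
{"EventID": 4688, "Host": "eng-ws07", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe"}
"""


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run two living-off-the-land detections over JSON event lines."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the batch
        host = str(ev.get("Host", "?"))
        event_id = ev.get("EventID")

        if event_id == 7045:
            svc = str(ev.get("ServiceName", ""))
            path = str(ev.get("ImagePath", ""))
            # Match on both name and binary: PsExec lets the operator rename
            # the service, so the image path is the more durable signal.
            if svc.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
                findings.append({"host": host, "rule": "psexec_service_install",
                                 "technique": "T1569.002", "detail": f"{svc} -> {path}"})

        elif event_id == 4688:
            image = str(ev.get("NewProcessName", ""))
            cmd = str(ev.get("CommandLine", ""))
            if POWERSHELL_IMAGE.search(image) and ENCODED_FLAG.search(cmd):
                findings.append({"host": host, "rule": "powershell_encoded_command",
                                 "technique": "T1059.001", "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.splitlines()):
        print(f"{f['host']}: {f['rule']} ({f['technique']}) {f['detail']}")
```

Neither rule is proof of compromise on its own, which is exactly the attribution problem the article describes: administrators do run PsExec and encoded PowerShell. The value comes from correlating hits against an allow-list of management hosts and expected parent processes, and from treating a first-ever PSEXESVC install on an engineering or HMI workstation as a high-priority event.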
The implications of such campaigns are profound. Attacks on energy grids have a troubling history, as demonstrated by incidents in Ukraine that resulted in significant blackouts in 2015 and 2016. In another concerning development, U.S. nuclear facilities, including the Wolf Creek Nuclear Operating Corporation, faced targeting from a prominent Russian group earlier this year. Fortunately, there is no evidence that operational systems were compromised.
As organizations continue to face evolving threats, business owners must remain vigilant. The tactics employed by Dragonfly 2.0 map onto successive stages of the MITRE ATT&CK framework: initial access via social engineering, persistence through credential harvesting, and privilege escalation via malware deployment. Staying informed and proactive about cybersecurity measures is essential for safeguarding vital infrastructure against such sophisticated threats.