Western energy companies under ‘state-backed’ sabotage threat from Dragonfly, security firms warn

Critical national infrastructure firms have been advised by security experts Symantec to check their networks after the discovery of a new attack, codenamed Dragonfly. Also known as Energetic Bear, Dragonfly is said to be capable of doing damage to utilities on the same scale as Stuxnet.

A continuing cyberespionage campaign against various targets, mainly in the energy sector, is reported to have given attackers the ability to mount sabotage operations against companies, Jeremy Cowan reports. The attackers, known to Symantec as Dragonfly, have already compromised a number of strategically important organisations worldwide for industrial espionage. If they continue to use the sabotage capabilities open to them, says Symantec, they could damage or disrupt energy supplies in affected countries.

Among Dragonfly’s targets are energy grid operators, major electricity generating firms, petroleum pipeline operators, and energy industry equipment providers. Most of the enterprises falling victim to these attacks are in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

Dragonfly targets. Source: Symantec
Dragonfly targets. Source: Symantec

Figure. Top 10 countries by active infections (where attackers
stole information from infected computers)


Well resourced hacking campaign

With a range of malware tools at its disposal and having launched attacks through a number of different vectors, the Dragonfly group is described as “well resourced”. It has compromised a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This has caused companies to install the malware when downloading software updates for computers running ICS equipment. Said a spokesman for Symantec, “These infections not only gave the attackers a beachhead in the targeted organisations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.”

Symantec added: “This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While Stuxnet was narrowly targeted at the Iranian nuclear programme and had sabotage as its primary goal, Dragonfly appears to have a broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required. In addition to compromising ICS software, Dragonfly has used spam email campaigns and ‘watering hole’ attacks to infect targeted organisations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.

Symantec has already notified affected victims and relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to internet security incidents.

Dragonfly may be state-sponsored

The Dragonfly group, appears to have been in operation since at least 2011 and initially targeted defence and aviation companies in the US and Canada before shifting its focus to US and European energy firms in early 2013. The campaign against the European and American energy sector soon expanded in scope, and reportedly bears the hallmarks in high technical capability of a state-sponsored operation.

Commenting on the attacks, director of security research, Tom Cross at network intelligence firm Lancope said: “This is an attack that is directly targeted at western industrial control systems and is suspected to be of Russian origin. Although we don’t know the motive behind these attacks, the purpose of controlling these systems may be to disable them at some point in the future. Russia has used cyberattacks in conjunction with conventional warfare in the past, such as the 2008 conflict between Russia and Georgia. Therefore, it is alarming to hear that a malware variant suspected of having Russian origin has been directly targeted at industrial infrastructure.”


Symantec Corporation (NASDAQ: SYMC) is an information protection expert. Founded in April 1982, Symantec is a Fortune 500 company that operates one of the largest global data intelligence networks The company has provided security, back-up and availability solutions for businesses storing, accessing and sharing information.

Lancope, Inc. is a provider of network visibility and security intelligence to defend enterprises against today’s threats. By collecting and analysing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System is said to help organisations quickly detect a wide range of attacks.



9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

Actility and Helium Network announce roaming integration to scale IoT coverage

Posted on: October 18, 2021

Actility, the provider of IoT connectivity solutions and LPWA technology, and Helium have launched a roaming integration partnership, unlocking affordable and ubiquitous coverage for millions of IoT devices.

Read more

Future of data integration: 2022 and beyond

Posted on: October 18, 2021

Traditional methods including manual creation of scripts, scrubbing the data, and later loading it into a data warehouse or ETL, (extract-transform-load) was used to integrate data from different sources. These methods were adopted in the era of resource constraints and have now become very time-intensive, expensive, and error-prone, says Yash Mehta, an IoT and big

Read more