The Dragonfly Attack

Symantec recently released a comprehensive Security Response describing a 2013 cyber-attack on US energy infrastructure, dubbed “Dragonfly” (also known as “Energetic Bear”; F-Secure has been tracking one of the malware variants used, called Havex). The attack used spear-phishing, watering-hole attacks and Remote Access Trojans to compromise a number of important organizations in the United States, Spain, France, Italy, Germany, Turkey and Poland. These targets included energy grid operators and electricity generation firms, as well as oil and gas infrastructure and industrial control system equipment manufacturers. The attack was focused on exfiltrating data and authentication credentials, but also included infecting control system software packages with malware that could sabotage the energy infrastructure.
The Symantec Security Response and the related blog are great resources for understanding the attack, both in terms of how it was carried out and of how to find and remove the malware. They point out the critical importance of sharing this kind of information, a key point for us in the SPARKS project, represented in such activities as the stakeholder workshop described in an earlier blog, as well as in the conference presentations we have already been giving and the publications we’ll be producing over the next several years.

The discussion of the Dragonfly attack is particularly important in helping all of us involved in the security of critical infrastructure to understand the magnitude of the threat confronting us. As the Symantec Security Response says in its first sentence, the Dragonfly attack “gave attackers the ability to mount sabotage operations against their victims.” The report continues: “if they had used the sabotage capabilities open to them, [the attackers] could have caused damage or disruption to the energy supply in the affected countries.”

So how should we respond to this attack? The Symantec blog calls out a number of technologies as mitigation strategies, including, as its first recommendation, a multi-layer approach that includes “enterprise-wide security monitoring from Edge to Endpoint”. Certainly technological capabilities are important. But we need to remember that technologies are only part of the answer. They have to be part of a larger strategy that includes exactly the kind of information sharing that the Symantec report represents, and that includes processes supporting rapid detection of and response to attacks such as this, not just at the enterprise level but at the national and international levels. We hope that SPARKS will be an important catalyst for these strategic discussions and decisions.