Energetic DragonFly DYMALLOY Bear 2.0

Introduction

New research from Cylance identifies for the first time the use of a compromised core router as one of the tools wielded by the threat actor that has recently been accused by the United States government of acting in the interests of Russia to attack government agencies and organizations in the “energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

This is a discovery whose significance far outweighs its size, given that core router compromises are considerably harder to detect, analyze, patch, and remediate than compromises of PCs.

Background

On March 15, the U.S. government announced new sanctions against what it called “Russian cyber actors” for interference in the 2016 presidential election and the NotPetya attack. In the course of that announcement, the government alluded to the fact that “Russian government cyber actors have also targeted U.S. government entities and multiple U.S. critical infrastructure sectors,” including energy and nuclear power companies.

This constitutes the first time that the U.S. government has publicly attributed these attacks to the Russians. In the wake of this announcement, the FBI and DHS released the details in a new Joint Analysis report.

This marks the third time that the U.S. government has published such information. The first time was privately in June of 2017, and then it did so again in a broader public report released in October of 2017. While these government warnings are new, this threat actor (also known variously as DragonFly, Energetic Bear, Crouching Yeti, DYMALLOY, and Group 24) has been the subject of investigation and/or public reports by the security industry for years, including at Cylance.

After this threat actor’s operations were initially exposed in 2013 and 2014 in a series of widely discussed research reports that led to the different group names

This is a Security Bloggers Network syndicated blog post authored by Jon Gross and Kevin Livelli. Read the original post at: Cylance Blog