The global site of the UK's leading magazine for automation, motion engineering and power transmission
13 June, 2024


Dragonfly malware targets pharma, not energy

16 September, 2014

New analysis of the recently revealed Dragonfly (Havex) malware suggests that it has been targeting packaged consumer goods industries – especially the pharmaceutical sector – rather than the energy sector as was previously believed.

Dragonfly is one of the most advanced attacks since Stuxnet and targets specific industrial control system (ICS) components. The malware contains an industrial protocol scanner that searches for devices on TCP ports 44818 (used by Omron and Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). According to the industrial communications specialist Belden, these protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceuticals, rather than the energy industry.
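For defenders, the scanning behaviour described above can be hunted for in network flow records. The following is an added example, not code from the article, Belden or Langill's research: it flags any source that touches several distinct hosts on more than one of the three named ports within a short window. The flow tuple format, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# TCP ports the article says the scanner probes, with the vendors it names.
ICS_PORTS = {44818: "Omron / Rockwell Automation", 102: "Siemens", 502: "Schneider Electric"}

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.0.5.10", "10.0.5.21", 502),    # HMI polling one PLC (normal)
    (1010, "10.0.5.10", "10.0.5.21", 502),
    (1020, "10.0.5.10", "10.0.5.21", 502),
    (1005, "10.0.5.30", "10.0.5.21", 102),    # engineering station, two PLCs, one port
    (1300, "10.0.5.30", "10.0.5.22", 102),
    (1100, "10.0.5.77", "10.0.5.21", 44818),  # workstation sweeping hosts and ports
    (1101, "10.0.5.77", "10.0.5.21", 102),
    (1102, "10.0.5.77", "10.0.5.21", 502),
    (1103, "10.0.5.77", "10.0.5.22", 44818),
    (1104, "10.0.5.77", "10.0.5.22", 102),
    (1105, "10.0.5.77", "10.0.5.23", 44818),
    (1106, "10.0.5.77", "10.0.5.9", 443),     # non-ICS port, ignored
]

def find_ics_sweeps(flows, window=60, min_hosts=3, min_ports=2):
    """Return {src: {"hosts": [...], "ports": [...]}} for sources that, inside
    any `window`-second span, reach at least `min_hosts` distinct destinations
    on at least `min_ports` of the ICS ports. Thresholds are assumed defaults."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ICS_PORTS:
            by_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            ports = {port for _, _, port in span}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                alerts[src] = {"hosts": sorted(hosts), "ports": sorted(ports)}
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for src, hit in find_ics_sweeps(SAMPLE_FLOWS).items():
        print(src, "probed", hit["hosts"], "on ports", hit["ports"])
```

Requiring several hosts and more than one port keeps a normal HMI or engineering station, which talks one protocol to a fixed set of controllers, from alerting; tune both thresholds against a baseline of the plant's own traffic.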

Belden commissioned a leading independent ICS security expert, Joel Langill of RedHat Cyber, to research Dragonfly in more depth. He focused on executing the malicious code on systems that reflect real-world ICS configurations and observing the malware’s impact.

He found that out of thousands of possible ICS suppliers, the three companies targeted for trojanised software were not primary suppliers to energy facilities. Instead, all three offered products and services most commonly used by consumer packaged goods industries, including the pharmaceutical industry.

Langill also reports that the Dragonfly attack is similar to another campaign called Epic Turla and is likely to have been managed by the same team. Epic Turla targeted the intellectual property of pharmaceutical companies.

“My research, coupled with my knowledge of the pharmaceutical industry, led me to conclude that it was the target of Dragonfly,” Langill says. “The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.”

According to Eric Byres, chief technical officer of Belden’s cyber-security business, Tofino Security, “the interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft – likely for the purpose of counterfeiting. CIOs and other executives need to know about this attack and be assured that there are techniques and products available to defend against it.

“Security researchers and hackers have identified numerous vulnerabilities in the products used in industrial operations,” he adds. “Post Dragonfly, it is important that manufacturing companies secure core ICS through up-to-date best practice policies and industrially focused security technologies. We know now that Stuxnet and Flame remained hidden in their target networks for years – by the time worms like these do damage or steal trade secrets, it is too late to defend against them.”

Belden has published a white paper by Joel Langill called Defending against the Dragonfly cyber-security attacks: identifying the targets. It is the first of four planned papers and investigates the victims, methods and consequences of the Dragonfly campaign. The series will analyse which defences have been found to be effective or ineffective against “advanced persistent threats” such as Dragonfly. Many of the suggested actions differ from current common security practices.

Belden has also published a blog on the topic. 
