Research Saturday 4.14.18
Ep 31 | 4.14.18

Energetic Dragonfly and DYMALLOY Bear 2.0.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at, and be sure to check out Enveil at the RSA Early Stage Expo, Booth 32.

Kevin Livelli: [00:01:47] Like security researchers at a number of other firms and some government agencies, we have been following this threat actor, which has been called many things by many different security firms.

Dave Bittner: [00:01:58] That's Kevin Livelli. He's the Director of Threat Intelligence at Cylance. He and his team recently published research on Energetic DragonFly and DYMALLOY Bear 2.0.

Kevin Livelli: [00:02:09] It's one of those research subjects that we always keep an eye on because it has been evolving for several years now. One of the reasons why we published when we did, was because on March 15th the US government announced a bunch of sanctions against Russian cyber actors, what they called Russian cyber actors, that was directed towards the folks involved in the NotPetya attack. But, in the same breath, they also acknowledged that Russian cyber actors were targeting US government entities and US critical infrastructure sectors.

Kevin Livelli: [00:02:47] And that announcement about sanctions was followed by a new DHS/FBI Joint Analysis report with more indicators of compromise about that campaign that was referred to there. What was new was that, for the first time, the government was attributing the activity that was associated with that campaign targeting the energy sector, with the Russian government.

Kevin Livelli: [00:03:15] And so, given the fact that there was news there, and we had this rather small piece of research that we thought had greater significance, we thought it was an appropriate time to write a blog posting about it, while everyone's attention was focused on this campaign again.

Kevin Livelli: [00:03:32] This is a threat actor that has been active for the last five years at least, and has been written about by my counterparts at other security firms for years, right? Therefore, we get a bunch of different names. DragonFly 2.0, Energetic Bear Crouching Yeti, Group 24. There are others, but, sort of DHS and the FBI did us a favor, I guess, in helping encapsulate all of those into the phrase "Russian government actor."

Dave Bittner: [00:04:04] Very creative of them.

Kevin Livelli: [00:04:05] Right. But it's something that everybody's been following, right?

Dave Bittner: [00:04:08] Right.

Kevin Livelli: [00:04:08] And it's something that lots of researchers have been interested in because, well, in part, because the targets are so sensitive. And that's something that everybody kind of wants to, I think, stay abreast of. We've been doing this kind of research for several years now. We thought it was the right time to publish on this subject because, well, this was something new and interesting. A bit of color, if you were, that kind of fills in a part of the picture that had previously been told by both government agencies and other security firms.

Dave Bittner: [00:04:43] These operations initially came to light around 2013 and 2014, and then you all at Cylance noticed that they went dark for a period of time. What do you think was going on there?

Kevin Livelli: [00:04:56] Well, we think that--well, we don't really know of course, we're making an assessment based on just the big picture, and having followed this group for a while--but we think they were probably retooling during that year. You know, they came across the radar screen, as you said, five years ago, were active for a bit, and then went away, and then they popped up again in 2015. And there were news reports and some security firm reports that talked about targeting the same industry in European countries, in Ireland and in Turkey.

Kevin Livelli: [00:05:31] Some of this stuff has only come out recently, but sort of harkens back to that time period, and indeed, when we were following up on on that research, we noticed that there were organizations in Kazakhstan, so, not a European or Western nation, but in Kazakhstan, that were also compromised and targeted by this same threat actor.

Kevin Livelli: [00:05:56] And then, I think, if you're following the tick-tock here, the next time this sort of came to public attention was over the summer, in June and July of 2017. There was another series of technical alerts released by the United States government and the British government, and the United States government issued a joint analysis with the FBI and DHS authoring it in July, that talked about, again, the same group targeting the US critical infrastructure sector, the nuclear sector, the energy sector, in particular.

Kevin Livelli: [00:06:38] And in the U.K., the alert I think was private, but eventually leaked to the press and was reported on, principally by Motherboard, in July. And that talked about, again, the same threat actor, but in the context of targeting UK power sector companies.

Dave Bittner: [00:07:00] So, these revelations sort of aligned with what you all were were tracking in your own research?

Kevin Livelli: [00:07:07] That's right. Every time we see, you know, a report by another security firm, or a release of some analysis by a government agency, we recognize that, oh, this is a threat actor that, this is the same threat actor that we've been following for a while, and it sometimes leads us to some new research findings, right? And that was the case here.

Kevin Livelli: [00:07:28] So, in looking at some of the new malware samples that were referred to in some of these government reports over the summer, and following that thread wherever it led, we discovered that,, as part of the attack vector there was this new thing, right, that we hadn't seen before, in the context of the UK campaign, which was that the threat actor was incorporating the use of a compromised core infrastructure router into its attack.

Kevin Livelli: [00:08:05] And so, when we saw that, we thought two things. Number one, this is new, and we haven't seen this before in the context of this campaign and this threat actor. And secondly, we thought that it was particularly worrisome because routers are a piece of networking infrastructure. They operate differently and are more challenging for the average security researcher to investigate, or a forensic investigator to investigate, because they don't operate like a PC, right? They're not, uh, this is not something that is running an operating system software like a PC is, right, that you can more easily investigate. So, we certainly perked up when we saw this, and thought it was important to share our findings widely.

Dave Bittner: [00:08:48] There was a factor in this that involved a phishing operation which was targeting the energy sector in the UK. Can you take us through what was going on there?

Kevin Livelli: [00:08:59] Right. So, you know, as was the case with this threat actor targeting energy sector organizations previously, in this case a phishing lure in the form of a resume, like a curriculum vitae, was sent to some energy sector organizations in the UK, and the way this particular attack would work is that, when that was opened, it would fetch this remote template and attempt to automatically authenticate an SMB server.

Kevin Livelli: [00:09:36] Okay, so this SMB authentication is something that has been known for a long time as a way of harvesting credentials as part of a malware campaign including by this actor. But, instead of it redirecting to another IP, another ordinary IP, it was redirecting to this router, okay? And so, the router was involved, we think, not necessarily to collect data, but as a hop. You'd click on this document and there would be an attempt to authenticate via SMB that would redirect to this router and then on somewhere else. And in that way, the target's credentials were, we think, being harvested without his or her knowledge.

Dave Bittner: [00:10:26] And just for clarity, this was one specific router?

Kevin Livelli: [00:10:29] This is one specific router. So, this is a router that was belonging to a Vietnamese oil rig manufacturer. So, obviously something of concern for those guys. You know, theoretically the attack would continue after the credentials hit that router, right? Because once you have the credentials, then they could be used to go back in to those UK companies that you were targeting originally with those phishing documents.

Kevin Livelli: [00:10:55] And indeed, we saw some of that context sort of affirmed for us in one of the alerts that I mentioned previously that had been issued by the UK government, in the form of its National Cyber Security Centre, which is a branch of its GCHQ, its signals intelligence organization, in a Motherboard article that had been published several months prior.

Kevin Livelli: [00:11:19] Again, in the summer, according to that report, they said, in quoting this document, that the infrastructure in organizations, meaning UK energy organizations, was connecting to a set of malicious IP addresses using SMB. Okay, that's that's something we had here. And the report suggested that the hackers were trying to capture victims' passwords. And that's what we saw happening too. So, what our finding sort of reveals is how they were collecting those credentials, and they were collecting those credentials via the use of this compromised router.

Dave Bittner: [00:11:59] And in terms of the router itself, one of the things you pointed out in the research was that this was an end-of-life product that, in terms of general cyber hygiene, you know, this maybe should have had a bullseye on it.

Kevin Livelli: [00:12:13] I guess, but, you know, it's really difficult to criticize, in this case, criticize the manufacturer or the organization that was using this router, because routers, by their very nature, and this is part of the significance, I think, of this finding, is that the routers are by nature not only difficult to forensically investigate, but they're also difficult to patch, and remediate, and to keep up to date.

Kevin Livelli: [00:12:36] I'm sorry to say we don't have too much knowledge of what was going on with this router, how it was compromised, or whether it's firmware was updated recently, or when it was updated, right? We just get, like, a small glimpse of, A) that this was a Cisco router, and B) that it was likely compromised, as a result of some conclusions that we're drawing from analyzing what the malware was doing.

Dave Bittner: [00:13:00] I see. So, in terms of take-homes from this, and recommendations for folks to protect themselves, what can you offer there?

Kevin Livelli: [00:13:09] Well, I think that there are a lot, you know, this is going to impact a number of different people. And again, it's one of the reasons why we thought it was important to share our finding publicly. Well, first of all, this provides better situational awareness for folks inside the energy sector, both in the US and the UK, obviously, to be aware of the fact that this is part of the attack vector that is being used in targeting them, right?

Kevin Livelli: [00:13:39] This is also helpful, presumably, for government agencies in the UK and the US, and elsewhere, who have threat hunting teams whose job it is to follow this campaign. This is also going to be of interest to not only that company in Vietnam that was employing this router, but anybody that's using this router, and for Cisco, right, to sort of be aware of the fact that this technique has been folded into a campaign used by, what we now know, according to the US government, is another government operation. Right? So, not something that's likely to go away.

Kevin Livelli: [00:14:18] So, in terms of mitigating against it, boy, that's, you know, that's the perennial question, isn't it? Right? The first thing I think you want to do is try to educate yourself about what's going on, in an attempt to prevent a compromise to begin with. That's sort of how we think about it at Cylance, and I think that's good advice for everybody.

Kevin Livelli: [00:14:39] But beyond that, I think that folks should be following this research, particularly if you're in this sector, closely. You know, obviously this kind of research, and this subject in general, has implications for policymakers and folks in the wider cybersecurity community as well, right? Because it speaks to the specific actions that are being taken by, allegedly, by another nation-state against our nation-state, obviously, and other nations in the West.

Dave Bittner: [00:15:08] Yeah, it's interesting that, as is so often the case, it begins with a phishing operation.

Kevin Livelli: [00:15:14] Right. And that's sort of one of the dirty secrets here, of the cyber business, right, is that is that these advanced persistent threats, as they have been come to known, aren't always very advanced. They don't have to be, right? Clicking on phishing lures is one of the most sort of simple and well-known and well-publicized ways of initiating a compromise out there. And yet it happens. It happens all the time.

Kevin Livelli: [00:15:42] So, again that's why I mentioned that educating folks at all levels of an organization, from the leadership down to the folks that are plugging away at their desks every day, everybody has to be aware of that threat, particularly if you're working in this industry, one of these industries that we know is being actively targeted.

Kevin Livelli: [00:16:03] For all of the cybersecurity solutions that are out there, you know, if this is indeed a Russian intelligence operation, those guys aren't just going to go away. There's no patch for the GRU. Those guys are just going to find another way to get their campaigns launched and going, right? If one road is blocked, they're going to find another one. So, educating yourself about what they're doing, and understanding that, and then obviously maintaining basic hygiene, will go a long way I think to helping mitigate these risks.

Kevin Livelli: [00:16:40] And the final thing that I think that probably should be said here, Dave, is that, while this is very concerning, for all of the reasons that I enumerated earlier--the fact that a router is difficult to forensically investigate, compromised routers are difficult to patch and remediate--beyond the specifics of this one incident, the fact that the US government believes that the Russians are targeting the critical infrastructure sectors of the United States and the UK should be concerning, but not necessarily to the extent that we need to pull the fire alarm and start to panic. Because I think the likelihood that this activity could turn into something that would interrupt service, at this stage, is relatively low.

Kevin Livelli: [00:17:28] I don't think anybody expects that, having read this, that the lights are about to flicker off at any moment. This is one of those situations where, because of the target and because of the methods of attack that are being used, everybody should be paying attention, but nobody necessarily should be panicking yet.

Dave Bittner: [00:17:52] Our thanks to Kevin Livelli from Cylance for joining us. You can read the complete report on Energetic DragonFly and DYMALLOY Bear 2.0 on the Cylance website. It's in their Threat Matrix section.

Dave Bittner: [00:18:05] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:18:13] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:18:22] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.