Dragonfly ... who is the lucky target

jdbrandt

The Symantec summary on Dragonfly states that a certain manufacturer of PLCs is the target of this malware.
But, they don't get specific.
Does anyone have a web link for any more specifics, and/or defense?
 
Interesting.

Symantec said:
The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different Industrial Control System (ICS) equipment manufacturers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.

The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.

The second company to be compromised was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.

The third firm attacked was a European company which develops systems to manage wind turbines, bio-gas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.

And from F-Secure:
Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.
 
From what I've read, "Dragonfly" and "Energetic Bear" are the names used by Symantec and F-Secure for the people behind the attacks. The name "Havex" has been used for the malware tools themselves.

Two good articles from Digital Bond and from F-Secure:

http://www.digitalbond.com/blog/2014/06/26/havex-stuxnet-ics-cert-dhs/

http://www.f-secure.com/weblog/archives/00002718.html

F-Secure's report shows that the malware has been seeking out OPC servers, and using them to determine what types of automation equipment are connected.

They say that they have not seen this malware attempt to attack or control any of the control systems.

This malware attack was done in stages, with ordinary social engineering and e-mail attachment attacks early on. My company got some of the e-mail attachment attacks, but our antivirus detected and removed them.

Then the very sneaky Trojanizing of industrial software packages from three affected vendors. I've read that those three vendors are from Germany, Switzerland, and Belgium.

The businesses they are involved in are described as PLC remote management software and precision machine vision software.

So it wasn't RSLogix or Step7 that got trojanized, but rather smaller vendors who had download servers that were easier to take over.

As for which sorts of controllers the bad guys intend to attack... I don't think anyone knows.
 
For what it's worth, "E W O N" makes popular industrial VPN equipment and is headquartered in Nivelles, Belgium.
 
