Dragonfly Malware Could Lead To Drug Counterfeiting
By Cyndi Root
Belden, a communications and electronics company, warned the pharmaceutical industry in a press release that the Dragonfly (Havex) malware is a threat. Previously, the malware was thought to be targeting the energy sector, but further analysis revealed that the cyberattack threatens pharmaceutical Intellectual Property (IP).
Belden asked Joel Langill of RedHat Cyber to conduct a comprehensive analysis of the malicious software, its targets, and the resulting damage. Langill identified the reasons he thinks the malware is targeting pharmaceutical companies. He said, “My research, coupled with my knowledge of the pharmaceutical industry, led me to conclude that it was the target of Dragonfly. The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.”
Belden Report
Belden’s report is titled “Defending Against the Dragonfly Cyber Security Attacks, Part A – Identifying the Targets.” The first of four planned reports, it examines the method of attack, the victims, and the consequences of the breach. Belden advises manufacturing organizations to update their risk assessments to defend against “highly coordinated attacks by teams of professional hackers,” and states that the fourth report will present effective defenses against Dragonfly, including some that diverge from common security practice.
Dragonfly
Belden considers Dragonfly as dangerous as the Stuxnet, Flame, and Duqu cyberattacks. It differs in that it is an advanced attack on industrial control system (ICS) components. Langill believes that Dragonfly targets pharmaceutical ICS for three reasons. First, the three companies whose software was trojanized offer products and services used in the pharmaceutical industry. Second, Dragonfly resembles the Epic Turla attack, which targeted pharmaceutical IP. Third, Dragonfly probes TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens), and 502 (Schneider Electric), which are more commonly found in pharmaceutical packaging and manufacturing applications.
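The port-probing behaviour above is something a defender can look for in network logs. The following is an added example, not code from Belden or Langill: it flags any source host that reaches the three ICS ports named in the report on several distinct controllers within a short time window. The log format, the sample lines and the thresholds are constructed assumptions, not values from the report.

```python
from collections import defaultdict

# Ports named in Belden's analysis, with the vendors the report associates with them.
ICS_PORTS = {44818: "Omron/Rockwell Automation", 102: "Siemens", 502: "Schneider Electric"}

# Constructed sample, not real telemetry. Format (assumed): "<epoch> <src> <dst> <dport> <proto>".
# 10.0.5.7 sweeps ICS ports across several hosts; 10.0.5.20 polls one controller on one port.
SAMPLE_LOG = """\
1405000001 10.0.5.7 10.0.9.11 44818 tcp
1405000002 10.0.5.7 10.0.9.11 102 tcp
1405000003 10.0.5.7 10.0.9.12 502 tcp
1405000004 10.0.5.7 10.0.9.13 44818 tcp
1405000005 10.0.5.7 10.0.9.14 502 tcp
1405000010 10.0.5.20 10.0.9.11 44818 tcp
1405000011 10.0.5.20 10.0.9.11 44818 tcp
1405000020 10.0.5.7 10.0.9.11 443 tcp
"""

def parse_log(text):
    """Yield (ts, src, dst, port) for well-formed TCP lines; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp":
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_ics_sweeps(text, window=60, min_targets=3):
    """Return {src: {"targets": n, "ports": [...]}} for sources that reach ICS ports
    on at least min_targets distinct hosts within any window-second span
    (both thresholds are assumptions to tune per site)."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port in ICS_PORTS:
            per_src[src].append((ts, dst, port))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo, best = 0, None
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide window start
                lo += 1
            win = events[lo:hi + 1]
            targets = {d for _, d, _ in win}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {"targets": len(targets), "ports": sorted({p for _, _, p in win})}
        if best:
            hits[src] = best
    return hits

if __name__ == "__main__":
    print(find_ics_sweeps(SAMPLE_LOG))
```

A single workstation polling one controller is not flagged; only the multi-host sweep on the named ports is.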
Eric Byres, CTO of Tofino Security, a Belden brand, said that the malware was not intended to cause a disruption of service, but rather was specifically stealing IP assets for the purpose of counterfeiting. He said that manufacturing companies should secure their ICS and not fall victim to malware that can lie hidden for years.