A team of researchers at Symantec has found that advanced hackers have infiltrated American and European energy companies through a series of cyber attacks. The attacks have targeted companies in the U.S., Turkey, and Switzerland, and likely in other nations as well, Reuters reports.
The Symantec researchers attribute the attacks to a hacking group known as Dragonfly. If that name sounds familiar, it is because Dragonfly has been in the news before for attacks on energy infrastructure. In 2014 the BBC wrote of Dragonfly:
Energy firms hacked by ‘cyber-espionage group Dragonfly’
Eighty-four countries were affected, although most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
Since 2013 Dragonfly has been targeting organisations that use industrial control systems (ICS) to manage electrical, water, oil, gas and data systems.
Symantec said Dragonfly had accessed computers using a variety of techniques, including attaching malware to third-party programs, emails and websites, giving it “the capability to mount sabotage operations that could have disrupted energy supplies across a number of European countries”.
It had used Backdoor.Oldrea to gather system information, including the computers’ Outlook address book and a list of files and programs installed, and Trojan.Karagany to upload stolen data, download new files and run them on infected computers, Symantec said.
‘Interesting and concerted’
“The way Dragonfly targeted the companies in question was – while not groundbreaking – interesting and concerted. It appears they clearly mapped out their intended plan of attack,” said Rob Cotton, CEO at global information assurance firm NCC Group.
“The increasing frequency and sophistication of these attacks, whilst concerning, should not be a cause of alarm for the average consumer – yet. Government departments such as the CPNI (Centre for the Protection of National Infrastructure) provide sound advice to all key components of our society, ensuring the lights stay on and similar core services and functions critical to our way of life are available.”
The attack is similar to the Stuxnet computer worm, which was designed to attack similar industrial controllers in 2010 and reportedly ruined almost 20% of Iran’s nuclear power plants.
Symantec said Dragonfly “bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability”.
In its recent report, Symantec once again pointed the finger at Dragonfly:
The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations. The group behind these attacks is known as Dragonfly. The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014. This “Dragonfly 2.0” campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group.
The energy sector has become an area of increased interest to cyber attackers over the past two years. Most notably, disruptions to Ukraine’s power system in 2015 and 2016 were attributed to a cyber attack and led to power outages affecting hundreds of thousands of people. In recent months, there have also been media reports of attempted attacks on the electricity grids in some European countries, as well as reports of companies that manage nuclear facilities in the U.S. being compromised by hackers.
The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.
At Richardcyoung.com we’ve been highlighting the vulnerabilities in energy infrastructure for years. For more on how a cyber attack on America’s energy infrastructure could affect you, read this piece I wrote in 2012 about SCADA systems, the most vulnerable parts of the grid.