A group of hackers has targeted US and European energy companies in an extended campaign that has, in some instances, led to cybersecurity breaches that expose the systems that control companies’ operations. The attacks were outlined in a new report from Symantec.
The report claims that attacks have allowed the hackers to bypass the security of energy firms in the US, Turkey, and Switzerland, while companies in other countries are thought to have been affected. The hackers appear to have used multiple methods to access target networks, including malicious emails, watering hole attacks, and Trojanized software.
The attacks use tactics similar to those of a group known as Dragonfly, which Symantec says has been active since 2011 and was responsible for a wave of attacks discovered by security researchers in 2014. The cybersecurity firm is calling the latest attacks, which appear to have begun in Dec. 2015 before a “distinct increase in activity in 2017,” the Dragonfly 2.0 campaign.
The group is thought to be tied to the Russian government, but there’s no proof beyond speculation and a few lines of Russian code strings in the malware discovered by researchers. Some code strings were in French, however, so Symantec is wary of language being used as a false flag to throw researchers off the trail of the attackers’ origins.
The report says that the hackers appear to have expanded the scope of their operations for Dragonfly 2.0. The original Dragonfly campaigns were more of an “exploratory phase,” in which the group was probing for access into the energy sector, while the current phase of attacks is more focused on gaining a foothold to potentially disrupt energy systems.
Symantec believes that screen captures found in the hackers’ possession prove that they might be able to gain control of the power systems if they so choose. The files were tagged with “cntrl,” possibly indicating that the machines in question had access to operational systems.
The potential for these hacks to take a toll in the real world is all too close. Symantec analyst Eric Chien believes the only barrier between the hackers and an attack on real-world energy systems is a reason to flip the switch.
“We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world,” he told Wired.
Attacks on power grids aren’t exactly a new phenomenon. Nuclear facilities in the US were targeted by hackers back in July, but there was no proof that the malicious actors were able to gain access to the operational systems. Energy companies in Ukraine weren’t so lucky, however: hackers actually cut the power in 2015 and 2016.