A report by internet security experts, Symantec, says that a hacking group called Dragonfly 2.0 has gained access to 20 power company networks. The American power grid has been hacked, but for some reason, the culprits restrained themselves from taking down the power like they did in Ukraine recently.
The targets were in the United States, Turkey, and Switzerland. According to Symantec, the hackers did gain access to the interface they would need to control the power equipment, with which they could cause a widespread blackout. Eric Chien, a Symantec security analyst, told Wired:
“There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage … being able to flip the switch on power generation. We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”
While we were all focused on the natural disasters like wildfires and hurricanes looming over us, this report went all but unnoticed by the mainstream and alternative media alike.
A power grid attack could shut down commerce and destroy our already precarious financial system. It could take down our medical system. If the damage was long-lasting, chaos would erupt and it wouldn’t take long for the death toll to skyrocket, so dependent are we on power at the flip of a switch.
How did the hackers get in?
Remember how John Podesta ended up being the victim of a phishing scheme that allowed the Clinton campaign to be hacked? This was pretty much the same thing. The Symantec report explains that this has been going on for a couple of years now, but that activity has sharply increased this year:
Symantec has strong indications of attacker activity in organizations in the U.S., Turkey, and Switzerland, with traces of activity in organizations outside of these countries. The U.S. and Turkey were also among the countries targeted by Dragonfly in its earlier campaign, though the focus on organizations in Turkey does appear to have increased dramatically in this more recent campaign.
As it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software.
The earliest activity identified by Symantec in this renewed campaign was a malicious email campaign that sent emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.
The group conducted further targeted malicious email campaigns during 2016 and into 2017. The emails contained very specific content related to the energy sector, as well as some related to general business concerns. Once opened, the attached malicious document would attempt to leak victims’ network credentials to a server outside of the targeted organization.
In July, Cisco blogged about email-based attacks targeting the energy sector using a toolkit called Phishery. Some of the emails sent in 2017 that were observed by Symantec were also using the Phishery toolkit (Trojan.Phisherly), to steal victims’ credentials via a template injection attack. This toolkit became generally available on GitHub in late 2016,
As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector.
The stolen credentials were then used in follow-up attacks against the target organizations. In one instance, after a victim visited one of the compromised servers, Backdoor.Goodor was installed on their machine via PowerShell 11 days later. Backdoor.Goodor provides the attackers with remote access to the victim’s machine…
…Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks–perhaps by using social engineering to convince a victim they needed to download an update for their Flash player. Shortly after visiting specific URLs, a file named “install_flash_player.exe” was seen on victim computers, followed shortly by the Trojan.Karagany.B backdoor.
Typically, the attackers will install one or two backdoors onto victim computers to give them remote access and allow them to install additional tools if necessary. Goodor, Karagany.B, and Dorshel are examples of backdoors used, along with Trojan.Heriplor.
The moral of this story? Be careful what you do online.
This was a recon mission.
So, they got in but why didn’t they do anything? According to one expert, they were just in there looking around. John Hultquist, a researcher for FireEye security, said of another such intrusion, “In our experience groups that have solely targeted energy like this have been carrying out reconnaissance for attack,”
According to the report by Symantec:
The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.
Back in July of this year, hackers got into an American nuclear power plant in Kansas. On the bright side, they were just into the business side of the Wolf Creek nuclear power plant near Burlington, Kansas, and did not obtain access to the controls. But it’s still pretty unsettling that they’d even get that close.
If someone was able to get into the control section, not only could they cause a power outage, but they could potentially disable the nuclear safeguards. Eric Chien suspects that while this hack was originally blamed on the Russians (because, really, what isn’t blamed on the Russians?) that the Dragonfly 2.0 hackers were the ones who were responsible. “”It’s highly unlikely this is just coincidental.”
Symantec seems to believe this will lead to something much, much worse:
Sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns…The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations.
The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.
Who is behind Dragonfly?
Symantec isn’t sure who is behind the intrusions and says that many of their actions are aimed at making it difficult to figure out.
Some of the group’s activity appears to be aimed at making it more difficult to determine who precisely is behind it:
The attackers used more generally available malware and “living off the land” tools, such as administration tools like PowerShell, PsExec, and Bitsadmin, which may be part of a strategy to make attribution more difficult. The Phishery toolkit became available on Github in 2016, and a tool used by the group–Screenutil–also appears to use some code from CodeProject.
The attackers also did not use any zero days. As with the group’s use of publicly available tools, this could be an attempt to deliberately thwart attribution, or it could indicate a lack of resources.
Some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.
Conflicting evidence and what appear to be attempts at misattribution make it difficult to definitively state where this attack group is based or who is behind it.
The report also references the possibility of a false flag.
Our power grid has been hacked.
Our grid has been hacked. Symantec’s report refuses to disclose which power plants were compromised, but there seems to be no doubt the hackers were able to gain access to operational control of them. And while this has been going on for a few years now, they’re getting bolder and nearly have the pieces in place to widespread sabotage our power grid.
What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems. What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so.
After last December’s malware attack that took down the grid in Ukraine, the power was back on in most places within 6 hours. But…two months later, the controls were still not fully operational. Nothing was able to be done remotely. Someone had to manually control the breakers for months after the attack.
In the US, it might not go so smoothly.
That’s actually a better outcome than what might occur in the US, experts say, since many power grid control systems here don’t have manual backup functionality, which means that if attackers were to sabotage automated systems here, it could be much harder for workers to restore power.
No manual controls? Yay, progress. But the Ukraine attack could have been worse.
The fact that the hackers could have done much more damage than they did do if only they had decided to physically destroy substation equipment as well, making it much harder to restore power after the blackout. The US government demonstrated an attack in 2007 that showed how hackers could physically destroy a power generatorsimply by remotely sending 21 lines of malicious code.
The Ukrainian grid was hit again with the NotPetya attack earlier this summer, a cyber attack that quickly spread globally. It’s naive to think that
Our power grid has been hacked, and it’s naive to think that a massive cyber attack couldn’t happen to us. Cyber warfare is the war of the future and there is more and more proof that it isn’t a matter of if, but when.