More details are emerging about the sophisticated hackers who recently penetrated U.S. energy company systems that could be manipulated to sabotage parts of the electric grid.
“They weren’t just in administrative networks—we saw them on operational machines,” says Eric Chien, technical director of Symantec’s security technology and response unit. “We’re talking about machines that are controlling elements that are plugged into the power grid.”
The hackers, who appear linked to an earlier wave of attacks on the sector reported in 2014, ramped up their efforts this year, Symantec reports. They’ve used a mix of targeted phishing attacks—sending malware-laden emails with content targeted to the energy sector—and so-called watering hole attacks, compromising websites likely to be visited by targets in the industry and using them to invade energy company networks.
Symantec says the attack is likely the work of a group that security experts call “Dragonfly” or “Energetic Bear,” and while the company emphasized that it doesn’t have enough evidence to definitely link the group to a particular nation, other experts have previously connected them to Russia. A report released in December by the FBI and Department of Homeland Security included Dragonfly on a list of reported Russian intelligence hacking groups, and security firm CrowdStrike said in 2014 the group had a “nexus to the Russian federation.” DHS is reviewing the new report, and says there’s no sign of an immediate threat to public safety, The Hill reported Friday.
The fact that the group hasn’t sought ransom or stolen data with obvious industrial espionage value suggests a state-sponsored group, as does the apparent sophistication of the attacks, Chien says.
“This is definitely at the level of a nation state,” he says, though Symantec hasn’t pointed fingers at a particular country.
It’s also possible the group is a set of hackers for hire, writes James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, in a Friday blog post.
“If Dragonfly is a Russian state-sponsored group, then the compromises could be a show-of-force meant to indirectly respond to recent sanctions placed on the sponsor,” Scott writes. “If the group is mercenary, the campaign could be a demonstration of skill.”
Once in company systems, the group has been spotted installing additional malware granting backdoor access to systems and taking surreptitious screenshots of industrial control software. Those screenshots could allow the hackers to study how the software, which often varies from installation to installation based on the hardware that’s installed, controls electric grid operations, says Chien.
“You might see a box that represents a switch or a larger thing that represents a breaker panel,” he says. “They take screenshots of those so they can understand what they need to control.”
Symantec warned a number of companies in the energy sector in the past few months about the attack, and since then, it’s seen a decline in the number of attacks detected, possibly indicating that companies are successfully repelling the attackers. Because much of its data is collected anonymously, the company can’t say with certainly which companies have been hacked.
The company also hasn’t made definitive claims about who’s behind the hacking operation, which Symantec has dubbed Dragonfly 2.0. The company has seen evidence of attacks in Turkey and Switzerland as well as the United States, and some language in the hacking code is in French and Russian, but Symantec says that alone doesn’t divulge the nationality of the hackers. Symantec researchers were able to link these hacks with those in years past, based on unique malware used in both waves of attacks but the group now mostly uses off-the-shelf hacking tools, making it more difficult to pick out new clues to their identity, Chien says.
Given previous attacks, this new wave of hacks isn’t a great surprise, says Omer Schneider, CEO of industrial control system security company CyberX, in an email.
“Over time, the adversaries have gotten even more sophisticated and now they’ve stolen credentials that give them direct access to control systems in our energy sector,” he writes. “If I were a foreign power, this would be a great way to threaten the U.S. while I invade other countries or engage in other aggressive actions against U.S. allies.”
Chien emphasizes that there’s no single digital switch hackers could throw to instantly cause a widespread blackout but says it’s certainly conceivable they could create outages. Hackers suspected of being linked to Russia famously triggered blackouts in Ukraine on multiple occasions, and it’s possible a clever attack could cause cascading issues, like the malfunction that cut power to millions in the 2003 Northeast blackout. The Department of Energy has previously warned that the grid faces “imminent danger” of a digital attack and federal agencies have begun researching ways to quickly restore power after a hack.
Scott argues a Ukraine-style attack would be unlikely to cause widespread damage and would be an unwise move, since it would “do little other than draw the ire of the United States and its allies.”
Those power companies that are already affected by this hack should reinstall affected machines and change potentially stolen credentials, Chien says. And those who might be vulnerable should install two-factor authentication wherever possible as an additional precaution. Companies can also install monitoring tools from a variety of vendors that can catch suspicious activity, including on industrial control systems.
“Organizations in a range of industries that are concerned about DragonFly 2.0 affecting their critical operational systems should apply real-time ICS monitoring and detection that can identify the presence of DragonFly in their operations and take steps to block or remediate it,” writes Moreno Carullo, CTO of ICS security company Nozomi Networks, in an email.
And while the hacking activity has apparently decreased since Symantec put the warning out to affected companies, and electric companies have generally increased their security in recent years, it’s quite possible the attackers will regroup and try again, says Chien.
“We would expect there to be additional improvements, but it’s a constant cat-and-mouse battle,” he says.