Researchers find that a cyberattack group has been quietly sneaking into the world’s power grid control systems over the last six years.
Electrical power grids around the world have been infiltrated by hackers.
Researchers from Symantec, a security company, found evidence that hundreds of power grid sites across the US, Turkey and Switzerland were hit in a massive hacking campaign they are calling Dragonfly 2.0.
The campaign, which started as early as 2011, included malicious emails sent to targets who worked in the energy industry, Symantec said. The first attacks quieted down in 2014, but started back up again in December 2015, with a phishing email disguised as a New Year’s Eve party invite.
Symantec warned that hackers now have login credentials and access to multiple power grids around the world, with the potential to cause blackouts.
Attacks on critical infrastructure pose a massive threat to nations due to their ability to cause immediate chaos, whether it’s starting a blackout or blocking traffic signals. These systems are often vulnerable because of antiquated software and the high costs of upgrading infrastructure.
The world has seen what can happen when hackers tap into a vulnerable power grid. Ukraine experienced a power outage in December after an attack from Russian hackers, and citizens in the nation’s capital of Kiev went without power for an hour. In 2016, Congress introduced a bill to protect critical US infrastructure from cyberattacks by raising security standards.
Eric Chien, a technical director at Symantec, said they “don’t expect to see a blackout tomorrow,” but with Dragonfly 2.0’s hacks, it’s “technically possible.” Symantec found evidence that hackers were taking screenshots of documents from multiple electrical companies that included machine descriptions and locations. The descriptions apparently noted that many machines could be accessed remotely, potentially leaving them open to cyberattacks.
Dragonfly’s attacks increased throughout 2016 and 2017, said Symantec. Hackers sent malicious emails that pretended to be about business concerns and created a fake Flash update that could install a virus on victims’ computers, potentially giving hackers remote access.
So far, the hackers appear to be using the access for espionage, to gather secret documents and possibly plan out a future attack. CrowdStrike, another security research company, has linked the Dragonfly campaign to Russian hackers, but Symantec hasn’t attributed the attacks to any nation.
The Department of Homeland Security is “aware of the report and reviewing it,” an official told CBS News.
Spying and gathering intel is often the first step to launching an attack on infrastructure, said Sergio Caltagirone, the director of intel for infrastructure security company Dragos. It often takes several years to carry out an actual attack. Even though the Dragonfly campaign has been running for six years, that still isn’t enough time, he noted.
“It takes many years for them to actually go from the point of information gathering to actual shutdown capability,” Caltagirone said. “The fact that they’re still information-gathering shows that they’re still not there.”
And just because hackers have access to login information doesn’t necessarily mean they can cause massive blackouts in the US, which would be a major national security concern. The Dragonfly campaign should be a wake-up call for the energy industry, Caltagirone said, but power grids in the US are capable of withstanding cyberattacks.
Despite their flaws, power grids in the US have been designed to withstand outages caused by everything from cyberattacks to natural disasters like hurricanes and earthquakes.
Power grids in the US don’t fail like dominoes, Caltagirone said, with the failure of one system bringing down all the others.
“It is designed to protect itself against large scale outages,” Caltagirone said. “Any thoughts that wide-ranging attacks on the power grid in the US is possible infers a misunderstanding into its complication and its resiliency.”