A government security alert about foreign hackers probing the networks of U.S. energy companies frightened casual observers, but security experts say the report provided little more than an update on relatively well-known activity and behavior.
The alert, released late last week by the Department of Homeland Security, mentions evidence of a hacker group — originally identified by U.S. cybersecurity firm Symantec and codenamed “Dragonfly 2.0” — working to compromise the front office networks of industrial firms. This activity is confined to the targeting, and in some cases compromise, of business networks by hackers largely through the deployment of phishing emails and strategic website compromises; also known as watering hole style attacks.
Though the information offered by the government may be helpful for some cybersecurity professionals, it is far from revelatory as a news item.
Hackers associated with adversarial nations, including Russia, North Korean and Iran, have and continue to send spearphishing emails to U.S. critical infrastructure companies in apparent efforts to gather intelligence.
“The alert is an important reminder that adversaries are showing great interest in energy and industrial control inside the U.S. and around the world,” said Sergio Caltagirone, director of threat intelligence with industrial control system focused cybersecurity firm Dragos. “Adversaries are now constantly attempting to compromise industrial companies. The activity described is limited to only business network access and we have knowledge of only a very small number of successful intrusions.
DHS’s alert, as well as related malicious cyber activity noticed by researchers who spoke with CyberScoop, effectively shows that sophisticated hacking groups are taking a clear interest in spying on companies that manage critical components of the American economy, including electrical distribution.
Although these hackers have yet to disrupt operations by, for example, invading physical control systems with malware, the potential for sabotage is real, experts say.
“This is a call to action to critical infrastructure providers to pay close attention,” explained Michael Daly, chief technology officer of the cybersecurity and special missions program with Raytheon. “This alert is telling us that these adversaries are successfully gaining a foothold across a range of American critical infrastructure sectors. It goes on to tell us that the mechanisms that are succeeding are multi-stage attacks that first go after networks and systems that critical infrastructure providers are not defending well, and then the adversaries are moving from those networks into key resources … the attacks succeed when users help the adversaries by not paying attention.”
Some security researchers cautioned over the weekend that the government’s alert must be taken seriously, but should not cause panic.
“There is no immediate threat to safety or reliability of industrial systems but it will not be this way forever,” Caltagirone said. “Preventing an intrusion will likely be impossible from determined and resourced adversaries and companies in the bulls eye of these groups must must focus on improving detection of malicious behaviors.”
While Dragonfly has been linked to the Russian government by the private sector, the alert avoids the topic of attribution. Instead, it provides some technical indicators and background information for defenders to become more aware of the threat posed by the group.
In the past, DragonFly’s tools were linked to several, actual power outages in Ukraine.
“This APT actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors,” the alert reads. “DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.”
The specific espionage campaign detailed by DHS involves a total of roughly 10 different organizations that were targeted by DragonFly over the last several months, said Caltagirone. The focus is generally thought to be narrow and include both U.S. and Middle Eastern companies.
“To be honest, if a significant incident hadn’t occurred, if there hadn’t been some highly noticeable breach recently, then I doubt DHS would have even put this out,” Caltagirone told CyberScoop. “The techniques used here, the tactics, it’s the same thing we’ve been seeing for 10 years … espionage of this sort, you know, it’s just commonplace today.”
The question of whether the scale or volume of such digital espionage operations had increased in recent months is a bit more difficult question to answer, however. And it introduces other challenges with recordings metrics surrounding cyberattacks.
“We have to be really careful with this because it’s tough to accurately say whether there’s been a larger number of attacks or if information sharing, improved visibility and new technology has simply allowed us to see more of them,” Caltagirone said. “Maybe there’s been an uptick recently, but to what end? That’s what everyone is looking at.”
Generally speaking, experts say hackers are interested in spying on the energy, nuclear, water, aviation, and critical manufacturing sectors in order to do one of three things: steal business secrets like intellectual property, map out the victim’s IT infrastructure for future attacks or to siphon some other type of financially valuable user data.