A hacking group has grown bolder and gained access to operational controls of US electric companies, according to Symantec researchers.
6 September 2017
A hacker group linked to the Russian government has acquired an unprecedented level of access to companies that supply power to the US power grid, a cybersecurity firm says.
Symantec, a California-based firm that provides cybersecurity services and worldwide research against online threats, says the group, which it’s nicknamed Dragonfly 2.0, may have compromised more than a dozen American companies in recent months.
Dragonfly – also called Crouching Yeti, or Energetic Bear, depending on which researcher you talk to – was an established hacker group that attacked energy sector targets around the world from at least 2011 until 2014, when it went quiet after its tactics were exposed by public research. Researchers at Symantec have declined to specifically cite Russia as the culprit, though they do say it’s a state-sponsored attack. Researchers at other firms, like CrowdStrike and FireEye, have tied Dragonfly to the Russian government.
“This is the first time we’ve seen this scale, this aggressiveness, and this level of penetration in the US, for sure,” Eric Chien, technical director of Symantec’s Security Technology & Response Division, told BuzzFeed News.
“What we’re seeing is them getting into dozens, as far as we know, likely more, of organizations who are basically energy companies. We’re talking about organizations who are supplying power to the power grid,” Chien said.
It’s not uncommon for nation-state hackers to penetrate administrative and business networks of energy companies in the US or elsewhere. But Dragonfly has gained access to multiple operational networks in the US, Symantec says, an unprecedented level of compromise. Previously, such penetrations are known to have happened only in places like Ukraine, where hackers once remotely turned off circuit breakers, leaving nearly a quarter million people without power; Russians are also suspected in that incident, though there’s no evidence the same attackers are behind Dragonfly.
Attributing attacks to Dragonfly hackers has become harder, Chien said, because the group has taken to using publicly available hacker tools, like phishery or Shellter, to do much of their work. Symantec, however, has a high level of confidence that this latest Dragonfly campaign has accessed “dozens” of energy companies in the US, Switzerland, and Turkey.
Particularly worrying, Chien said, is that Dragonfly’s attacks have largely been aimed at gaining high level credentials for operational systems. “Even after you go in and remove all this malware off your networks,” he said, if a company hasn’t changed their login credentials, “they log into the system, then simply remotely control the system.”
Often such systems run Windows and use software called human-machine interfaces, which give a clear picture of the equipment a given computer controls. “You literally can either switch things off or potentially cause something like a power surge into the power grid,” Chien said.
The Department of Homeland Security said it was aware of the intrusions.
“DHS is aware of the report and is reviewing it. At this time there is no indication of a threat to public safety,” DHS spokesperson Scott McConnell told BuzzFeed News.
“As always, DHS supports critical infrastructure asset owners and operators who request assistance with intrusions or potential intrusions to their networks.”