Sophisticated hackers stepped up a cyber espionage campaign targeting US and European energy companies, giving the attackers the ability to potentially cause blackouts whenever they want.
The attackers, a group called Dragonfly, have been conducting cyberattacks on energy companies for years – since at least 2011. The group went quiet after being exposed in 2014. The Dragonfly 2.0 campaign began by December 2015 at the latest. But over the last year, using malicious email campaigns to harvest network credentials, the hackers managed to penetrate energy firms in the US, Switzerland and Turkey. According to a new report by Symantec, they now have the ability to “severely disrupt affected operations.”
Earlier Dragonfly campaigns are believed “to have been more of an exploratory phase,” but Symantec is concerned Dragonfly 2.0 campaigns could be aimed at “access to operational systems, access that could be used for more disruptive purposes in the future.” Put another way, “The group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”
In some cases in the US and Turkey, the attackers burrowed deep enough to take screenshots of control panels. When it comes to the potential for sabotage, Symantec wrote:
The most concerning evidence of this is in their use of screen captures. In one particular instance the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string “cntrl” (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems.
That’s the “final step” before sabotage.
Symantec security analyst Eric Chien told Wired, “There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage … being able to flip the switch on power generation. We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”
“If these attacks are from a nation state,” Chien added, “one would expect sabotage only in relation to a political event.”
Symantec didn’t go so far as to point the finger of blame at any specific nation-state, such as Russia. It did, however, note that some code strings in the malware were in Russian and some were in French. The language clues could just as easily be false flags planted to send researchers in the wrong direction.
“What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems,” Symantec wrote. “What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so.”
Tone down the FUD?
Not all security researchers agree with Symantec’s findings. For example, Robert M. Lee, founder of critical infrastructure security firm Dragos Inc, told Reuters the attacks were “far from the level of being able to turn off the lights, so there’s no alarmism needed.” According to Lee, the connection to Dragonfly is “loose.”