London/Berlin: A Russian group of hackers known as Energetic Bear is attacking energy companies in the US and Europe and may be capable of disrupting power supplies, cybersecurity researchers said.
The hackers, also called Dragonfly, appear to have the resources, size and organization that suggest government involvement, security company Symantec Corp. said in a blog post on Monday. The attackers are targeting grid operators, petroleum pipeline operators, electricity generation firms and other strategically important energy companies, it said.
The group’s activities highlight the increasing reach of cyberattacks as ever-larger parts of the economy become connected to and controlled via the Web. They may also be symptomatic of governments using hacking to support political strategies. More than half of the infections found were in the US and Spain, Symantec said, while Serbia, Greece, Romania, Poland, Turkey, Germany, Italy and France were also targeted.
The hackers, who have been active since at least 2011, appeared to work a standard week, operating 9am to 6pm, Monday through Friday, in a time zone shared by Russia and other eastern European countries, Symantec said.
The group has a nexus to the Russian Federation, according to a report published in January by Irvine, California-based CrowdStrike, which focuses on identifying web adversaries. The hackers also targeted academics globally, European governments, defense contractors and US health-care providers, it said. Helsinki-based security firm F-Secure Oyj noticed the group’s focus shifting to industrial control systems earlier this year, according to a 23 June blog post.
It’s unclear whether a state is directly involved or if the group is trying to sell to a government, Eric Chien, chief researcher at Symantec’s Security Technology and Response Team, said in an interview.
The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors, Symantec said. These infections not only gave attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations.
“When they do have that type of access, that motivation wouldn’t be for espionage,” Chien said. “When we look at where they’re at, we’re very concerned about sabotage.”
Symantec started actively monitoring Dragonfly’s activities in 2012, when the attacks only looked like espionage, Chien said. Some of the group’s malware infiltrates remote access software used by energy companies, giving attackers the same privileges as an industrial control system.
Cyber-spies are targeting utility companies all over the world. Dragonfly’s tactics are similar to those of Stuxnet, a computer virus found in 2010 to have targeted Iranian nuclear facilities, Symantec said. That malware targeted software made by Siemens AG, among others.
The Federal Bureau of Investigation (FBI) discovered a Chinese hacker, called UglyGorilla, seeking access to parts of a US utility company’s systems that would let him cut off heat or damage pipelines. He and others working for the Chinese People’s Liberation Army were indicted by a US grand jury in May for computer fraud and economic espionage.
“The worst-case scenario would be that the systems get shut down,” Chien said. “You could see the power go out, for example, and there could be disruption in that sense.”
Bloomberg