Hacker group compromises US and European energy companies

The likely state-sponsored attackers infected industrial control systems and could have sabotaged energy supplies, says a Symantec report.

European and U.S. energy companies are the latest victims of cyber espionage, as a result of the kind of industrial control system attacks the Defense Department has been growing concerned about. Thought to be state-sponsored, the perpetrators achieved sabotage capabilities that could have been used to disrupt energy supplies in affected regions, according to a recently released Symantec report.

The group, known either as Dragonfly or Energetic Bear, initially targeted American and Canadian defense and aerospace companies before turning its attention toward American and European energy firms in early 2013, according to the report.

Spain and the United States received the most active infections, but researchers theorize that some U.S. infections were collateral damage, or unintended infections – making European countries the primary targets. The Industrial Control Systems Cyber Emergency Response Team, a unit of the Homeland Security Department, has posted an advisory about the attacks and the vectors used.

The sophisticated hacking campaign featured several techniques, beginning with a spear phishing campaign directed against senior employees in the energy sector. In mid-2013, the group began to use watering hole attacks in order to insert Trojan malware into victims’ systems. The hackers were able to compromise multiple legitimate energy-related websites in order to do so.

However, the most troubling form of attack came later, when Dragonfly was able to compromise legitimate software packages used by industrial control system (ICS) providers. The group succeeded in infecting three manufacturers, and then inserted malware into updates sent by the manufacturers to clients. The clients then became infected themselves as they downloaded the software updates.
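The update-channel compromise described above works because clients install whatever the vendor's download server hands them. The following is an added illustration, not code from the report or from any of the affected vendors, of the basic defensive check that blunts it: pin the expected SHA-256 digest of each update through a channel separate from the download itself (for example a manifest embedded in configuration or delivered out of band) and refuse to install anything that does not match. The file names, payload bytes and manifest format are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample payloads: a clean vendor build and the same build with
# extra bytes appended, standing in for a trojanized update.
GOOD_UPDATE = b"ICS-controller-firmware v2.1 (constructed sample payload)"
TAMPERED_UPDATE = GOOD_UPDATE + b"\x00injected-payload"  # constructed


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the update bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical manifest as obtained through a separate trusted channel
# (pinned in configuration), never from the download server being checked.
TRUSTED_MANIFEST = json.dumps({
    "files": {"controller-update-2.1.bin": sha256_hex(GOOD_UPDATE)}
})


def verify_update(filename: str, payload: bytes, manifest_json: str) -> bool:
    """Return True only if payload matches the pinned digest for filename.

    Any failure mode (unknown file, malformed manifest, digest mismatch)
    yields False: the safe default for an installer is to refuse.
    """
    try:
        manifest = json.loads(manifest_json)
        expected = manifest["files"][filename]
    except (ValueError, KeyError, TypeError):
        return False
    actual = sha256_hex(payload)
    # Constant-time comparison avoids leaking how many leading hex digits matched.
    return hmac.compare_digest(expected, actual)


def triage_downloads(downloads: dict, manifest_json: str) -> dict:
    """Map each downloaded file name to 'install' or 'reject'."""
    return {
        name: ("install" if verify_update(name, data, manifest_json) else "reject")
        for name, data in downloads.items()
    }


if __name__ == "__main__":
    batch = {
        "controller-update-2.1.bin": GOOD_UPDATE,
        "controller-update-2.1-mirror.bin": TAMPERED_UPDATE,  # not in manifest
    }
    print(triage_downloads(batch, TRUSTED_MANIFEST))
```

The check is only as strong as the channel the manifest arrives through: if the digest is fetched from the same compromised server as the update, an attacker who can replace the binary can replace the digest too, so the manifest must be pinned or signed independently of the download path.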

More than 250 clients downloaded the infected software from one of the providers alone, reports the Financial Times.

ICS includes supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS) that are commonly used to automate physical industrial processes, such as those in the energy sector. Compromising this type of software significantly increases the risk of industrial sabotage.

“The attackers… if they had used the sabotage capabilities open to them, could have caused damage or disruption to the energy supply in the affected countries,” the report says.

The Symantec report found Cyrillic text and malware timestamps that corresponded to working times in the UTC +4 time zone, suggesting an Eastern European physical location. The group’s complex strategies and specific targets point to state sponsorship.

“Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability,” Symantec said in a press release. “Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability.”

Protecting ICS remains a top priority for the U.S. military as those systems are crucial to operating critical infrastructure. In 2011, the Pentagon said acts of cyber sabotage, such as shutting down a power grid or hospital, could be considered an act of war.

The Air Force recently began an initiative to bring together Air Forces Cyber and the Air Force Civil Engineer Center in order to protect its own ICS, linking cyber warriors who understand cyber-attacks with civil engineers who operate the systems.

And in February, the Army War College urged the Defense Department to secure SCADA and other industrial controls in its energy supply chain, which it said was vulnerable to attack.