It started off as a fake invitation to a New Year’s Eve party, emailed to energy section employees. It ended with hackers taking screen shots of power grid control computer screens. Well, we can only hope it ended there.
Symantec Corp. released an alarming report last week claiming that a group of power grid hackers it calls Dragonfly 2.0 have made their most successful raid into critical infrastructure computers in the United States and around the world.
"The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations,” Symantec wrote in its report.
In a chilling statement to Wired, Symantec security analyst Eric Chien said the incident means the intruders are, as the moment, capable of causing disruptions and power outages as they wish. They are just waiting for the right moment.
"There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage … being able to flip the switch on power generation,” Chien said. “We’re now talking about on-the-ground technical evidence this could happen in the U.S., and there’s nothing left standing in the way except the motivation of some actor out in the world.”
Group long under surveillance
Security researchers have been watching Dragonfly for years, claiming the group has been probing energy sector machines since at least 2011. Symantec says it went dark until a re-emergence in late December 2015, when the New Year’s Eve party invite went out. There is “a distinct increase in activity in 2017,” Symantec said.
"The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in the future,” according to the report
Symantec doesn’t say where Dragonfly is from—and its report shows the hackers might be intentionally trying to confuse investigators. But late last year, the Department of Homeland Security claimed Dragonfly’s origins were Russian, and it was one of several groups working to “compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”
Symantec says the most concerning evidence found during its analysis were the screen captures.
"In one particular instance, the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string “cntrl” (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems,” it said.
Symantec links the initial hacker campaign to this more recent spate of attacks because there are similarities in the malware used. The Dragonfly campaigns that began in 2011 “now appear to have been a more exploratory phase,” Symantec said.
Hack not entirely unexpected
"What (the group) plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so,” the firm claims.
Omer Schneider, CEO and co-founder of security firm CyberX, said this type of attack is inevitable.
"Why is everyone so surprised?” Schneider said. “As early as 2014, the ICS-CERT warned that adversaries had penetrated our control networks to perform cyber espionage. Over time the adversaries have gotten even more sophisticated and now they’ve stolen credentials that give them direct access to control systems in our energy sector. If I were a foreign power, this would be a great way to threaten the U.S. while I invade other countries or engage in other aggressive actions against U.S. allies.”