A series of sophisticated computer intrusions at electric companies and nuclear-plant operators this year has been traced back to a hacking group known as "Dragonfly" and "Energetic Bear" that has previously been linked to Russia, according to a new report from the computer-security company Symantec, which has seen about 100 such breaches since the start of the year, half of them in the U.S.
The finding is potentially worrisome, because Dragonfly is one of very few hacking groups to evince expertise in power-grid control networks, the computerized systems that switch circuit breakers off and on. A separate Russia-linked hacking operation has twice demonstrated the Kremlin's ability and willingness to use that kind of expertise to cause electrical blackouts, once in December 2015 and a second time a year later, both in Ukraine. Symantec believes the U.S. breaches may be moving into similar terrain.
"The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations," the Symantec report concludes. Now, "the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future."
So far, though, the U.S. intrusions have been about gathering intelligence: technical diagrams, reports, passwords and crypto keys, taken mostly from administrative networks that don't control equipment. In only a handful of the breaches did the intruders make their way to the plant control network. But Vikram Thakur, technical director at Symantec, points out that they weren't quick to leave.
"The ones where the attackers were able to get on the operational side of the house were the scariest to us," says Thakur. "We've seen them get on these operational computers and start taking rapid-fire screenshots. Some would show maps of what's connected to what."
If Thakur worries that the attackers are moving from spying to outright disruption, he concedes that he's not a specialist in power-grid control systems. Robert Lee, CEO of Dragos, is such a specialist, and he says he's seen no evidence that Dragonfly is doing anything it hasn't always done: poking around and gathering information.
"It is very concerning to see threat actors targeting the U.S. energy sector," says Lee. "But we have to be very careful in assuming adversary intent and motivations… We've seen no indication that there's an ability to take down infrastructure. Of course, we don't want them to have that option."
The latest wave of energy company attacks drew attention last July, after the FBI and DHS issued an industry advisory warning that unknown hackers were specifically targeting engineers as a way of worming into U.S. energy companies, including some nuclear plants.
The perpetrators in the attacks have perfected a two-pronged approach. In some hacks, they send fake résumés or party invitations to engineers and their managers as Microsoft Word files, specially crafted to leak the victim's Windows credentials to the attacker's machine. The second, more insidious approach involves hacking third-party websites frequented by control-system engineers, such as industry journals and magazines. By planting a single line of code on the website, the attackers can target any of the site's visitors with malware. This is called a "watering hole" attack, and one security expert says at least 60 engineering-related sites have been used in the energy attacks so far.
The attackers are professional and well-organized, but because they make copious use of open-source code and tools available in the computer underground, it was difficult to link them strongly to previously known operations. In its new report, Symantec says it finally got the goods on the hackers, in part because they were caught deploying a version of a backdoor program called Heriplor previously used by only one other group: Dragonfly.
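As an added illustration of how a defender might spot the first prong on the network (this is not code from the article or from Symantec), the check below scans firewall logs for workstations opening SMB sessions to external hosts. It assumes the credential-leaking documents work by forcing the victim's machine to authenticate to an attacker-controlled host over SMB, a mechanism the article itself does not name; the log format and all addresses are constructed.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not real data). The destination
# addresses are from documentation ranges and stand in for public hosts.
SAMPLE_LOG = """\
2017-09-06T08:14:02Z ALLOW TCP 10.20.30.41:49731 -> 10.20.30.5:445
2017-09-06T08:14:09Z ALLOW TCP 10.20.30.41:49733 -> 203.0.113.77:445
2017-09-06T08:15:11Z ALLOW TCP 10.20.30.42:51002 -> 198.51.100.9:443
2017-09-06T08:16:47Z ALLOW TCP 10.20.30.43:49801 -> 192.0.2.15:445
2017-09-06T08:17:02Z DENY  TCP 10.20.30.41:49735 -> 203.0.113.77:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# SMB ports; 139 covers NetBIOS-session SMB on older hosts.
SMB_PORTS = {445, 139}

# Address space where SMB traffic is expected. Checked explicitly rather
# than via ip_address().is_private, which also covers documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_smb_egress(log_text):
    """Return (timestamp, src, dst) for allowed SMB sessions to external hosts.

    A workstation opening SMB to an Internet address is the network footprint
    assumed here for a credential-leaking lure: the document makes Windows
    fetch a remote resource and the client sends an authentication attempt.
    Denied connections are skipped because the firewall already stopped them.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW" or int(m["dport"]) not in SMB_PORTS:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if is_internal(dst):
            continue
        hits.append((m["ts"], m["src"], str(dst)))
    return hits
```

Run against real logs, each hit is a host to pull for forensic review and a destination to block at the perimeter; a blanket rule denying outbound TCP 445 removes the whole class.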
Dragonfly was already the obvious suspect. The group was infamous for attacking energy companies around the world beginning in late 2011, using the same techniques now seen in the nuclear hacks. In 2014, Symantec discovered the hacking and published the first report on Dragonfly; Crowdstrike identified the operation as originating in Russia.
After the public exposure, Dragonfly seemed to disappear, according to Symantec. But working backward from the 2017 attacks, Symantec says it has found evidence that the hackers began quietly deploying their new watering hole and Microsoft Word ploys in Europe, along with familiar tricks like backdooring commercial software. This year, they brought the new campaign to the U.S. with a vengeance.
Dragonfly has always been focused on control networks, including a crucial technology called SCADA, for Supervisory Control and Data Acquisition. A SCADA network is essentially an electronic nervous system that allows operators to remotely monitor and control all the pumps, motors, relays, and valves that undergird society's infrastructure. The technology grew out of the electric industry beginning in the 1940s as a solution to the growing complexity of power distribution, which requires constant monitoring and adjustment of equipment at thousands of substations scattered around the country. Rather than keep technicians at every site, utilities began connecting the substation equipment to meters and knobs at centralized control centers, first by wire, later by radio, and today over serial ports and digital networks, with graphical computer controls replacing the meters and knobs.
SCADA systems have been plagued by insecurity, and some security experts have been warning for years that attackers could eventually cause a blackout. It finally happened in December 2015, when the hacking operation dubbed Sandworm, which has been linked to the Russian government, successfully attacked a Ukrainian power plant and triggered a blackout that left 225,000 people without power.
Last year, a second attack by the same hackers plunged a portion of Kiev into darkness for about an hour. That attack used previously unseen malware built specifically to manipulate power-plant networks.