Hack attack on energy companies raises sabotage fears

Phishing, watering holes and malware are being used to steal credentials which could be used to tamper with energy supplies.
Written by Danny Palmer, Senior Writer
Aryut Tantisoontornchai, Getty Images/iStockphoto

Over two dozen energy companies and utility providers in the US and Europe have been attacked as part of a cyber espionage campaign which looks to infiltrate the control systems of power supply systems.

The Dragonfly attack group - also known as Energetic Bear and Crouching Yeti - has been operating since 2011 but appeared to cease activity after being exposed in 2014.

But after a break of almost two years, the group resumed operations and Dragonfly 2.0 deployed spear-phishing emails, watering hole attacks and a range of malware in an effort to infect energy companies.

Researchers at Symantec have uncovered "strong indications" of attacker activity in a number of organisations around the world, including 20 in the US, six organisations in Turkey and one in Switzerland.

The revived attacks began as an invitation to a New Year's Eve party to targets in the energy sector in December 2015 and further malicious emails were distributed throughout 2016 and into 2017. Many of these messages were disguised to look like job applications and invitations to events relevant to the energy sector.

If opened and run, the malicious attachment contained within the email dropped the Phishery trojan to steal victims' credentials via a template injection attack.

In addition to the phishing emails, the Dragonfly group harnesses watering hole attacks to steal credentials by compromising websites likely to be visited by those working in nuclear and energy.

"The Dragonfly group compromised strategic websites related to the energy sector and planted their malware on the website, and did not use any zero day vulnerabilities in order to infect computers," Candid Wüest, threat researcher at Symantec, told ZDNet.

"We have also found evidence that trojanized software packages were also used, like files masquerading as Flash updates which would install malicious backdoors onto target networks - a likely tactic would be to use social engineering to convince a victim they needed to download an update for their Flash player," he added.

Whichever way hackers managed to steal credentials, they're used to conduct follow-up attacks against the follow-up organization. In once instance - against an unspecified target - a victim became infected after visiting one of the compromised sites. Eleven days later, the attackers installed a Goodor trojan onto the compromised machine, allowing remote access to everything on the system.

Other backdoors installed into systems include the Karagany B, Dorshell and Heriplor Trojans. The Dragonfly is the only group thought to use the Heriplor Trojan, which makes the presence of that code one of the strongest indicators that these attacks are being carried out by the same group which targeted the Western energy sector between 2011 and 2014.

While campaign appears to be carrying out reconnaissance for now, it's not beyond the realms of possibility that the attackers could use the credentials to sabotage operations.

"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," Symantec said.

"Sabotaging of the operations of energy providers would cause great disruption to large numbers of people, as was seen with the compromise of Ukraine's power system in 2015 and 2016. The impact of an attack against an atomic energy provider could potentially be a lot worse," said Wüest.

Researchers haven't been able to specifically identify those behind the attacks, but note "this is clearly an accomplished attack group" which seems to have put effort into not being able to be identified.

Some of the code strings in the malware used in attacks were Russian, but there's also strings in French. Researchers say at least one of those languages is likely to be a false-flag designed to hide the tracks of the attackers.

"Leaving false flags and traces in attack tools has become common for sophisticated and nation state sponsored attack groups. This behavior shows that the attackers are well aware that their attacks will get discovered and analyzed at one point in time," said Wüest.

What is clear is that Dragonfly's ability to successfully compromise organisations in the energy sector, steal information and gain access to key systems indicates it's a highly professional operation.

Researchers have chosen to publicly talk about the campaign in order to raise awareness because attacks are still ongoing and organizations in the energy sector are at risk.


Editorial standards