Hacker raid on energy companies for secrets raises sabotage fears

'Dragonfly' hackers target utilities as part of three-pronged cyber espionage project.
Written by Steve Ranger, Global News Director

In yet more evidence of the rising tide of cyber espionage, criminals have gained access to vital systems across potentially hundreds of European energy companies using a sophisticated three-pronged campaign of hacking — potentially allowing them to disrupt energy supplies across the region.

The wide-ranging attacks were organised by a group working out of eastern Europe — likely state-sponsored — seem to have focused on espionage, however the intrusions also gave the attackers the ability "to mount sabotage operations against their victims", Symantec said.

According to the security company, if the group — dubbed Dragonfly — had used the sabotage capabilities at its disposal, it "could have caused damage or disruption to energy supplies in affected countries".

Dragonfly's targets were energy grid operators, electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers, Symantec said. Victims were located in the US, Spain, France, Italy, Germany, Turkey, and Poland.

"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," Symantec said. "Its current main motive appears to be cyber-espionage, with potential for sabotage a definite secondary capability."

While cyber espionage is widespread, the suggestion that the hacking could have left companies at threat of sabotage is especially worrying. Experts have warned that a number of states have been probing the critical infrastructure of other nations to catalogue weaknesses that could be exploited if hostilities were ever to occur. In response to the use of digital attacks in recent international conflicts, NATO has updated its cyber defence policy to make it clear that, in certain circumstances, a cyber assault could be treated as the equivalent of an attack with conventional weapons.

Symantec said the Dragonfly group appears to have previously targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms early last year.

Its recent campaign had three phases: first, the group sent phishing emails containing malware to personnel in target firms — mainly US and UK energy companies. These emails, with PDF attachments, claimed to be messages about standard office admin such as dealing with an account or problems with a delivery.

A second phase saw the hackers compromising websites likely to be visited by those working in the energy sector, in order to redirect them to websites hosting an exploit kit which would then deliver malware to the victim's computer.

But the most ambitious attack in the campaign saw the hackers compromise a number of industrial control system (ICS) equipment providers, infecting their software. As a result, when energy companies downloaded the ICS software, they would also be installing the malware. Before one vendor discovered had happened, there had already been 250 downloads of the compromised software.

Other firms targeted included a company that manufactured programmable logic controller devices and a business that developed systems to manage wind turbines, biogas plants, and other energy infrastructure.

"These infections not only gave the attackers a beachhead in the targeted organisations' networks, but also gave them the means to mount sabotage operations against infected ICS computers," Symantec noted.

Symantec said its research shows the group worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. "Based on this information, it is likely the attackers are based in Eastern Europe," it said.

The hackers used two main pieces of malware in their attacks which gave the attackers control of compromised computers. 'Oldrea' which Symantec said appears to be custom malware, either written by the group itself or created for it, gathers system information, along with lists of files, programs installed, and root of available drives. The second piece of malware used — Trojan.Karagany — had similar effects but is more generally available on the underground market.

Further reading

Editorial standards