Hackers gain access to US and European power firms

Advanced hackers have targeted United States and European energy companies in a cyber espionage campaign that has in some cases successfully broken into the core systems that control the companies’ operations, according to researchers at the security firm Symantec.

Malicious email campaigns have been used to gain entry into organizations in the United States, Turkey and Switzerland, and likely other countries as well, Symantec said in a report published on Wednesday.

The cyber attacks, which began in late 2015 but increased in frequency in April of this year, are probably the work of a foreign government and bear the hallmarks of a hacking group known as Dragonfly, Eric Chien, a cyber security researcher at Symantec, said in an interview.

WHO IS BEHIND IT? 

Symantec did not name Russia in its report but noted that the attackers used code strings that were in Russian. 

Other code used French, Symantec said, suggesting the attackers may be attempting to make it more difficult to identify them.

The firm says the attacks are probably the work of a foreign government and bear the hallmarks of a hacking group known as Dragonfly.

The research adds to concerns that industrial firms, including power providers and other utilities, are susceptible to cyber attacks that could be leveraged for destructive purposes in the event of a major geopolitical conflict.

In June the U.S. government warned industrial firms about a hacking campaign targeting the nuclear and energy sectors, saying in an alert seen by Reuters that hackers sent phishing emails to harvest credentials in order to gain access to targeted networks.

Chien said he believed that alert likely referenced the same campaign Symantec has been tracking.

He said dozens of companies had been targeted and that a handful of them, including in the United States, had been compromised on the operational level. 

That level of access meant that motivation was ‘the only step left’ preventing ‘sabotage of the power grid,’ Chien said.

However, other researchers cast some doubt on the findings.

While concerning, the attacks were ‘far from the level of being able to turn off the lights, so there’s no alarmism needed,’ said Robert M. Lee, founder of U.S. critical infrastructure security firm Dragos Inc, who read the report.

Lee called the connection to Dragonfly ‘loose.’

Dragonfly was previously active from around 2011 to 2014, when it appeared to go dormant after several cyber firms published research exposing its attacks. 

WHAT COULD THEY BE PLANNING? 

Sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns. 

The most notable examples of this are Stuxnet and Shamoon, where previously stolen credentials were subsequently used to deliver their destructive payloads, Symantec says.

The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. 

The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.

The most concerning evidence of this is in their use of screen captures. In one particular instance the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string “cntrl” (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems.
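The naming convention above is the kind of artifact a defender can hunt for on a suspected staging host or in exfiltration captures. The following is an added example, not code from Symantec's report or from the Dragonfly tooling: it parses file names that follow the described [machine description and location].[organization name] layout and flags the ones whose machine description contains "cntrl". The sample file names, the organization names and the optional trailing extension are all constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class CaptureName(NamedTuple):
    machine: str            # machine description and location
    org: str                # organization name
    ext: Optional[str]      # optional trailing image extension (assumed)


# Layout described in the report:
#   <machine description and location>.<organization name>
# An optional trailing ".<ext>" is an assumption made here so that ordinary
# screenshot files (e.g. ".png") still parse.
_NAME_RE = re.compile(
    r"^(?P<machine>[^.]+)\.(?P<org>[^.]+)(?:\.(?P<ext>[A-Za-z0-9]{1,5}))?$"
)


def parse_capture_name(filename: str) -> Optional[CaptureName]:
    """Split a capture file name into its fields, or None if it does not fit."""
    m = _NAME_RE.match(filename.strip())
    if not m:
        return None
    return CaptureName(m.group("machine"), m.group("org"), m.group("ext"))


def flag_control_captures(filenames: List[str], marker: str = "cntrl") -> List[Tuple[str, str]]:
    """Return (machine, org) pairs whose machine description contains `marker`.

    The match is case-insensitive because the attackers' naming is free-form
    text, and the file listing may come from a case-insensitive file system.
    """
    flagged = []
    for name in filenames:
        parsed = parse_capture_name(name)
        if parsed is None:
            continue
        if marker.lower() in parsed.machine.lower():
            flagged.append((parsed.machine, parsed.org))
    return flagged


# Constructed sample listing (not taken from the report); the organization
# names are placeholders.
SAMPLE_LISTING = [
    "cntrl-plant-west.exampleutility.png",
    "hr-laptop-12.exampleutility.png",
    "CNTRL_substation3.examplepower",
    "readme",                                   # no dot: does not fit the layout
    "finance-share.examplepower.jpg",
]


def summarize(filenames: List[str]) -> dict:
    """Group flagged machines by organization for a quick triage view."""
    by_org: dict = {}
    for machine, org in flag_control_captures(filenames):
        by_org.setdefault(org, []).append(machine)
    return by_org


if __name__ == "__main__":
    for org, machines in summarize(SAMPLE_LISTING).items():
        print(f"{org}: {', '.join(machines)}")
```

Run as a script it prints one line per organization with the machines whose description carried the control marker; `parse_capture_name` is kept separate so the same parser can be reused for other markers (for example a site name) without touching the flagging logic.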

The group, also known as Energetic Bear or Koala, was widely believed by security experts to be tied to the Russian government.

Read more at DailyMail.co.uk