A Russian government-linked hacking group has infiltrated a dozen companies linked to the US power grid in recent months, a report from cybersecurity firm Symantec says.
The group behind the attack is known as Dragonfly, and has recently become active after years of radio silence. Symantec has been tracking the group since 2011, and exposed its attacks on Western companies back in 2014. “Dragonfly 2.0,” as Symantec is calling it, shares tools and techniques with the old group, but has particularly targeted the energy sector since its resurgence in 2015.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” Symantec wrote.
It’s often in the interests of security firms to play up the dangers of cyberattacks — Symantec’s blog post casually mentions that “Symantec customers are protected against the activities of the Dragonfly group” — but the prospect of a state actor attacking the national power grid is a worst-case scenario for cyberwarfare, and Symantec is saying that it’s within the capabilities of a Russian-linked hacking group.
The report cites a mixture of techniques used to gain access, none of them revolutionary:
“Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software. The earliest activity identified by Symantec in this renewed campaign was a malicious email campaign that sent emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.
The group conducted further targeted malicious email campaigns during 2016 and into 2017. The emails contained very specific content related to the energy sector, as well as some related to general business concerns. Once opened, the attached malicious document would attempt to leak victims’ network credentials to a server outside of the targeted organization.”
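The quoted passage describes attached documents that try to leak network credentials to a server outside the targeted organization. One place to catch such attachments is the mail gateway, before a user opens them. The script below is an added example, not code from Symantec or from the article; it assumes the outbound request is triggered by an external reference inside the document’s own relationship parts (an attached template or similar), which the report excerpt does not specify. It treats a `.docx` as the zip of XML parts that Office Open XML actually is, reads every `.rels` part, and flags any relationship marked `TargetMode="External"` whose host is not on a constructed allow-list of the organization’s own servers. The sample documents and hosts are constructed for the example.

```python
"""Flag Office Open XML attachments whose relationship parts reference an
external host. A document that fetches a remote resource at open time can
cause the victim's machine to authenticate outward, which is how network
credentials end up at a server outside the organisation.
Added example, not the report's tooling; all hosts and documents below are
constructed test fixtures."""
import io
import zipfile
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Constructed allow-list: hosts the organisation's own documents may reference.
INTERNAL_HOSTS = {"intranet.example.internal", "files.example.internal"}


def _host_of(target: str) -> str:
    """Host part of an http(s)/file/UNC target; '' when there is no host."""
    if target.startswith("\\\\"):                 # UNC path: \\server\share\file
        return target.lstrip("\\").split("\\", 1)[0].lower()
    return (urlparse(target).hostname or "").lower()


def external_targets(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (relationship part, target) pairs that point outside INTERNAL_HOSTS."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue                      # internal part reference
                target = rel.get("Target", "")
                host = _host_of(target)
                if host and host not in INTERNAL_HOSTS:
                    findings.append((name, target))
    return findings


def build_docx(settings_rels_body: str = "") -> bytes:
    """Build a minimal, constructed .docx. settings_rels_body is dropped into
    word/_rels/settings.xml.rels, the part where an attached template lives."""
    content_types = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>')
    root_rels = (
        f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    settings_rels = (f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
                     f'{settings_rels_body}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/settings.xml", '<?xml version="1.0"?><settings/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed fixtures: no template, an internal template, an external template.
CLEAN = build_docx()
INTERNAL = build_docx(
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" TargetMode="External" '
    'Target="http://intranet.example.internal/templates/report.dotx"/>')
SUSPICIOUS = build_docx(
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" TargetMode="External" '
    'Target="https://203.0.113.10/templates/invite.dotx"/>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("internal", INTERNAL), ("suspicious", SUSPICIOUS)):
        print(label, external_targets(doc) or "no external targets")
```

The check deliberately keys on the relationship metadata rather than on file type or sender, so it also covers `.xlsx` and `.pptx` packages, which use the same relationship scheme, and it treats a UNC target exactly like an HTTP one, since either can make the client authenticate to the named host. Quarantining on a hit and logging the target host gives incident responders the external server to pivot on.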
“DHS is aware of the report and is reviewing it. At this time there is no indication of a threat to public safety,” a DHS spokesperson said. “As always, DHS supports critical infrastructure asset owners and operators who request assistance with intrusions or potential intrusions to their networks.”