A Russian group of hackers known as “Energetic Bear” is attacking energy companies in the U.S. and Europe and may be capable of disrupting power supplies, cybersecurity researchers said.
The hackers, also called “Dragonfly,” appear to have the resources, size and organization that suggest government involvement, security company Symantec Corp. said in a blog post yesterday. The attackers are targeting grid operators, petroleum pipeline operators, electricity generation firms and other “strategically important” energy companies, it said.
The group’s activities highlight the increasing reach of cyberattacks as ever-larger parts of the economy become connected and controlled via the Web. They may also be symptomatic of governments using hacking to support political strategies. More than half of the infections found were in the U.S. and Spain, Symantec said, while Serbia, Greece, Romania, Poland, Turkey, Germany, Italy and France were also targeted.
The hackers, who have been active since at least 2011, appeared to work a standard week, operating 9 a.m. to 6 p.m., Monday through Friday, in a time zone shared by Russia and other eastern European countries, Symantec said.
The group has a “nexus to the Russian Federation,” according to a report published in January by Irvine, California-based CrowdStrike, which focuses on identifying web “adversaries.” The hackers also targeted academics globally, European governments, defense contractors and U.S. health-care providers, it said. Helsinki-based security firm F-Secure Oyj noticed the group’s focus shifting to industrial control systems earlier this year, according to a June 23 blog post.
It’s unclear whether a state is directly involved or if the group is trying to sell to a government, Eric Chien, chief researcher at Symantec’s Security Technology and Response Team, said in an interview.
“The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors,” Symantec said. “These infections not only gave attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations.”
“When they do have that type of access, that motivation wouldn’t be for espionage,” Chien said. “When we look at where they’re at, we’re very concerned about sabotage.”
Symantec started actively monitoring Dragonfly’s activities in 2012, when the attacks only looked like espionage, Chien said. Some of the group’s malware infiltrates remote access software used by energy companies, giving attackers the same privileges as an industrial control system.
Cyber-spies are targeting utility companies all over the world. Dragonfly’s tactics are similar to those of Stuxnet, a computer virus that was found in 2010 to target Iranian nuclear facilities, Symantec said. That malware targeted software made by Siemens AG, among others.
The FBI discovered a Chinese hacker, called UglyGorilla, seeking access to parts of a U.S. utility company’s systems that would let him cut off heat or damage pipelines. He and others working for the Chinese People’s Liberation Army were indicted by a U.S. grand jury in May for computer fraud and economic espionage.
Other incursions have spurred a debate in the Obama administration over whether and how to respond, and raised alarms among lawmakers briefed on the incidents.
“The worst-case scenario would be that the systems get shut down,” Chien said. “You could see the power go out, for example, and there could be disruption in that sense.”