US Energy Firms Report Cyber Attacks

Thomas Brewster,
Power grid

Concern over digital safety of energy firms grows amidst reports of targeted attacks

Amidst heightened concern about the digital safety of Western energy companies, a number of utilities suppliers in the US have reported cyber incidents over the last year.

The affected utilities were subsidiaries of ITC Holdings, Duke Energy and NRG Energy, according to a report in the Wall Street Journal. All had filed a report to the US Energy Department on suspected cyber attacks.

At the start of the week, Symantec released research detailing a widespread cyber campaign on a number of energy firms, claiming  the attackers could have used their control over their targets to cause “damage or disruption to energy supplies in affected countries.”

Fotolia: Virtual tanks attacking computer data © maninblack #33281402Dragonfly energy firm attacks

The so-called “Dragonfly” hackers, also known as Energetic Bear, largely went after businesses in the US, Spain, France, Italy, Germany, Turkey and Poland. They managed to compromise industrial control systems (ICS) used to control sections of power plants

It’s been suggested the group, which has been in operation since at least 2011, is based in Russia. It initially targeted defence and aviation companies in the US and Canada before it moved its crosshairs over to energy firms.

“Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process,” Symantec said in a blog post.

“Dragonfly has targeted multiple organisations in the energy sector over a long period of time. Its current main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability.”

The US government has issued warnings about the activity of the group and the malware its using, known as Havex or the Energetic Bear RAT.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is funded by the Department of Homeland Securty, noted the hackers were using phishing emails, redirects to compromised websites and trojanised update installers on at least three lCS vendor websites to infect companies with Havex.

“ICS-CERT strongly recommends that organizations check their network logs for activity associated with this campaign,” the body said in an advisory. “Any organisation experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes.”

What do you know about Internet security? Find out with our quiz!