Dragonfly Hackers ‘Could Plunge Europe Into Darkness’

Security firm Symantec has warned of a resurgence in cyber attacks on European and US energy companies, which could result in widespread power outages.

This is because, Symantec said, the hackers are making “highly sophisticated attempts to control – or even sabotage – operational systems at energy facilities.”

The hackers, known as Dragonfly (or Energetic Bear), were first revealed to the world back in 2014 by Symantec and other researchers, after they had carried out a widespread campaign on a number of energy firms.

Power Disruption

Since 2014, the Dragonfly hackers have largely maintained a low profile. That said, they have mostly been targeting businesses in the US, Spain, France, Italy, Germany, Turkey and Poland, and have managed to compromise industrial control systems (ICS) used to control sections of power plants.

The group itself is thought to have been in operation since at least 2011 and is based in Russia. It had initially targeted defence and aviation companies in the US and Canada before it moved its crosshairs over to energy firms.

And now, according to Symantec, the energy sector in Europe and North America is once again being targeted by a new wave of cyber attacks “that could provide attackers with the means to severely disrupt affected operations.”

This new wave of cyber attacks began in December 2015, but has been ramping up significantly in 2017.

The crippling nature of these attacks has been amply demonstrated by the widespread disruptions to Ukraine’s power system in 2015 and 2016.

“The successful sabotage of an energy company could mean mass power outages, total shutdown of electrical grids, disruption to utilities or worse,” said Symantec.

It said that in recent months there have been attempted attacks on the electricity grids in some European countries, as well as reports of companies that manage nuclear facilities in the US.

“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” Symantec warned.

“As it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software.

“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organisations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.

Critical Infrastructure

“What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organisations, stealing information, and gaining access to key systems. What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organisations should it choose to do so.”

Last month Corero Network Security warned that more than one-third of critical infrastructure organisations have admitted to skipping basic IT security precautions.

And in July the National Cyber Security Centre (NCSC) acknowledged it was investigating a broad wave of attacks on companies in the British energy and manufacturing sectors.

Those attacks are “likely” to have compromised some industrial control systems in the UK, the NCSC warned.

The US Department of Energy (DOE) has previously acknowledged those attacks, but said only administrative systems, and not industrial control systems, had been targeted.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
