Hackers reportedly infiltrate deep into U.S. power grids

Dragonfly 2.0 intruders may be biding their time to sting energy control systems


It started off as a fake invitation to a New Year’s Eve party, emailed to energy section employees. It ended with hackers taking screenshots of power grid control computer screens. Well, we can only hope it ended there.

Bob Sullivan, journalist and one of the founding members of msnbc.com

Symantec Corp. released an alarming report last week claiming that a group of power grid hackers it calls Dragonfly 2.0 have made their most successful raid into critical infrastructure computers in the United States and around the world.

“The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations,” Symantec wrote in its report.

Related video: How Russian military tactics were used to hack a retailer

In a chilling statement to Wired, Symantec security analyst Eric Chien said the incident means the intruders are, at the moment, capable of causing disruptions and power outages as they wish. They are just waiting for the right moment.

Eric Chien, Symantec security analyst

“There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage … being able to flip the switch on power generation,” Chien said. “We’re now talking about on-the-ground technical evidence this could happen in the U.S., and there’s nothing left standing in the way except the motivation of some actor out in the world.”

Group long under surveillance

Security researchers have been watching Dragonfly for years, claiming the group has been probing energy sector machines since at least 2011. Symantec says it went dark until a re-emergence in late December 2015, when the New Year’s Eve party invite went out. There is “a distinct increase in activity in 2017,” Symantec said.

“The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in the future,” according to the report.

Symantec doesn’t say where Dragonfly is from—and its report shows the hackers might be intentionally trying to confuse investigators. But late last year, the Department of Homeland Security claimed Dragonfly’s origins were Russian, and it was one of several groups working to “compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”

Disturbing intel

Symantec says the most concerning evidence found during its analysis was the screen captures.

“In one particular instance, the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string “cntrl” (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems,” it said.

Symantec links the initial hacker campaign to this more recent spate of attacks because there are similarities in the malware used. The Dragonfly campaigns that began in 2011 “now appear to have been a more exploratory phase,” Symantec said.

Hack not entirely unexpected

“What (the group) plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so,” the firm claims.

Omer Schneider, CEO and co-founder of security firm CyberX, said this type of attack is inevitable.

“Why is everyone so surprised?” Schneider said. “As early as 2014, the ICS-CERT warned that adversaries had penetrated our control networks to perform cyber espionage. Over time the adversaries have gotten even more sophisticated and now they’ve stolen credentials that give them direct access to control systems in our energy sector. If I were a foreign power, this would be a great way to threaten the U.S. while I invade other countries or engage in other aggressive actions against U.S. allies.”
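For an incident responder who recovers a staging directory of such screen captures, the naming scheme above is itself useful triage data: files whose machine description carries the “cntrl” marker point at hosts that need to be checked for operational access first. The helper below is an added example written for this article, not code from Symantec or the Dragonfly report; the sample file names are constructed, and the exact separator characters and the set of marker strings are assumptions (the report only describes the “[machine description and location].[organization name]” shape and the “cntrl” string).

```python
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample file names (not taken from the Symantec report) that
# follow the "[machine description and location].[organization name]" scheme.
SAMPLE_FILENAMES = [
    "cntrl-substation-north.exampleutility",
    "hmi-cntrl-plant2.examplepower",
    "reception-desk-hq.exampleutility",
    "finance-laptop-03.examplecorp",
    "notes",  # does not fit the scheme at all
]

# Assumed marker strings that suggest a machine with operational access.
# The report names only "cntrl"; add others as your own investigation warrants.
OPERATIONAL_MARKERS = ("cntrl",)


class CaptureName(NamedTuple):
    machine: str            # machine description and location
    organization: str       # victim organization name
    operational_hint: bool  # True if a marker string appears in the machine part


def parse_capture_name(name: str) -> Optional[CaptureName]:
    """Split a screen capture file name into its machine and organization parts.

    Returns None for names that do not have the two-part dotted shape, so the
    caller can set those aside for manual review rather than mis-classify them.
    """
    parts = name.rsplit(".", 1)
    if len(parts) != 2 or not all(parts):
        return None
    machine, organization = parts
    hint = any(marker in machine.lower() for marker in OPERATIONAL_MARKERS)
    return CaptureName(machine, organization, hint)


def triage(names: Iterable[str]) -> List[CaptureName]:
    """Return the parsed names whose machine description suggests operational
    access, preserving input order so the list can drive a response queue."""
    flagged: List[CaptureName] = []
    for name in names:
        parsed = parse_capture_name(name)
        if parsed is not None and parsed.operational_hint:
            flagged.append(parsed)
    return flagged


if __name__ == "__main__":
    for capture in triage(SAMPLE_FILENAMES):
        print(f"check first: {capture.machine} ({capture.organization})")
```

The marker test is deliberately a substring match on the machine part only, so an organization name that happens to contain the marker does not raise a false flag; the trade-off is that the analyst still has to confirm each hit against the asset inventory.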
