A series of sophisticated computer intrusions at electric companies and nuclear-plant operators this year has been traced back to a hacking group called “Dragonfly” and “Energetic Bear” that’s been previously linked to Russia, according to a new report from the computer-security company Symantec, which has seen about 100 such breaches since the start of the year, half of them in the U.S.
The finding is potentially worrisome, because Dragonfly is one of very few hacking groups to evince expertise in power-grid control networks—the computerized systems that turn off and on circuit breakers. A separate Russia-linked hacking operation has twice demonstrated the Kremlin’s ability and willingness to use that kind of expertise to cause electrical blackouts—once in December 2015, and a second time a year later, both in Ukraine. Symantec believes the U.S. breaches may be moving into similar terrain.
“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” the Symantec report concludes. Now, “the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”
So far, though, the U.S. intrusions have been about gathering intelligence— technical diagrams, reports, passwords, crypto keys—mostly from administrative networks that don’t control equipment. In only a handful of the breaches did the intruders make their way to the plant control network. But Vikram Thakur, technical director at Symantec, points out they weren’t quick to leave.
“The ones where the attackers were able to get on the operational side of the house were the scariest to us,” says Thakur. “We’ve seen them get on these operational computers and start taking rapid-fire screenshots. Some would show maps of what’s connected to what.”
If Thakur worries the attackers are moving from spying to outright disruption, he concedes that he’s not a specialist in power-grid control systems. Robert Lee, CEO of Dragos, is such a specialist, and he says he’s seen no evidence that Dragonfly is doing anything that it hasn’t always done: poking around and gathering information.
“It is very concerning to see threat actors targeting the U.S. energy sector,” says Lee. “But we have to be very careful in assuming adversary intent and motivations… We’ve seen no indication that there’s an ability to take down infrastructure. Of course, we don’t want them to have that option.”
The latest wave of energy company attacks drew attention last July, after the FBI and DHS issued an industry advisory warning that unknown hackers were specifically targeting engineers as a way of worming into U.S. energy companies, including some nuclear plants.
The perpetrators in the attacks have perfected a two-pronged approach. In some hacks, they send fake résumés or party invitations to engineers and their managers as Microsoft Word files, specially crafted to leak the victim’s Windows credentials to the attacker’s machine. The second, more insidious approach, involves hacking third-party websites frequented by control-system engineers, such as industry journals and magazines. By planting a single line on the website’s code, the attackers can target any of the site’s visitors with malware. Called a “watering hole” attack, one security expert says at least 60 engineering-related sites have been used in the energy attacks so far.
The attackers are professional and well-organized, but because they make copious use of open-source code and tools available in the computer underground it was difficult to link them strongly to previously known operations. In its new report, Symantec says it finally got the goods on the hackers, in part because they were caught deploying a version of a backdoor program called Heriplor previously used by only one other group, Dragonfly.
Dragonfly was already the obvious suspect. The group was infamous for attacking energy companies around the world beginning in late 2011, using the same techniques now seen in the nuclear hacks. In 2014, Symantec discovered the hacking and published the first report on Dragonfly; Crowdstrike identified the operation as originating in Russia.
After the public exposure, Dragonfly seemed to disappear, according to Symantec. But working backward from the 2017 attacks, Symantec says it has found evidence that the hackers began quietly deploying their new watering hole and Microsoft Word ploys in Europe, along with familiar tricks like backdooring commercial software. This year, they brought the new campaign to U.S. with a vengeance.
Dragonfly has always been focused on control networks, including a crucial technology called SCADA, for Supervisory Control and Data Acquisition. A SCADA network is essentially an electronic nervous system that allows operators to remotely monitor and control all the pumps, motors, relays, and valves that undergird society’s infrastructure. The technology grew out of the electric industry beginning in the 1940s as a solution to the growing complexity of power distribution, which requires constant monitoring and adjustment of equipment at thousands of substations scattered around the country. Rather than keep technicians at every site, utilities began connecting the substation equipment to meters and knobs at centralized control centers, first by wire, later by radio, and today over serial ports and digital networks, with graphical computer controls replacing the meters and knobs.
SCADA systems have been plagued by insecurity, and some security experts have been warning for years that attackers could eventually cause a blackout. It finally happened in December 2015, when the hacking operation dubbed Sandworm—which has been linked to the Russian government—successfully attacked a Ukrainian power plant and triggered a blackout that left 225,000 people without power.
Last year, a second attack by the same hackers plunged a portion of Kiev into darkness for about an hour. That attack used previously unseen malware built specifically to manipulate power-plant networks.