The North American and European energy sectors are being targeted by a “new wave” of cyber attacks by the group known as known as Dragonfly, according to a research report released Wednesday by cyber security firm Symantec.
These attacks are specifically focused on the power grid and related components, like power generation, transition and distribution.
“Our real worry here is that they have operation access at this point, which means they could conduct some sort of sabotage operation,” said Eric Chien, director of Symantec’s security technology and response division.
There are traces of the group’s attacks all over Europe, but the core focus of the attacks has been in the United States and Turkey, according to the cyber security firm Symantec.
While Chien and Symantec don’t expect imminent sabotage, the technical hurdles are no longer there, according to their research.
It’s “about motivation at this point,” said Chien.
About a dozen organizations across the U.S. were compromised, according to the research. About a handful of those companies saw activity on the operational side of the business, which is of particular concern.
Computer systems in the energy sector are generally split up into the administrative side and the operational side. The administrative side includes email, office functions and accounting. The operational side controls the connections to the power grid and any machinery or sensors.
Those networks are typically isolated form the administrative networks, but it’s “never perfect,” and there’s always some ability to “hop over,” said Chien.
This cyber infiltration group has been around since at least 2011, but has “re-emerged over the past two years,” in what is being called the “Dragonfly 2.0” campaign, according to Symantec. The attackers are “modifying off-the-shelf tools,” making them harder to track.
“We haven’t really seen this kind of thing in the U.S., other than Dragonfly back in 2014,” said Chien.
At the time, the Dragonfly group was caught hacking into the administrative side of the sector, but this resurgence shows an “escalation” in the number of companies targeted and an “aggressiveness” in accessing the operational side of the business, Chien added.
The current attacks are believed to be connected to a nation-state actor, given the type of infiltration and the fact that there are no extortion demands, or indications of economic espionage or cyber crime.
“This is definitely more political motivation,” said Chien.
Since this has a political motivation, it would likely require a political event before something happened, he said.
Two years ago, Ukraine suffered cyber attacks that caused mass blackouts.
“There is precedent” for a power grid shutdown, said Chien.
However, there was “no overlap in the tool set” used by the attackers in the Ukraine power shutdown and the Dragonfly group Symantec found, but Chien cautioned that it doesn’t rule out the potential it’s the same nation-state directing the efforts, since state actors often have more than one group doing these types of operations.
The last big attack to cause major disruption was the Wannacry attack in May, but that was a “very much shotgun” approach, said Chien. The Dragonfly attacks are “very, very targeted and it’s worrisome,” he said.
“This is probably the most concerning thing we’re seen in a while,” he said.
To prevent against future compromises, Symantec recommends that companies search their networks for “indicators of compromise,” as well as recognize that the Dragonfly group was “very focused” on getting credentials, like passwords and login information, even if the malicious software is removed, the systems could still be at risk.
Organisations should also be updating the “threat models,” to include the fact that an attack on operational systems is now possible and employ more preventative measures like two-factor authentication, which could create hurdles for attackers going forward, according to Chien.
Symantec notified over a hundred energy organizations about the potential compromise and is in contact with the Department of Homeland Security (DHS) and other industry groups about its concerns.
DHS is aware of the report and is reviewing it, according to spokesperson Scott McConnell.
“At this time there is no indication of a threat to public safety,” McConnell said. “We continue to coordinate with government and private sector partners to look into this activity and, through our National Cybersecurity and Communications Integration Center, we have released multiple information products to the critical infrastructure community to provide detection and response recommendations to help them secure their networks.”