A Russian group of hackers known as Energetic Bear is attacking energy companies in the US and Europe and may be capable of disrupting power supplies, cyber-security researchers said.
The hackers, also called Dragonfly, appear to have the resources, size and organization that suggest government involvement, security company Symantec said in a blog post on Monday.
The attackers are targeting grid operators, petroleum pipeline operators, electricity generation firms and other “strategically important” energy companies, it said.
More than half of the infections found were in the US and Spain, Symantec said, while Serbia, Greece, Romania, Poland, Turkey, Germany, Italy and France were also targeted.
The hackers, who have been active since at least 2011, appeared to work a standard week, operating 9am to 6pm, Monday to Friday, in a time zone shared by Russia and other eastern European countries, Symantec said.
The group has a “nexus to the Russian Federation,” according to a report published in January by Irvine, California-based CrowdStrike, which focuses on identifying web “adversaries.”
The hackers also targeted academics globally, European governments, defense contractors and US health-care providers, the CrowdStrike report said.
Helsinki-based security firm F-Secure noticed the group’s focus shifting to industrial control systems earlier this year, according to a June 23 blog post.
It is unclear whether a state is directly involved or if the group is trying to sell to a government, said Eric Chien, chief researcher at Symantec’s Security Technology and Response Team.
“The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors,” Symantec said.
“These infections not only gave attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations.
“When they do have that type of access, that motivation would not be for espionage.
“When we look at where they are at, we are very concerned about sabotage.”
Symantec started actively monitoring Dragonfly’s activities in 2012, when the attacks only looked like espionage, Chien said.
Some of the group’s malware infiltrates remote access software used by energy companies, giving the attackers the same privileges as the industrial control system itself.
Cyber-spies are targeting utility companies all over the world. Dragonfly’s tactics are similar to those of Stuxnet, a computer virus that was found to target Iranian nuclear facilities in 2010, Symantec said. That malware targeted software made by Siemens, among others.
The FBI discovered a Chinese hacker, called UglyGorilla, seeking access to parts of a US utility company’s systems that would let him cut off heat or damage pipelines. He and others working for the Chinese People’s Liberation Army were indicted by a US grand jury in May for computer fraud and economic espionage.
“The worst-case scenario would be that the systems get shut down,” Chien said.
“You could see the power go out, for example, and there could be disruption in that sense.”