Energy firms hacked by ‘cyber-espionage group Dragonfly’

BBC News – Energy firms hacked by ‘cyber-espionage group Dragonfly’.

More than 1,000 energy companies in North America and Europe have been compromised in a huge malware attack unearthed by US security firm Symantec.

The hackers are thought to be part of an Eastern European collective known as Dragonfly, which has been in operation since at least 2011.

Targets included energy grid operators and industrial equipment providers.

“Its primary goal appears to be espionage,” Symantec said.

Sabotage operations

Eighty-four countries were affected, although most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

Since 2013, Dragonfly has been targeting organisations that use industrial control systems (ICS) to manage electrical, water, oil, gas and data systems.

Symantec said Dragonfly had accessed computers using a variety of techniques, including attaching malware to third-party programs, emails and websites, giving it “the capability to mount sabotage operations that could have disrupted energy supplies across a number of European countries”.

It had used Backdoor.Oldrea to gather system information, including the computers’ Outlook address book and a list of files and programs installed, and Trojan.Karagany to upload stolen data, download new files and run them on infected computers, Symantec said.

‘Interesting and concerted’

“The way Dragonfly targeted the companies in question was – while not groundbreaking – interesting and concerted. It appears they clearly mapped out their intended plan of attack,” said Rob Cotton, CEO at global information assurance firm NCC Group.

“The increasing frequency and sophistication of these attacks, whilst concerning, should not be a cause of alarm for the average consumer – yet. Government departments such as the CPNI (Centre for the Protection of National Infrastructure) provide sound advice to all key components of our society, ensuring the lights stay on and similar core services and functions critical to our way of life are available.”

The attack is similar to the Stuxnet computer worm, which was designed to attack similar industrial controllers in 2010 and reportedly ruined almost 20% of Iran’s nuclear power plants.

Symantec said Dragonfly “bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability”.

Independent computer security analyst Graham Cluley told the BBC that the motivation for the attack was unclear, but agreed that many would suspect the attacks were sponsored by a foreign state, highlighting a new era of online crime:

“There is no doubt that we have entered a new era of cybercrime, where countries are not just fighting the threat – but are also exploiting the internet for their own interests using the same techniques as the criminals.”

Dr Andrew Rogoyski, chair of techUK Cyber Security Group, told the BBC that “on the face of it, the attacks seem much more benign than Stuxnet but time and further analysis will tell.