A group of cyberspies believed to be operating out of Russia has been observed targeting energy facilities in the United States and other countries, and the attackers appear to be increasingly interested in gaining access to the control systems housed by these organizations.
The group, known as Dragonfly, Crouching Yeti and Energetic Bear, has been active since at least 2010, but its activities were first detailed by security firms in 2014. Many of the threat actor’s attacks have focused on the energy sector in the United States and Europe.
Symantec says it has been monitoring a new campaign, which it has dubbed “Dragonfly 2.0,” since late 2015. The company has spotted victims of this operation in the United States, Switzerland and Turkey.
Symantec first warned about Dragonfly’s potential power grid sabotage capabilities in 2014. However, there has been no evidence that any of the group’s attacks resulted in power disruptions. The company now claims to have found evidence that may suggest the attackers have actually gained access to computers linked to operational systems.
The FBI and the DHS recently issued a joint report to warn manufacturing plants, nuclear power stations and other energy facilities in the U.S. of attacks that may have been launched by Dragonfly. However, the U.S. Department of Energy said only administrative and business networks were impacted, not systems controlling the energy infrastructure.
Symantec pointed out that Dragonfly’s initial campaigns appeared to focus on breaching the targeted organizations’ networks. However, in more recent attacks, the hackers seemed interested in learning how energy facilities operate and gaining access to operational systems. Experts warned that access to operational systems could be used in the future for more disruptive purposes, including to cause power outages.
However, the most “concerning evidence” presented by the security firm involves screen captures taken by the group’s malware. Some screen capture files analyzed by researchers had names containing the location and a description of the infected machine and the targeted organization’s name. Some of the machine descriptions included the string “cntrl,” which may mean that the compromised machine had access to control systems.
Experts previously linked Dragonfly to Russia. Symantec has not made any clear statements regarding the threat actor’s location, but it did say that some of the malware code was in Russian. However, researchers also reported finding strings written in French, which suggests that the attackers may be trying to throw investigators off track.
Symantec has linked the Dragonfly 2.0 attacks to earlier Dragonfly campaigns based on the use of watering holes, phishing emails, trojanized applications, and the same malware families, including the Heriplor backdoor that appears to be exclusively used by this group.
By Eduard Kovacs