Hackers likely linked to a foreign government have targeted U.S. and European energy sector companies in an escalating industrial espionage campaign, according to reports from private cyber security researchers.
The report prompted the Department of Homeland Security to issue an alert.
The group, dubbed “Energetic Bear” or “Dragonfly” by different security firms, has targeted primarily oil and gas companies but also health care, government and defense contractors. In a blog post, the security firm Symantec said the attacks bear the “hallmarks of a state-sponsored operation, displaying a high degree of technical capability.”
Based on the hours during which attacks occurred, Symantec concluded they came from Eastern Europe. Both the New York Times and the Financial Times quoted experts saying that Russia was the likely origin.
The attacks include phishing scams in which malicious links were sent via mass e-mails. In others, the hackers infected Web sites their targets visited often, tricking them into downloading malware that gave hackers access to their computers. The attacks are hard to detect because the hackers used encryption to cover their tracks.
Symantec did not identify the companies that were attacked, but said they were located in the United States, Spain, France, Italy, Germany, Turkey and Poland. According to Symantec:
The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.
Finnish security firm F-Secure revealed the group has stepped up their game in the past six months, breaking into the networks of oil and energy firms. When these companies updated software that, for example, manages wind turbines and natural gas plants, they downloaded infected versions, letting hackers access their systems remotely. The infected software was downloaded at least 250 times.
Symantec compared the attacks to Stuxnet, a computer worm designed by the United States and Israel designed to sabotage Iran’s nuclear program. “Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required,” the firm wrote.
There was no evidence the Russian group intended to inflict damage such as blowing up an oil rig or power facility, Kevin Haley, the director of security response at Symantec, told the New York Times. The motive, he suggested, was to learn more about energy companies’ operations, strategic plans and technology. “But the potential for sabotage is there,” he said.
Adam Meyers, head of threat intelligence for the security firm CrowdStrike, told the Times that recently the hackers have been targeting companies in the financial sector, especially the Web sites of firms that invest in energy.