Russia-Linked Hackers Could Sabotage US Energy Systems

A closely watched group of hackers that U.S. officials believe is linked to Russia has upped its activity against energy providers in the U.S., Turkey and Switzerland. The group has likely developed the expertise to shut down systems, security company Symantec warned Wednesday.

The group, which Symantec calls Dragonfly, has been identified by the U.S. government as linked to Russian intelligence services, according to a December 2016 advisory from the FBI and Department of Homeland Security.

Dragonfly, which has also been called Havex, Energetic Bear and Iron Liberty, has been active since 2011. Symantec says in a blog post that its operations appeared to tick up starting in 2015 and have continued through this year. It warned that Dragonfly is interested in gaining access to systems and learning how they are structured.

That learning has likely culminated in an "ability to sabotage or gain control of these systems should it decide to do so," Symantec says. "The activity has been noticed against the U.S. and Switzerland, but a focus on Turkey has increased dramatically.

"What is clear is that Dragonfly is a highly experienced threat actor. What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so."

FireEye calls the Dragonfly group "Koala." John Hultquist, FireEye's director of intelligence analysis, writes on Twitter that Dragonfly has not yet "demonstrated a capability to manipulate the systems they are after but that may be premature."

In another tweet, he adds: "Regarding the Dragonfly revelations, please remember that access does not equal capability, but ICS is being targeted maliciously."

ICS Vulnerabilities

Worries over the vulnerability of industrial control systems have pervaded governments and researchers. Such systems have increasingly been connected to the internet, which could give hackers a path to the controls themselves and a way to disrupt energy systems.

The most well-known energy-related attacks affected Ukraine. In 2015 and 2016, the country saw two attacks against energy providers that caused blackouts, making real what security experts had long feared. Those attackers are speculated to be linked to Russia, which has continued a low-level military campaign against its neighbor since the annexation of Crimea (see Ukraine Blackout Redux: Hacking Confirmed).

Symantec doesn't mention Russia in its blog, but says Dragonfly "is clearly an accomplished attack group."

"It is capable of compromising targeted organizations through a variety of methods; can steal credentials to traverse targeted networks; and has a range of malware tools available to it, some of which appear to have been custom developed," the company says.

Dragonfly's Next Phase

When Dragonfly was first observed in 2011, the group seemed more interested in learning about networks and gathering access credentials that could be exploited later. The next phase, however, is more invasive.

"The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in [the] future," Symantec says.

Dragonfly uses a mix of methods to gain access to systems, including spear-phishing emails carrying malware, links that lead to hacked websites rigged with malware, and compromised software. But it doesn't use any zero-day vulnerabilities, which are relatively rare flaws for which the vendor has no patch and which are therefore difficult to defend against, Symantec says. That detail matters for defenders: without zero-days, the group depends on known weaknesses, social engineering and stolen credentials, all of which routine controls can address.

Defense? Good Password Hygiene

Deflecting Dragonfly comes back largely to what should be common sense security practices.

Symantec says the group relies on stealing access credentials. That makes credential management critical: passwords should be strong and unique, never reused across systems on the network. Unused credentials and profiles should be deleted, and the number of accounts with high privileges kept to a minimum, Symantec says.

Accounts should also have two-factor authentication enabled, which typically requires a time-sensitive one-time passcode to be entered in addition to the username and password, so that a stolen password alone is not enough to log in.

Employees should also be educated to watch for spear-phishing emails - carefully crafted messages designed to bait victims into taking some action.

Symantec says the first sign of Dragonfly's renewed activity was a campaign "that sent emails disguised as an invitation to a New Year's Eve party to targets in the energy sector in December 2015. The group conducted further targeted malicious email campaigns during 2016 and into 2017. The emails contained very specific content related to the energy sector, as well as some related to general business concerns. Once opened, the attached malicious document would attempt to leak victims' network credentials to a server outside of the targeted organization."