An October 2017 report by researchers at Symantec Corp., cited by the U.S. government, has linked recent US power grid cyber attacks to a group of hackers it had code-named "Dragonfly", and said it found evidence that critical infrastructure facilities in Turkey and Switzerland had also been breached.
The Symantec researchers said an earlier wave of attacks by the same group starting in 2011 was used to gather intelligence on companies and their operational systems. The hackers then used that information for a more advanced wave of attacks targeting industrial control systems that, if disabled, leave millions without power or water.
U.S. intelligence officials have long been concerned about the security of the country’s electrical grid. The recent attacks, striking almost simultaneously at multiple locations, are testing the government’s ability to coordinate an effective response among several private utilities, state and local officials, and industry regulators.
While the core of a nuclear generator is heavily protected, a sudden shutdown of the turbine can trigger safety systems. These safety devices are designed to disperse excess heat while the nuclear reaction is halted, but the safety systems themselves may be vulnerable to attack.
The operating systems at nuclear plants also tend to be legacy controls built decades ago, which lack the digital control systems that hackers could exploit.
“Since at least March 2016, Russian government cyber actors… targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors,” according to Thursday’s FBI and Department of Homeland Security report. The report did not say how successful the attacks were or specify the targets, but said that the Russian hackers “targeted small commercial facilities’ networks where they staged malware, conducted spearphishing, and gained remote access into energy sector networks.” At least one target of a string of infrastructure attacks last year was a nuclear power facility in Kansas.
Symantec doesn’t typically point fingers at particular nations in its research on cyberattacks, said Eric Chien, technical director of Symantec’s Security Technology and Response division, though he said his team doesn’t see anything it would disagree with in the new federal report. The government report appears to corroborate Symantec’s research, showing that the hackers had penetrated computers that would let them directly manipulate power systems, he said.
“There were really no more technical hurdles for them to do something like flip off the power,” he said.
And as for the group behind the attacks, Chien said it appears to be relatively dormant for now, but it has gone quiet in the past only to return with new hacks.
“We expect they’re sort of retooling now, and they likely will be back,” he said.
In some cases, Dragonfly successfully broke into the core systems that control US and European energy companies, Symantec revealed.
“The energy sector has become an area of increased interest to cyber-attackers over the past two years,” Symantec said in its report.
“Most notably, disruptions to Ukraine’s power system in 2015 and 2016 were attributed to a cyberattack and led to power outages affecting hundreds of thousands of people. In recent months, there have also been media reports of attempted attacks on the electricity grids in some European countries, as well as reports of companies that manage nuclear facilities in the US being compromised by hackers.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so. Symantec customers are protected against the activities of the Dragonfly group.”
In recent weeks, senior US intelligence officials said that the Kremlin believes it can launch hacking operations against the West with impunity.
The DHS and FBI report further elaborated: “This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organisations such as trusted third-party suppliers with less-secure networks, referred to as ‘staging targets’ throughout this alert.
“The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. National Cybersecurity and Communications Integration Center and FBI judge the ultimate objective of the actors is to compromise organisational networks, also referred to as the ‘intended target’.”
According to the US alert, hackers used a variety of attack methods, including spear-phishing emails, watering-hole domains, credential gathering, open source and network reconnaissance, host-based exploitation, and deliberate targeting of ICS infrastructure.
The attackers also targeted VPN software and used password cracking tools.
Once inside, the attackers downloaded tools from a remote server and then carried out a number of actions, including modifying key systems to store plaintext credentials in memory and building web shells to gain command and control of targeted systems.
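Two of the post-compromise actions named above leave host-level traces a defender can alert on. The following detector is an added example, not code from the article, Symantec or DHS: it runs over constructed endpoint events (the JSON schema, web roots and deployment allow-list are assumptions), and uses the real Windows WDigest `UseLogonCredential` registry value, which the article does not name, as the concrete case of "storing plaintext credentials in memory".

```python
"""Added example: flag two behaviours from the DHS/FBI alert in endpoint events.
Event schema, web roots and allow-list are assumptions for illustration."""
import json

# Known Windows registry value: UseLogonCredential=1 under the WDigest key makes
# LSASS keep plaintext logon credentials in memory (not mentioned in the article).
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WEB_ROOTS = ("c:\\inetpub\\wwwroot", "/var/www/html")   # assumed web roots
SCRIPT_EXTS = (".aspx", ".asp", ".php", ".jsp")         # server-side script types
DEPLOY_ALLOWLIST = ("msdeploy.exe", "git.exe")          # assumed legitimate writers


def detect(events):
    """Return (rule_name, event_id) findings for an iterable of event dicts."""
    findings = []
    for ev in events:
        # Rule 1: registry change that enables plaintext credential caching.
        if (ev["type"] == "registry_set"
                and ev["key"].lower() == WDIGEST_KEY.lower()
                and ev["value_name"].lower() == "uselogoncredential"
                and ev["data"] == 1):
            findings.append(("plaintext_credential_caching_enabled", ev["id"]))
        # Rule 2: a script file written into a web root by a process that is
        # not a known deployment tool (typical web-shell drop pattern).
        if (ev["type"] == "file_write"
                and ev["path"].lower().startswith(WEB_ROOTS)
                and ev["path"].lower().endswith(SCRIPT_EXTS)
                and ev["process"].lower() not in DEPLOY_ALLOWLIST):
            findings.append(("possible_web_shell_dropped", ev["id"]))
    return findings


# Constructed sample telemetry (JSON lines): a benign registry write, the
# WDigest change, a web-shell drop by the IIS worker, and a legitimate deploy.
SAMPLE_LOG = r"""
{"id": 1, "type": "registry_set", "key": "HKLM\\SOFTWARE\\Vendor\\App", "value_name": "Version", "data": 3}
{"id": 2, "type": "registry_set", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "value_name": "UseLogonCredential", "data": 1}
{"id": 3, "type": "file_write", "path": "C:\\inetpub\\wwwroot\\cmd.aspx", "process": "w3wp.exe"}
{"id": 4, "type": "file_write", "path": "C:\\inetpub\\wwwroot\\index.aspx", "process": "msdeploy.exe"}
"""


def run_sample():
    """Parse the constructed log and return the findings it produces."""
    return detect(json.loads(line) for line in SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for rule, event_id in run_sample():
        print(f"{rule}: event {event_id}")
```

Events 2 and 3 are flagged; the vendor registry write and the deployment-tool write are not.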
“This actor’s campaign has affected multiple organisations in the energy, nuclear, water, aviation, construction and critical manufacturing sectors,” the DHS said, before outlining a number of steps that IT managers in infrastructure organisations can take to cleanse their systems and defend against Russian hackers.