Russian Hackers Targeting Energy Sector, Says Report

A group of hackers apparently based in Moscow has been conducting an “ongoing cyberespionage campaign” against energy sector companies in the U.S. and Western Europe, according to a report released June 30 by computer security firm Symantec.

The targets included “energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers,” said the report. The majority of targets were located in the U.S., Spain, France, Italy, Germany, Turkey, and Poland.

The attacks were carried out by a group code-named Dragonfly, which Symantec said “bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.” While the purpose of the attacks appeared to be industrial espionage and no equipment was damaged, the method of access included loading malware on industrial control systems (ICSs).

According to the report, one of Dragonfly’s campaigns “compromise[d] a number of industrial control system equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’networks, but also gave them the means to mount sabotage operations against infected ICS computers.”

Three different ICS equipment firms were targeted:

  • A firm that provides VPN access to programmable logic controllers (PLCs). The vendor discovered the attack quickly but not before there were about 250 downloads of the compromised software.
  • A European manufacturer of specialist PLCs. A software package containing a driver for one of its devices was compromised, and the infected software was available for download for at least six weeks in June and July 2013.
  • A European company that develops systems to manage wind turbines, biogas plants, and other energy infrastructure. The compromised software may have been available for download for about 10 days in April 2014.

The report noted that the attackers avoided attacking targets directly but instead relied on similar “back doors” such as the method above, in which targets downloaded software updates from trusted sources. This suggests that plant owners will need to look beyond merely upgrading their own systems and implement means of protection against otherwise trusted vendors and suppliers.

—Thomas W. Overton, JD is a POWER associate editor.