Hackers operating somewhere in Eastern Europe have penetrated the networks of energy companies in the U.S., Spain, France and several other countries and may have gained the ability to carry out cyber-sabotage attacks, researchers at the security company Symantec said today.
In what’s being described as a departure from typical hacking attacks that are intended to steal intellectual property, the attackers gained access to industrial control systems used to maintain power grids and oil and gas pipelines and had the ability to take over operations or even damage them.
Symantec says it “bears the hallmarks” of state-sponsored operations, but does not identify any specific country. It nicknamed the attackers “Dragonfly,” and said the only clue to their identity was the fact that they were operating during standard business hours in a time zone that includes the countries of the former Soviet republics of Georgia and Azerbaijan, but also the United Arab Emirates. Another clue: They used an attack tool that appears to have been modified by a Russian-speaker.
The attacks started last year with well-understood techniques that included spear-phishing, or sending legitimate-seeming emails bearing attachments infected with malware, and waterholing or redirecting people from a legitimate Web site to another serving malware.
Targets of the Dragonfly group included personnel at energy grid operators, electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the companies targeted were in the U.S., Spain and France, but also included companies in Italy, Germany, Turkey, Poland, Romania, Greece and Serbia.
Symantec said contacted all the companies involved and postponed the publishing of this report until after the problems were addressed by the affected companies. A chart in the report indicated that more than 70 companies were affected in the U.S., more than 70 in Spain and more than 20 in France. (Screen grab of a chart from the Symantec white paper on the attacks at right.)
In an interview Eric Chien, technical director at Symantec’s Security Technology and Response and response team, explained the third phase of the attack that should give governments around the world pause. The Dragonfly attackers attacked a software vendor that supplies many energy companies with virtual private network (VPN) software used to control and manage industrial control systems (ICS), computers used to control any kind of industrial equipment.
Chien said they created a compromised version of the VPN that included malware that gave them the same level of access to those ICS systems. “They had the same level of access that any technician would have. They literally had the power to keep the lights on or keep the oil flowing.”
Symantec hasn’t disclosed the identify of the victims. But Chien said they include “names you would recognize,” among power companies in the U.S. and Europe.
All the victims in the attack have been notified and the vulnerabilities corrected. During its research, Symantec gained access to Dragonfly’s infrastructure and was able to determine the identity of most of the companies compromised in the attack.
It’s the sort of thing that has kept the leading researchers into the potential for cyberwar up at night. For years, the notion of attacking those ICS systems was only a theory. In 2007 the US Department of Energy conducted some then-classified experiments at the Idaho National Laboratory which showed that an electrical generator could be made to destroy itself via a remote cyberattack. (See the video below.)
Then in 2010 the world first learned of the existence of a computer worm that came to be known as Stuxnet.
Created through the joint efforts of the CIA in the US and Israel’s intelligence agencies, its purpose was to sabotage equipment belonging to the nation of Iran involved with the enrichment of uranium and attached to that countries nuclear weapons research program.
It was a success, in that it did much of what it was intended to do. As the sabotage operation reached its denouement, Iranian computers connected to centrifuges told their human operators that all was normal when in fact they were spinning out of control. Several exploded. By some estimates the Iranian nuclear research program was set back by two years, though those estimates have been disputed.
In any event Stuxnet has been seen as a key turning point in the evolution of cyber-operations by nation states in that it showed that industrial control systems could be attacked and used to carry out sabotage. The more recent Heartbleed vulnerability added to those worries.
“Before Stuxnet people thought attacking these systems was just something that happened in the movies,” Chien said. “Stuxnet showed that they’re not off-limits. It opened a Pandora’s Box. And now other people are figuring out ways to do it.”
Here’s that video showing the US Department of Energy experiment. It shows a generator under attack. Now imagine that’s the generator keeping your lights on, and you get the idea of what those hackers could have done.