1 000+ energy firms infected by Dragonfly

Posted by: Metering International

July 4, 2014


Attackers have gained a foothold in the networks of more than 1 000 organisations, many of them energy firms, it was revealed this week. The group, tracked by Symantec as Dragonfly and known to other vendors as Energetic Bear, planted a remote-access Trojan in legitimate software from industrial control system (ICS) vendors, so that customers installed the malware themselves when they downloaded updates for computers running ICS equipment. According to Symantec, the infections gave the attackers both a platform for espionage and the means to sabotage the infected ICS computers.

The attackers, which Symantec has dubbed Dragonfly, compromised a number of strategically important organisations for espionage purposes and could have caused damage or disruption to energy supplies in the affected countries, had they chosen to do so.

According to Symantec, the group has compromised more than 1 000 organisations across 84 countries over an 18-month period.

The most ambitious attack campaign saw the group compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote-access Trojan.

This caused companies to install the malware when downloading software updates for computers running ICS equipment.

These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.
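The update vector described above succeeds because the update process trusts whatever the vendor's download server hands back. The following is an added example, not code from the original article or from any of the vendors involved: it verifies a downloaded package against a SHA-256 digest that must be obtained through a second channel (a signed manifest, or a value confirmed with the vendor), and rejects a package whose contents differ or that is not listed at all. The installer bytes, the file names and the manifest are constructed for this example.

```python
"""
Integrity check on a vendor software update before installation.

Comparing the downloaded package against a SHA-256 digest obtained out of
band rejects a package whose contents were swapped on the download server.
The installer bytes and the manifest below are CONSTRUCTED for this example.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines (sha256sum's output format) into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_update(name: str, data: bytes, manifest: dict) -> bool:
    """True only if the file is listed and its digest matches (constant-time compare).

    An unlisted file is rejected: a package that an attacker adds to the
    download site must not be accepted by default."""
    if name not in manifest:
        return False
    return hmac.compare_digest(sha256_hex(data), manifest[name])


# --- constructed sample data (stand-ins, not real vendor files) --------------
GENUINE_INSTALLER = b"ICS-HMI-Setup v2.1 (constructed stand-in for a real installer)\n" * 64
# A tampered copy: the same bytes with extra content appended, as a trojanised build would carry.
TROJANISED_INSTALLER = GENUINE_INSTALLER + b"\x90\x90 constructed RAT payload stub"

# What the vendor would publish out of band (computed here from the genuine bytes).
VENDOR_MANIFEST = (
    "# SHA-256 digests for the 2.1 release (constructed)\n"
    f"{sha256_hex(GENUINE_INSTALLER)}  ics-hmi-setup-2.1.exe\n"
)


def run_checks() -> dict:
    """Return the verification verdict for each candidate package."""
    manifest = parse_manifest(VENDOR_MANIFEST)
    return {
        "genuine": verify_update("ics-hmi-setup-2.1.exe", GENUINE_INSTALLER, manifest),
        "trojanised": verify_update("ics-hmi-setup-2.1.exe", TROJANISED_INSTALLER, manifest),
        "unlisted": verify_update("ics-hmi-setup-2.1-hotfix.exe", GENUINE_INSTALLER, manifest),
    }


if __name__ == "__main__":
    for label, ok in run_checks().items():
        print(f"{label:11s} -> {'install' if ok else 'REJECT'}")
```

Two caveats matter for this vector. The digest is only worth something if it does not come from the same server the attackers control, which is why a code-signing check against a vendor certificate is the stronger form of the same idea. And neither check helps when the build was trojanised before the vendor hashed or signed it; it catches a swap on the distribution side, not a compromise of the vendor's build process.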

“Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers,” Symantec said.

“The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.”

The Dragonfly group, which is also known by other vendors as Energetic Bear, appears to have been in operation since at least 2011 and may have been active even longer than that, Symantec said.

‘Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.’

‘Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.

‘Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone.

‘Based on this information, it is likely the attackers are based in Eastern Europe.’
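The time-zone inference Symantec describes above is a standard piece of malware attribution: take the compile timestamps from the samples, shift them through each candidate UTC offset, and see which offset makes the activity line up with an ordinary working week. The following is an added example of that analysis, not Symantec's code and not run on Dragonfly samples: the timestamps are constructed to look like a fictitious team compiling during office hours at UTC+4, with two off-hours outliers, and the working-day window (Monday to Friday, 09:00 to 18:00) is an assumption of the example.

```python
"""
Working-hours analysis of malware compile timestamps.

Each timestamp is a PE header TimeDateStamp (seconds since the Unix epoch,
UTC). The timestamps are shifted through every whole-hour UTC offset and
scored by the fraction that falls inside a Monday-to-Friday 09:00-18:00
working day; the best-fitting offset is the hypothesis for the developers'
local time zone.

The timestamps are CONSTRUCTED: a fictitious team compiling during office
hours at UTC+4, plus two off-hours outliers. They are not Dragonfly samples.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18   # local 09:00 inclusive to 18:00 exclusive


def score_offset(timestamps, offset_hours):
    """Return (workday_fraction, weekday_counts, hour_counts) under one UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    in_workday = 0
    weekdays, hours = Counter(), Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        weekdays[local.weekday()] += 1
        hours[local.hour] += 1
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_workday += 1
    return in_workday / len(timestamps), weekdays, hours


def best_offset(timestamps, offsets=range(-12, 15)):
    """Return (offset_hours, workday_fraction) for the best-fitting whole-hour offset."""
    scored = {off: score_offset(timestamps, off)[0] for off in offsets}
    best = max(scored, key=scored.get)
    return best, scored[best]


def constructed_timestamps(weeks=8, start="2013-03-04"):
    """CONSTRUCTED sample: builds Mon-Fri at 09:15..17:15 local time in UTC+4,
    plus one Saturday-afternoon build and one 02:00 build as noise."""
    dev_tz = timezone(timedelta(hours=4))
    first = datetime.strptime(start, "%Y-%m-%d").replace(tzinfo=dev_tz)
    stamps = []
    for day in range(weeks * 7):
        d = first + timedelta(days=day)
        if d.weekday() >= 5:          # skip the fictitious team's weekends
            continue
        for h in (9, 10, 11, 13, 14, 16, 17):
            stamps.append(int(d.replace(hour=h, minute=15).timestamp()))
    stamps.append(int((first + timedelta(days=5, hours=14)).timestamp()))  # Saturday build
    stamps.append(int((first + timedelta(days=9, hours=2)).timestamp()))   # 02:00 build
    return stamps


if __name__ == "__main__":
    stamps = constructed_timestamps()
    off, frac = best_offset(stamps)
    print(f"best fit: UTC{off:+d} ({frac:.1%} of builds inside Mon-Fri 09:00-18:00)")
    _, weekdays, hours = score_offset(stamps, off)
    print("builds per weekday (Mon..Sun):", [weekdays[i] for i in range(7)])
    print("builds per local hour:", sorted(hours.items()))
```

Two points worth keeping in mind when reading a result like this. Compile timestamps are written by the attacker's own toolchain and can be zeroed or forged, so the histogram is one signal to be corroborated with others (resource language identifiers, command-and-control activity times) rather than proof on its own. And a whole-hour offset covers a wide band of territory: UTC+4 narrows the search, but it is the combination with other evidence that supports a conclusion such as the one Symantec draws.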
