Symantec Discovers Hacks on U.S. Power Grid

A hacker group named Dragonfly 2.0 has gained access to several companies that supply electricity to the U.S. power grid, according to Symantec.

The new wave of cyberattacks could give attackers the means to severely disrupt affected operations centers in Europe and North America. Dragonfly 2.0 has been in operation since at least 2011 and is linked to the Russian government. This campaign began in late 2015 and shares tactics and tools used in earlier campaigns by the group, including malicious emails, watering hole attacks, and Trojanized software, according to Symantec.

The email campaigns send users content that is specific to the energy industry. If opened, the attached malicious document would leak victims’ network credentials to a server outside of the targeted organization. Some of these emails were constructed using the Phishery Toolkit, which was observed by Cisco in July, researched by Symantec, and made available on GitHub in 2016.

The hackers also used watering hole attacks to collect network credentials, compromising websites that were likely to be visited by those involved in the energy sector. The stolen credentials are then used to target additional organizations. The group also used files disguised as Flash updates, which may be used to install malicious backdoors onto target networks.

Dragonfly 2.0 is collecting information to learn how energy facilities operate and also gaining access to operational systems. The group potentially has the ability to sabotage or gain control of these systems. Symantec customers are protected against the activities of the Dragonfly group and Symantec made an effort to notify the victims of these attacks.

“Sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns,” the Symantec report said. “The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”
