Russia-linked hackers infiltrated U.S. and European energy companies, security firm finds
The group, known as Dragonfly, has spent nearly 2 years collecting intelligence inside company networks
A group of malicious hackers believed to be linked to the Russian government have spent nearly two years collecting intelligence inside the computer networks of energy companies in the United States, Turkey and Switzerland — but to what end is unclear.
The campaign is just the latest in a string of intrusions targeting energy companies around the world in recent years. Russia is believed to have launched a pair of cyberattacks in 2014 and 2015 against the Ukrainian energy grid, plunging hundreds of thousands of residents into temporary darkness.
And the U.S. government has found Russian-linked malware on the computers of American utility operations on a number of occasions — most recently in July.
In this case, security company Symantec attributed the attacks to a group called Dragonfly — also known as Energetic Bear — but declined to link Dragonfly with any particular government or nation state.
However, the U.S. Department of Homeland Security and the Federal Bureau of Investigation have previously linked Dragonfly to Russia.
"What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems," states a Symantec report, published Wednesday. "What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so."
The group was active between 2011 and 2014, and after a lull, re-emerged with its most recent campaign starting in late 2015. However, the Symantec researchers noticed a "distinct increase in activity" this year.
Symantec did not mention any of the energy companies targeted by name.
The attackers used a range of techniques to gain access to energy company computers — including phishing emails disguised as a New Year's Eve party invite, and malicious email attachments disguised as business-related documents.
"The attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector," the report says.
Once the attackers established remote access to the company's network, those account credentials could be used to compromise other computers inside the network.
Symantec says Dragonfly is still active, although for now the group's actions appear limited to reconnaissance. But in possible hint of things to come, the attackers were observed taking screen captures of operational systems, which the Symantec report suggests could even be control systems, based on how the screen capture files are named.