Technology & Science

Russia-linked hackers infiltrated U.S. and European energy companies, security firm finds

It's the latest in a string of campaigns that have targeted energy companies around the world.

The group, known as Dragonfly, has spent nearly 2 years collecting intelligence inside company networks

Symantec attributed the attacks to a group called Dragonfly — also known as Energetic Bear — which the U.S. government has previously linked to Russia. (Athit Perawongmetha/Reuters)

A group of malicious hackers believed to be linked to the Russian government have spent nearly two years collecting intelligence inside the computer networks of energy companies in the United States, Turkey and Switzerland — but to what end is unclear.

The campaign is just the latest in a string of intrusions targeting energy companies around the world in recent years. Russia is believed to have launched a pair of cyberattacks in 2014 and 2015 against the Ukrainian energy grid, plunging hundreds of thousands of residents into temporary darkness.

And the U.S. government has found Russian-linked malware on the computers of American utility operations on a number of occasions — most recently in July.

In this case, security company Symantec attributed the attacks to a group called Dragonfly — also known as Energetic Bear — but declined to link Dragonfly with any particular government or nation state.

However, the U.S. Department of Homeland Security and the Federal Bureau of Investigation have previously linked Dragonfly to Russia.

"What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems," states a Symantec report, published Wednesday. "What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so."

The group was active between 2011 and 2014, and after a lull, re-emerged with its most recent campaign starting in late 2015. However, the Symantec researchers noticed a "distinct increase in activity" this year.

Symantec did not mention any of the energy companies targeted by name.

The attackers used a range of techniques to gain access to energy company computers — including phishing emails disguised as a New Year's Eve party invite, and malicious email attachments disguised as business-related documents.

"The attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector," the report says.

Once the attackers established remote access to the company's network, those account credentials could be used to compromise other computers inside the network. 

Symantec says Dragonfly is still active, although for now the group's actions appear limited to reconnaissance. But in possible hint of things to come, the attackers were observed taking screen captures of operational systems, which the Symantec report suggests could even be control systems, based on how the screen capture files are named.

About the Author

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. He can be contacted at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.