A massive cyber crime attack involving more than 1,000 energy companies in North America and Europe has been reported by US security firm Symantec Security. Symantec said that although the exact number of firms compromised by this malware attack is not yet known, the figure could be in the region of 1,000 or more energy firms. According to Symantec, the attack was carried out by a hacking collective known as Dragonfly and is said to be powerful enough that it may be capable of disrupting power supplies in the United States and European countries.
The Dragonfly collective, also known as “Energetic Bear”, is thought to be of Eastern European, most probably Russian, origin and has been carrying out high-level hacking attacks since 2011. Regarding the latest attack, Symantec said the targets included nearly every part of the energy sector: grid operators, petroleum pipeline operators, electricity generation firms and other “strategically important” energy companies. In all, energy firms in 84 countries were targeted by Dragonfly. More than half of the infections found were in the U.S. and Spain, Symantec said, while Serbia, Greece, Romania, Poland, Turkey, Germany, Italy and France were also targeted.
Since 2013, Dragonfly has been targeting organisations that use industrial control systems (ICS) to manage electrical, water, oil, gas and data systems. Notably, Symantec reports that these hackers operate like a normal corporate office. The hackers, who have been active since at least 2011, appeared to work a standard week, operating 9 a.m. to 6 p.m., Monday through Friday, in a time zone shared by Russia and other eastern European countries, Symantec said.
This is the same group that was earlier flagged by security firm CrowdStrike in a report (PDF) as being highly active in the European theatre. CrowdStrike, which specialises in identifying potential adversaries in cyberspace, said the group has a “nexus to the Russian Federation.” According to CrowdStrike, Dragonfly is highly proficient at targeting large corporations, academics, European governments, defense contractors and U.S. health-care providers.
In a blog post published on 23rd June 2014, Helsinki-based security firm F-Secure Oyj reported that Dragonfly had shifted its focus from its earlier targets to industrial control systems specifically, a change F-Secure found highly suspicious. Symantec has also reported that the scale of the attack “bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability,” though it is not clear whether a state is directly involved, whether the group is trying to sell its access to a government, or whether it was hired for this particular job by a state.
Symantec said that Dragonfly gained access to computers using a variety of techniques, including attaching malware to third-party programs, emails and websites, giving it “the capability to mount sabotage operations that could have disrupted energy supplies across a number of European countries”.
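The “malware attached to third-party programs” route is the one a defender can check for mechanically: an installer obtained from a download site should match the hash the vendor published for it. The following script is an added example written for this article; it is not Symantec’s, F-Secure’s or any vendor’s code. It assumes a hypothetical vendor manifest of “sha256  filename” lines, obtained out of band (for example pinned in configuration or fetched over a separately authenticated channel), and all file names, contents and hashes in the demo are constructed.

```python
"""Verify downloaded third-party installers against a vendor-published hash manifest.

Added example for this article, not code from Symantec or any vendor. Assumes a
hypothetical manifest format of "sha256  filename" lines obtained out of band,
never from the same location as the downloads themselves.
"""
import hashlib
import hmac
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional


@dataclass
class VerifyResult:
    filename: str
    status: str            # "ok", "mismatch", "unlisted" or "missing"
    expected: Optional[str]
    actual: Optional[str]


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256  filename' lines; reject anything that is not a 64-hex digest."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        manifest[name.strip()] = digest.lower()
    return manifest


def sha256_file(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(download_dir: Path, manifest: Dict[str, str]) -> List[VerifyResult]:
    """Compare every file in download_dir against the manifest.

    A file whose digest differs from the published one ("mismatch") must not be
    deployed; a file with no manifest entry ("unlisted") should be treated the
    same way, since a trojanised package may arrive under an unexpected name.
    """
    results: List[VerifyResult] = []
    seen = set()
    for path in sorted(download_dir.iterdir()):
        if not path.is_file():
            continue
        seen.add(path.name)
        actual = sha256_file(path)
        expected = manifest.get(path.name)
        if expected is None:
            status = "unlisted"
        elif hmac.compare_digest(expected, actual):
            status = "ok"
        else:
            status = "mismatch"
        results.append(VerifyResult(path.name, status, expected, actual))
    # Manifest entries with no matching download are reported too, so an
    # incomplete download set is visible rather than silently passing.
    for name, expected in manifest.items():
        if name not in seen:
            results.append(VerifyResult(name, "missing", expected, None))
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: one genuine installer, one tampered one, one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        genuine = b"CONSTRUCTED-GENUINE-INSTALLER"
        (d / "ics_client_setup.exe").write_bytes(genuine)
        # Tampered copy: the vendor's bytes with extra content appended.
        (d / "ics_driver_setup.exe").write_bytes(b"CONSTRUCTED-DRIVER" + b"-EXTRA")
        (d / "readme.txt").write_bytes(b"not in the manifest")
        manifest_text = "\n".join([
            "# constructed manifest, hypothetical vendor",
            f"{hashlib.sha256(genuine).hexdigest()}  ics_client_setup.exe",
            f"{hashlib.sha256(b'CONSTRUCTED-DRIVER').hexdigest()}  ics_driver_setup.exe",
            f"{'0' * 64}  ics_firmware.bin",
        ])
        return {r.filename: r.status for r in verify_downloads(d, parse_manifest(manifest_text))}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The check is only as strong as the channel the manifest came from: if the hash list is served from the same compromised download page as the installer, an attacker can replace both. Pin the manifest, or verify a signature over it, before trusting it, and treat “unlisted” and “mismatch” identically at deployment time.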
It used Backdoor.Oldrea to gather system information, including the computers’ Outlook address books and lists of installed files and programs, and Trojan.Karagany to upload stolen data and to download new files and run them on infected computers, Symantec said.