Symantec warns hackers poised to shut down power infrastructure

Global cyber security firm Symantec has warned that a hacking operation has successfully infected power companies in the US and Europe.

The Dragonfly group has been identified as having infiltrated firms in the US, Turkey and Switzerland, and has the capability to use cyberattacks to cause mass power outages, total shutdown of electrical grids, and major disruption of utilities.

Experts at Symantec believe Dragonfly, which has been trying to crack into the systems since 2011, may be sitting silently on the systems, waiting to interfere in state power generation apparatus.
It stated on its website: “The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014. This ‘Dragonfly 2.0’ campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group.”

Hackers have been targeting employees using a tactic called “phishing” for several years.

The group, known as Dragonfly, Energetic Bear or Berserk Bear, infiltrated energy companies by tricking employees into opening Microsoft Word documents that harvest usernames and passwords, and the number of attacks has risen in recent months.

An attack on Ukraine’s power system, which caused widespread blackouts in 2015 and 2016, shows the potential impact of such an attack. Eric Chien, a technical director at Symantec, said the attackers were “potentially politically motivated”, with targets concentrated in the US and Turkey.

Even if they compromise only a small energy company, they could put the entire power grid at risk by removing power from the grid or feeding too much power into it, he said.

“We see them active on operational machines, understanding how they work, potentially understanding how to run a sabotage campaign. There’s no evidence of them modifying or corrupting them,” he told the Financial Times. “They are waiting in case there is some kind of political event, then they have the cyber offensive means.”

CrowdStrike, another cyber security company, says the hackers are a nationalistic Russian group that may be trying to glean knowledge about the energy industry in order to use it as a diplomatic tactic.

Adam Meyers, vice-president of intelligence at CrowdStrike, said: “They can assess how effective a threat to disrupt the flow of energy exports to a specific country might be and what recourse or action might be taken as a result.” Mr Meyers added that Turkey may have been particularly targeted by the Russians because of tensions after Ankara shot down a Russian warplane it believed to be in its airspace.