A group of hackers code-named "Dragonfly 2.0" is darting around U.S. energy networks after years of lying dormant, according to the cybersecurity firm Symantec Corp.
The Dragonfly threat last reared its head three years ago, but Symantec researchers reported a "distinct increase in activity" lately as attackers lay the groundwork for sabotaging the U.S. energy sector.
"In 2014, we only saw Dragonfly establish a ‘beachhead,’" said Eric Chien, technical director of Symantec’s security technology and response division, in an email. "Now, we are seeing them penetrate deeper to operational networks."
By worming into victims’ operational computers, the hackers could be poised to plant malware or flip switches to have physical impacts on the power grid, experts say. There is no evidence to suggest they ever took those extra steps in the U.S., but Chien said that at least a "handful" of a dozen or so victims here saw their operational networks compromised. He cautioned that Symantec does not have "full visibility" into the scope of the hacking campaign, which also hit energy companies in Turkey and Switzerland.
Dragonfly 2.0 used many publicly available tools to breach target networks, Chien and his team found, "living off the land" in what may have been an attempt to muddy links to a particular country. However, the attackers recycled an exclusive "backdoor" from the 2014 Dragonfly campaign, dubbed Trojan.Heriplor, suggesting the same group was likely behind both campaigns, Symantec said.
Symantec stopped short of confirming that the Dragonfly 2.0 hackers infected the corporate networks of nuclear power plant operators earlier this year, though the techniques outlined in yesterday’s blog post match up with that incident (Energywire, June 27). In both cases, hackers used "phishing" emails with energy-specific contents and hijacked websites likely to be visited by targets in a "watering hole" attack.
"It’s safe to say these two are related to one another," noted Stephen Ward, a senior director at the industrial cybersecurity firm Claroty.
However, experts said it’s far from certain that the same hackers were also behind two brief power outages in Ukraine in 2015 and 2016. Those are the only known times cyberattacks disrupted part of a power grid anywhere in the world, and fingers quickly pointed at Russia for being responsible.
"We’re now in the age of attacks that are going to cause the type of problems that everybody’s been writing movie scripts about," Ward said.
A spokesman for the Department of Homeland Security said "there is no indication of a threat to public safety" from Dragonfly 2.0, adding that the agency would continue to respond alongside other government offices and the private sector.
Bill Lawrence, director of the Electricity Information Sharing and Analysis Center at the North American Electric Reliability Corp., said the nonprofit grid overseer was aware of the threat and would also keep monitoring it.
"At this time, there are no impacts on the operation or reliability of the bulk power system in North America," he said in an emailed statement.
NERC sets and enforces cybersecurity standards for the U.S. bulk electric power system, which is not known to have ever been physically affected by a cyberattack.
However, multiple former grid officials said that’s no reason for utilities to rest easy. Small power distribution firms may lack the resources to install advanced cyberdefenses and often fall outside the scope of NERC’s mandatory critical infrastructure protection standards.
Dragonfly’s resurgence "should be alarming to utilities, NERC, and those on the front lines of defense," said Brian Harrell, vice president of security at AlertEnterprise and former director of NERC’s critical infrastructure protection program. "The Dragonfly hackers, over the last seven years, seem hellbent on probing and penetrating energy companies," he said, "and the U.S. government should prioritize resources to disrupt and stop this group."
Still, he noted that large portions of the grid are unlikely to be brought down by even sophisticated hackers, given built-in redundancies.
Marty Edwards, former director of DHS’s Industrial Control Systems-Cyber Emergency Response Team, agreed that grid operators would likely take the new threat in stride.
"The energy sector has a lot of experience dealing with this kind of intrusion campaign — they’re fairly resilient when it comes to a cyber event," said Edwards, who now works as managing director of the Automation Federation since departing DHS earlier this year.
Symantec said hackers took screenshots from within computers linked directly to operational networks, underscoring the capacity for sabotage, if not the intent. In one case, the hackers added "cntrl," short for "control," to descriptions of infected machines, potentially highlighting those with access to control networks.
Edwards cautioned that while that indicates a "heightened level of interest in those systems," it is not necessarily a sign of imminent physical danger. He said the evidence presented so far appears to suggest Dragonfly 2.0 is still squarely concerned with "intelligence gathering or industrial espionage."
That’s not too different from Dragonfly’s suspected goals in 2014, when Edwards helped organize a series of closed-door briefings for private utilities caught in the group’s web of activity (Energywire, Oct. 31, 2014).
"When I was at DHS, we were always cautious to point out that companies need to be aware that destructive malware does exist — even though this may not be that," he said. "Campaigns like Dragonfly continue to evolve. They may go quiet for a while, but I don’t think they ever go away."