The IT security firm Symantec revealed on Wednesday that hackers have targeted energy companies in the US and across Europe in a series of attacks that gave them hands-on access to power grid functions. They have now acquired enough control that they can easily shut down the grid and cause a widespread outage in the US whenever they want to. The campaign, in which dozens of companies from the energy sector were targeted, is called Dragonfly 2.0. The attacks started in the first half of 2017, and in total there were 20 successful cases.
According to Symantec’s security experts, the hackers tried to access the networks of these targeted companies in the spring and summer of 2017. In the 20 successful cases the networks were compromised, while at some US power firms and at a Turkish company the attackers managed to gain operational control, which allowed them to monitor and operate the interfaces that engineers at the power company use to send commands to critical equipment like circuit breakers. This would allow them to stop the electricity flow across the US.
In an interview with Wired, Eric Chien, a security analyst at Symantec, said that the attackers are now in a position to conduct sabotage as they can easily “flip the switch on power generation.”
“We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world,” noted Chien.
This is the first time that hackers have gained such a high level of control over US power sector firms and power systems. Previously, the biggest achievement of hackers in this sector was the repeated attacks on the Ukrainian power grid, which caused a power outage in Ukraine twice between late 2015 and early 2016. In those attacks, the Russia-based Sandworm hacker group was believed to be the main perpetrator, as per the analysis of the security firms FireEye and Dragos. However, Symantec has not blamed any particular private or state-owned hacker group for the recent attacks, and the company is still clueless about the motives behind them.
Moreover, Symantec hasn’t identified any similarity between Sandworm’s attacks and the latest power grid attacks, and the company is not directly relating the Dragonfly 2.0 campaign to the intrusions by hackers on US power companies, including the Kansas-based nuclear facility Palmetto Fusion back in July, which were linked to Russia at that time. But Chien has noted that the hacking method and the timing of the Dragonfly 2.0 campaign are almost identical to those of the Palmetto Fusion hacking.
“It’s highly unlikely this is just coincidental,” claims Chien, but he also claims that the latest campaign has targeted non-nuclear energy facilities only, unlike the Palmetto Fusion attack. Symantec tracked the Dragonfly 2.0 attacks as far back as December 2015, but the company identified that the attacks increased sharply in the early half of 2017. The most prominent and frequent targets include the US, Turkey, and Switzerland.
The attacks started with attention-grabbing spear-phishing emails, such as a New Year’s Eve party invite, meant to trap recipients into clicking on and opening an infected attachment. The attackers also used the watering hole method, infecting a website that was frequently visited by the targets. This helped them compromise the computers of their victims. The purpose of these attacks was to collect the victims’ credentials and to acquire remote access to their computers.
In the most successful cases, the hackers managed to penetrate deep enough into the system that they were able to get screenshots of the actual control panels of their targets’ grid operations. This was the final step toward the actual motive of sabotaging the systems when required. These screenshots helped the hackers understand the entire control procedure and how to shut down the power grid at will.
So, why didn’t the hackers cause a blackout in the US when they could do so? Symantec researchers claim that the hackers could be holding on to the information for now and waiting for the right time to cause extensive damage to the electricity supply in the US. For example, they might be waiting for an armed conflict to arise in the US to use their abilities.
“If these attacks are from a nation state one would expect sabotage only about a political event,” believes Chien.
The most likely suspect, as per Symantec’s analysis, is Russia, but the company notes that the hackers relied upon free tools and exploited existing flaws in software rather than any new vulnerability. The company did, however, find code strings written in Russian and French in the malware that was used for the intrusion. This might just be an attempt to mislead the researchers, stated Chien.
Symantec has warned energy companies that the Dragonfly 2.0 hackers are currently active, and the firms must therefore keep electric utilities on high alert.