Recently, a Russian group of hackers known as ‘Energetic Bear’ has compromised over 1,000 European and North American energy firms with a sophisticated cyber weapon, similar to Stuxnet, that gave the hackers access to power plant control systems, a security firm said.
The group, also known as ‘Dragonfly’, is an eastern European collective that has been active since at least 2011 and has been using phishing sites and Trojans to target energy supplier organizations in the US and several other countries since 2013.
“Its primary goal appears to be espionage,” claimed Symantec. The group appears to have the resources, size and organization that strongly suggest government involvement in the malware campaign, said the firm.
According to the blog post published yesterday by security firm Symantec, the Dragonfly group mainly targeted petroleum pipeline operators, electricity generation firms and other Industrial Control Systems (ICS) equipment providers for the energy sector in several countries.
Since 2013, Dragonfly has been targeting organizations that use Industrial Control Systems (ICS) to manage electrical, water, oil, gas and data systems. The campaign, spanning 18 months, affected almost 84 countries, although most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
“Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013,” reads the blog post. “Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.”
Dragonfly used several techniques to infect industrial software with Remote Access Trojans (RATs) in order to access computer systems, including attaching malware to emails, websites and third-party programs, giving it “the capability to mount sabotage operations that could have disrupted energy supplies across a number of European countries”.
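The third of those vectors, malware bundled into third-party programs, is the one an ICS operator can check for before installation. The following is an added defensive example, not code from the article or from Symantec: it verifies a downloaded installer against a vendor-published SHA-256 manifest in the `sha256sum` line format, obtained over a separate trusted channel. The file name, installer bytes and manifest here are constructed for the example; in practice the manifest text comes from the vendor and the bytes from the downloaded file.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample data (not a real vendor product or real hashes):
# a legitimate installer and a copy with an appended payload, as a
# trojanized download would differ from the vendor's original.
SAMPLE_INSTALLER = b"MZ\x90\x00 constructed-legitimate-installer-bytes"
TROJANIZED_INSTALLER = SAMPLE_INSTALLER + b"\x00 constructed-appended-payload"

# A sha256sum-style manifest as a vendor might publish it. The digest is
# computed here only so the constructed example is self-contained; a real
# deployment must take this text from the vendor's trusted channel, never
# from the same download as the installer.
VENDOR_MANIFEST = (
    "# sha256sum output published by the vendor (constructed)\n"
    f"{hashlib.sha256(SAMPLE_INSTALLER).hexdigest()}  ics-setup-1.2.exe\n"
)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  filename' lines; blank lines and '#' comments are skipped.

    Raises ValueError on a malformed digest so a corrupted or tampered manifest
    fails closed instead of silently matching nothing.
    """
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA-256 digest for {name!r}")
        expected[name] = digest
    return expected


def sha256_of(data: bytes) -> str:
    """Hash the installer in chunks, as one would for a large file on disk."""
    h = hashlib.sha256()
    for offset in range(0, len(data), 65536):
        h.update(data[offset:offset + 65536])
    return h.hexdigest()


def verify_installer(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """Return True only if the file is listed and its digest matches exactly.

    An unlisted file name is refused rather than assumed clean, and the
    comparison is constant-time to keep the check free of timing side effects.
    """
    if name not in manifest:
        return False
    return hmac.compare_digest(sha256_of(data), manifest[name])


if __name__ == "__main__":
    manifest = parse_manifest(VENDOR_MANIFEST)
    for label, blob in (("vendor copy", SAMPLE_INSTALLER),
                        ("trojanized copy", TROJANIZED_INSTALLER)):
        ok = verify_installer("ics-setup-1.2.exe", blob, manifest)
        print(f"{label}: {'OK' if ok else 'REJECT'}")
```

The check only tells you the file matches what the vendor published; if the vendor's own download site was compromised and the manifest was replaced along with the installer, both will agree. That is why the manifest should be taken from a channel the installer did not come through, and why a vendor code-signing certificate, where available, is the stronger control.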
“The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes,” Symantec said in a blog post. “If they had used the sabotage capabilities open to them, (they) could have caused damage or disruption to energy supplies in affected countries.”
Dragonfly used two malware tools: the first, Backdoor.Oldrea, gathers system information, including the computer’s Outlook address book and a list of installed files and programs; the second, Trojan.Karagany, uploads stolen data and downloads new files and runs them on infected computers, the firm said.
The Oldrea backdoor is also known as Havex. In short, both the Oldrea and Karagany malware families allow cyber criminals to gain backdoor access to the infected systems, to exfiltrate confidential data, and to download and install additional malware on those systems.
The best-known earlier example of malware aimed at industrial control systems is the Stuxnet worm, which made international headlines in 2010 and was designed to sabotage the Iranian nuclear project. It specifically targeted a uranium enrichment facility in Natanz, Iran, making the centrifuges spin out of control to cause physical damage to the plant, and successfully disabled 1,000 centrifuges that the Iranians were using to enrich uranium.