Power Plant
Symantec is warning hackers gave gained access to energy companies and could attack power grids. Benita5/Pixabay

Hackers have targeted and successfully penetrated the operational networks of a number of energy companies in the United States and Europe, putting core aspects of power grids at risk, security researchers warn.

Security firm Symantec reported the intrusions, which the researchers attributed to a state-sponsored hacked group known as Dragonfly. The hacking collective has been targeting energy companies since at least 2011 and has made strides in the type of access the group has been able to achieve in the last year.

The report from Symantec marks the result of an escalation in attacks carried out by Dragonfly. The group reportedly began a campaign against industrial firms in 2015 and ramped up its efforts in April of this year, creating a new and troubling scenario that the hackers already have access and are simply lying in wait to carry out their attack.

“There's a key element of advanced persistent threat, and that is the word persistent,” Ben Johnson, a former NSA computer scientist and the chief technology officer and co-founder of Obsidian Security, told International Business Times.

“Sophisticated actors are initially after one thing: access. Once they obtain it, their primary goal is usually to make sure long-term access can be maintained.” Johnson suggested such access could be maintained by creating new user accounts or stealing existing user credentials or creating covert backdoors and implants that allow for continuous access for the malicious actors.

Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

Symantec reported the hacking group developed trojanized versions of standard Windows applications that were used to infiltrate the vital systems.

The hacking group also delivered a trojan to targeted firms through malicious downloads disguised as an update to Adobe Flash Player. The updates may have been the result of social engineering, in which the attackers would contact the target and convince them an update was needed. The attackers would then send the target to a URL that hosts the disguised malicious file.

According to the security firm, dozens of utility companies in the U.S. were targeted by Dragonfly and a handful of them have been compromised on an operational level. Companies in Turkey and Switzerland may have also been penetrated.

“This attack on global power grids did not require technological sophistication – just a strong understanding of the people the attackers were targeting," Josh Douglas, chief strategy officer for cyber services at U.S. defense contractor Raytheon, told IBT. "It also shows that cyber attacks happen don’t always happen instantly, but instead can take years to unfold."

Eric Chien, a cyber security researcher at Symantec, told Reuters the only thing preventing “sabotage of the power grid” at this point is motivation, meaning an attack be carried out as soon as the hackers—or the nation backing the group—decide the time is right.

Johnson said once attackers find their way into a system, they become difficult to stop because they “literally live off the land and blend in—they become an employee.” He warned that once a system is breached, “it's hard to have faith in the integrity of any aspect of that system.”

Johnson said better IT hygiene can offer some hope for targeted companies, but utilities and energy firms "need to know they are a prime target in the ever growing cyber war preparations and will be continuously probed and bombarded 24/7.”

Thus far, there has not been any attribution of the attack to a particular state actor. While Symantec noted strings of code used by Dragonfly were in Russian, it was not evidence enough to finger Russia as the culprit. The attack also used French code, suggesting the malicious actors may be false indicators designed to shield the identity of the attackers.

“What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems,” Symantec said in its report. “What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so.”

Douglas said attributes of the attack are "similar to those perpetrated by nation-states with deep pockets and long-term goals." He said the attacker's use of open-source software and proprietary malware suggests "they have invested strongly in their capabilities – some of which we have yet to see – and that we may not yet know the full extent of this attack.”

The report from Symantec comes just weeks after the National Infrastructure Advisory Council (NIAC), a group commissioned by the National Security Council (NSC) to review more the federal government’s capability to secure infrastructure against targeted cyber attacks, warned of the possibility of a “9/11-level cyber-attack” against critical infrastructure in the U.S.