State-sponsored attackers target energy companies

A group of attackers believed to be based in Eastern Europe have succeeded in compromising several strategically important organisations in the energy sector as part of an extensive cyber espionage campaign, security vendor Symantec said in a report [PDF].

Known alternatively as Dragonfly or Energetic Bear, the group has been active since 2011 and been targeting electricity generation and grid operators in the United States, Western Europe, Poland and Turkey.

According to Symantec, beyond spying on the companies in question Dragonfly would be able to sabotage compromised plants and installations by targeting energy sector suppliers that are smaller and less well protected.

Three industrial control systems equipment vendors were compromised by Dragonfly which inserted malware into their legitimate software, Symantec said. 

While the trojan software was discovered in all instances, Symantec said that several downloads of the compromised code had taken place this year and last. Some of the systems compromised are used to manage wind turbines, biogas plants and other energy infrastructure.

The Dragonfly operators utilise spearphishing techniques such as sending malware via emails that install remote access tools (RATs) on victims' machines.

Dragonfly also targeted vulnerable versions of Java and Microsoft's Internet Explorer web browser to compromise websites in watering-hole attacks.

Two types of malware have been used by Dragonfly, one of which Symantec said is custom written for the attackers.

Symantec said it has notified the organisations compromised by Dragonfly as well as national computer emergency response teams prior to publication of the report.