Hacker group linked to Russia closing in on US power companies: Symantec
07 Sep 2017
A hacker group allegedly tied to the Russian government has acquired an unprecedented level of access to companies supplying power to the US power grid, according to a cybersecurity firm.
According to California-based Symantec, a cybersecurity vendor that also publishes threat research, the group, which it tracks as Dragonfly 2.0, may have compromised more than a dozen US companies in recent months.
Dragonfly, which also goes by the names Crouching Yeti and Energetic Bear, is an established hacker group that attacked energy-sector targets around the world from 2011 until 2014, after which it went quiet following the public exposure of its tactics by security researchers. Researchers at Symantec do not name Russia specifically as the culprit, though they maintain it is a state-sponsored attack. Firms such as CrowdStrike and FireEye say the group is connected to the Russian government.
"This is the first time we've seen this scale, this aggressiveness, and this level of penetration in the US, for sure," Eric Chien, technical director of Symantec's Security Technology & Response Division, told BuzzFeed News.
"What we're seeing is them getting into dozens, as far as we know, likely more, of organisations who are basically energy companies. We're talking about organisations who are supplying power to the power grid," Chien said.
"What's most concerning is we now see them intruding on operational networks of energy companies," Chien told Ars Technica. "Before, we were talking about them being one step away, and what we see now is that they are potentially in those networks and are zero steps away. There are no more technical hurdles for them to jump over."
The escalation is seen as serious because operational networks are the ones that control the physical equipment of the grid, so access to them is access to the stability of the electricity supply itself rather than merely to corporate data.
The report also points out that removing malware from infected networks might not be enough to counter the threat: in many cases the attackers have already harvested the credentials and other data needed to regain access, so those credentials remain usable until they are reset.