Hacking the power grid is one of the holy grails of hacker prowess. The first real power outage caused by hackers occurred near Kiev in 2015. Now researchers say that a malicious group has gained unprecedented operational access to American power company systems, and experts worry that the ability to cause a blackout at will could be in the hands of unknown actors.
The seemingly local cyberattack that cut power to part of Ukraine's capital, Kiev, last December could have been a test run. And security researchers now say the malware believed to have caused the blackout is actually modular, mostly automated and highly adaptable. That means it doesn't just work on electrical grids in Ukraine. This dangerous cyberweapon might work in Sydney or Paris or New York — anywhere really.
On Wednesday, the researchers at Symantec published a report that outlines the broad details of their investigation into the actions of a group they're calling "Dragonfly 2.0". Symantec claims to have evidence that in over 20 cases the hackers gained access to the targeted power company networks. In some cases in the US, they managed to secure access to the interfaces that are used to control the power grid's equipment. As security researcher John Hultquist points out, the group "has not demonstrated a capability to manipulate the systems they are after", but it does appear that this is a reconnaissance mission designed to prepare for an attack.
Symantec's research is connecting this attack with the Dragonfly group that it reported on in 2014 and is believed to have been operating since at least 2011. As in the previous case, the group seems to be gradually gathering intelligence on these energy companies' operations and testing the waters on how far they can penetrate the system. Dragonfly 2.0 is believed to have begun its work around December of 2015, stepping up operations in the US, Switzerland and Turkey in the first half of 2017. "There's a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage," Eric Chien, a Symantec security analyst, tells Wired. In this case, Chein says that the group was able to gain that strategic position.
These hackers are acting at a high level of operation, but they aren't reinventing the wheel. Tried and true spear phishing and watering hole techniques were used to trick employees into revealing usernames and passwords that gave access to restricted portions of the electrical system. Ars Technica outlines some of the hackers' methods:
One tactic involved using the publicly available Phishery toolkit to send targets a Microsoft Word document that was programmed to download a template from a predetermined server controlled by the attackers. The server would then query the downloading computer for SMB credentials that many corporate networks use to restrict access to verified users. In many cases, the downloading computers would respond and in the process provide the attackers with the user name and a cryptographic hash to the targeted network. Researchers with Cisco Systems described the so-called template injection attack in July. Once Dragonfly used the password to breach the company's corporate network, the hackers would then traverse to the operational network.
Once inside, the group was able to install backdoors that aligned with the Trojans used by the first Dragonfly operation. There was also forensic evidence that, in the most successful cases, the attackers were able to take screenshots of the control panels that send commands to circuit breakers that regulate the flow of electricity. Symantec said that it has worked with the companies that were affected to remove any malicious software, but it will be essential for personnel to update their login credentials. It also has warned over 100 energy companies about the techniques that were used and could potentially have compromised systems.
Symantec isn't revealing everything it learned about the attackers or the names of their targets. It also notes that common tools were used and known vulnerabilities were exploited. The link to the first round of Dragonfly attacks is primarily based on two pieces of malware that both attacks share, methods of intrusion, and the choice of energy companies as targets. Other aliases that have been tied to this group include Energetic Bear, Crouching Yeti and Koala. The US government connected the Dragonfly attacks to the Russian government in its December cybersecurity report about US election-related hacking. But Symantec is making no claims about the country of origin and writes that Russian and French languages were used, one or both of which could be false flags.
The fact that these operations seem to be focused on gathering intelligence does give a strong signal that a government actor could be responsible. "What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organisations should it choose to do so," Symantec wrote in its report. "What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organisations, stealing information, and gaining access to key systems."
Two factors should relieve some worries. One is that America's decentralised power grid would likely be able to recover from an attack pretty quickly. A 2016 hack on the power grid in Kiev only took the system down for an hour. The second piece of good news is that the hackers would need to deploy a piece of custom malware such as the "Crash Override" code that was used to sabotage systems in Kiev. Symantec isn't reporting that any sort of tools that could actually take control of the system have been identified. It appears that in this case, the group is still gathering the intel it needs. As Robert M. Lee, founder of security firm Dragos pointed out on Twitter, the information gathering cited in the Symantec report is "exactly what you'd want to collect (and engineering documents which Symantec has said were stolen) to design attacks".
In the meantime, Symantec has outlined defensive steps for electric companies to take and US cyber operations will need to take these developments into account. Whoever this group is, they're making progress in their mission and they seem quite patient.