US, European energy firms targeted by shadowy cyber espionage group, experts warn

Energy firms in North America and Europe are facing a new wave of cyberattacks that could wreak havoc on their operations, according to security expert Symantec.

In a report released this week, Symantec explained that the group behind the attacks is known as Dragonfly. The cyber espionage group has been in operation since 2011 and, after a quiet period when it was closely scrutinized by security researchers, has re-emerged over the past two years.

The so-called “Dragonfly 2.0” campaign began in late 2015 and harnessed similar techniques to the earlier Dragonfly attacks. “The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” explained Symantec, in its report.

The organizations targeted are not named in the report.


The company said that it has “strong indications” of attacker activity in organizations in the U.S., Turkey, and Switzerland, with “traces of activity” in organizations outside of those countries. “The U.S. and Turkey were also among the countries targeted by Dragonfly in its earlier campaign, though the focus on organizations in Turkey does appear to have increased dramatically in this more recent campaign,” it said.

Dragonfly 2.0 harnesses a host of techniques to attack energy firms, including malicious emails, so-called ‘watering hole attacks’ that use infected websites and ‘Trojanized’ software that can unleash malicious code on computer systems.

The earliest activity in the latest campaign was a malicious email campaign that sent emails disguised as an invitation to a New Year’s Eve party to energy sector targets in December 2015, according to Symantec.

Dragonfly 2.0 raises a very real risk of sabotage. “The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” explained Symantec. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”


Researchers cited the attackers’ use of screen captures as evidence of their plans to access energy networks.

The identity of the Dragonfly 2.0 attackers remains cloaked in mystery. “Some of the group’s activity appears to be aimed at making it more difficult to determine who precisely is behind it,” wrote Symantec, noting that the attackers rely heavily on generally available malware. Some code strings in the malware, however, were in Russian, although some were also in French. One of the languages may be a so-called “false flag” that aims to confuse any investigators looking to reveal the attackers’ identities.

Despite the clear threat posed by the group, Symantec noted that its customers are protected against Dragonfly attacks.

Experts agree that the report underlines the need for energy firms to keep their systems locked down. “The power grid penetration incidents are terrifying and really hit home the importance of having a solid cybersecurity strategy in place for organizations of all types,” explained Varun Badhwar, CEO of cloud security company RedLock, in a statement emailed to Fox News.


“What’s interesting here is the relatively unsophisticated methods the hacking group has used,” added Leigh-Anne Galloway, cyber security resilience lead at security specialist Positive Technologies. Galloway noted that attacks on the Supervisory Control and Data Acquisition (SCADA) systems used to manage power plants have traditionally used zero-day, or previously unknown, vulnerabilities. “In this case though, they’ve chosen to go for the older, but most effective methods of phishing and watering holes to get in. Of course, one the attackers are in, they would then still carry out exploits. But phishing is an effective first stage.”

In its report, Symantec also pointed to the cyber attacks that disrupted Ukraine’s power network in 2015 and 2016.

North Korea recently threatened to hit the U.S. with an electromagnetic pulse, which experts warn could cause disruption to the country’s power grids.

Follow James Rogers on Twitter @jamesjrogers