Russian-Born Malware Attacking Power Plants in United States, Europe


[Image: Energetic Bear attack chart]

Malware from the group "Energetic Bear" has been attacking utilities in the US and Europe for 18 months.

It's all fun and games when Stuxnet is wreaking havoc on Iranian uranium-enrichment facilities, but the jokes quickly dissolve when American and European utilities come under similar attack.

Symantec published a report today on Dragonfly, a group also known by the name Energetic Bear. This group is behind a wave of malware attacks on utility companies in Europe and the United States over the last 18 months, with most of the affected systems being in Spain, France, Italy, Germany, Turkey, Poland, and the U.S.

"Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers," said Symantec on its Security Response blog.

Symantec stops short of naming Russia, but its attribution points that way in every indirect manner possible:

Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.
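The compile-timestamp technique Symantec describes, as an added example (this is not code from Symantec's report or from the article): read the COFF TimeDateStamp out of each PE sample, then ask which UTC offset makes the most samples land in a Monday-to-Friday, 09:00-18:00 local working day. The nine-hour window, the offset range and the sample timestamps are all constructed assumptions for the demonstration.

```python
"""Working-hours inference from PE compile timestamps (added example).

Not code from Symantec's report or the article. It reads the COFF
TimeDateStamp from a PE image, then asks which UTC offset makes the most
samples land in a Monday-Friday, 09:00-18:00 local working day. The sample
timestamps below are constructed, not real Dragonfly data.
"""
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # After the 4-byte signature: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def make_fake_pe(ts: int) -> bytes:
    """Build a minimal, non-executable PE header that carries the given timestamp."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER for a 32-bit x86 image with one section
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def in_working_window(ts: int, utc_offset_hours: int) -> bool:
    """True if the timestamp is Mon-Fri, 09:00-17:59 at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromtimestamp(ts, tz=tz)
    return local.weekday() < 5 and 9 <= local.hour < 18


def score_offsets(timestamps):
    """Map each UTC offset (-12..+14) to the fraction of samples inside the window."""
    return {
        off: sum(in_working_window(t, off) for t in timestamps) / len(timestamps)
        for off in range(-12, 15)
    }


def best_offsets(timestamps):
    """Return (offsets that fit best, their score). Ties are returned together."""
    scores = score_offsets(timestamps)
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top), top


# Constructed sample: a campaign compiled Mon-Fri 05:00-13:00 UTC (09:00-17:00
# at UTC+4), plus one Saturday build and one 00:00 UTC build that looks like an
# automated nightly job rather than a person at a keyboard.
_BASE = datetime(2013, 5, 13, tzinfo=timezone.utc)  # a Monday
SAMPLE_TIMESTAMPS = [
    int((_BASE + timedelta(days=d, hours=h)).timestamp())
    for d in range(5) for h in range(5, 14)
] + [
    int((_BASE + timedelta(days=5, hours=10)).timestamp()),
    int((_BASE + timedelta(days=1, hours=0)).timestamp()),
]
SAMPLE_PE_FILES = [make_fake_pe(t) for t in SAMPLE_TIMESTAMPS]


def analyse(pe_files):
    """Parse timestamps from PE blobs and return the best-fitting UTC offsets."""
    return best_offsets([pe_timestamp(b) for b in pe_files])


if __name__ == "__main__":
    offsets, score = analyse(SAMPLE_PE_FILES)
    print(f"best UTC offset(s): {offsets}, {score:.0%} of samples in a 9-18 Mon-Fri window")
```

Two caveats a practitioner would attach to the result: the TimeDateStamp is a plain 32-bit field that a linker option or a hex editor can set to anything (reproducible builds zero it outright), and an automated build pipeline puts compile times at whatever hour the scheduler fires, so the 00:00 UTC sample above is exactly the kind of outlier that should be explained before the offset is trusted. The score is a corroborating signal, not an attribution on its own.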

State-sponsored cyberattacks aren't new threats by any means. Stuxnet was likely a collaboration between the U.S. and Israel to keep Iran's nuclear programs (weaponized or not) crippled, while Chinese hackers have been targeting U.S. systems for years.

Symantec contacted those impacted by the malware prior to the blog publication, so hopefully the repair process is quick and largely painless.


96% on allied targets and 4% friendly fire. Not bad, I would have expected at least 20% of the attacks to have been on their own allies (needing to keep them in line and all), but 4%? At that low level I'm actually starting to think the Serbian-Russian de-facto alliance is over (then again, them joining the EU is in the "only a matter of time" category anyway).

I know I usually give Russia's government and its organizations plenty of flak (and I take none of it back), but props to this group for pulling this off.

Your move America, let's hope you don't disappoint.

So it's more or less a three-way cyber-war ongoing.
A cold cyber-war.

Time to invest in serious hardware and software security in time for the first cyber world war.

My problem now is I just don't trust the governments or security companies to tell the truth.
They can just make up reports that this stuff is happening and you can choose to believe or not believe them.

They're painting the narrative that Russia and China are engaged in cyberwar against the West so they can have public support when they also engage in cyberwar against the East. The problem here is, unlike real war, we can't see it happening.

Does this seem like something China and Russia would do? Yes. But I simply have no reason to believe large security firms or the US government anymore. I mean, the reason for them pinning Russia is the fucking compilation timestamps. I used to be the build master at a large company and we did auto builds at midnight so they would be ready the next morning; those would have fallen in the 9am - 6pm timeslot in the UTC +4 timezone, but trust me, the software wasn't Russian.

Weaver:

They're painting the narrative that Russia and China are engaged in cyberwar against the West so they can have public support when they also engage in cyberwar against the East. The problem here is, unlike real war, we can't see it happening.

I think you are assuming they feel the need for support from anyone, they can do whatever and classify and de-classify as they see fit. The Stuxnet attacks were well underway before they were common knowledge. And even that wasn't direct compared to what the Mossad did. I stand to be corrected on this but they were implicated in the suspicious deaths of a few Iranian scientists as far as I know.

Considering how often the US spies on, hacks and infects Russian and Chinese systems, I can't blame them for returning the favour. You can't walk up to someone, punch them in the face, then cry foul when they knock you on your ass, America.

Holy cow, what did Spain do to get the biggest chunk of the attacks?

lacktheknack:
Holy cow, what did Spain do to get the biggest chunk of the attacks?

They probably sent the money to that nice Nigerian prince they are related to.

Weaver:
My problem now is I just don't trust the governments or security companies to tell the truth.
They can just make up reports that this stuff is happening and you can choose to believe or not believe them.

They're painting the narrative that Russia and China are engaged in cyberwar against the West so they can have public support when they also engage in cyberwar against the East. The problem here is, unlike real war, we can't see it happening.

Does this seem like something China and Russia would do? Yes. But I simply have no reason to believe large security firms or the US government anymore. I mean, the reason for them pinning Russia is the fucking compilation timestamps. I used to be the build master at a large company and we did auto builds at midnight so they would be ready the next morning; those would have fallen in the 9am - 6pm timeslot in the UTC +4 timezone, but trust me, the software wasn't Russian.

If these organizations are stupid enough to base it off timestamps, this might be why hackers would do it at that time in the first place: to cover their tracks.

Suspiciously not targeted:
Military Systems
Intelligence Systems
Government Systems
Any other non-civilian systems

State sanctioned cyberterrorism. You stay classy, Moscow.

You reap what you sow. Whose bright idea was it in the first place to start this pissing contest with Russia? Russia is notoriously an "eye for an eye" country; are you surprised there's a response to the economic sanctions?

kuolonen:
You reap what you sow. Whose bright idea was it in the first place to start this pissing contest with Russia? Russia is notoriously an "eye for an eye" country; are you surprised there's a response to the economic sanctions?

It was Russia's idea to start this pissing contest with Russia. You forget that the sanctions were an original response.

THIS is how "an eye for an eye leaves the whole world blind".

Yesterday I chatted with Vladimir Putin. Vova (Vladimir) complains that he sat at a computer 12 hours a day all week. He says: "My eyes get very tired from this business."

The headline of the article is definitely misleading. If the article only states that the attack -might- have been from Eastern Europe, it doesn't straight away mean it was Russia.
The nation itself has done dodgy moves, regarding Ukraine and all of that stuff, but no need to scream wolf when there isn't one. I am from Finland and my country could very well be the culprit as well, though I doubt it. Scrap the broad perspective and focus on the details.
Hack-attacks have been very inclusive so to speak, so most of the time they can be confined within certain groups and most of the time it's just childish "how far can we go" -scams by neckbeards that only serve as a detriment for everyone. To sum this up, I hate everyone who thinks that they'll get some meaning for their lives in making others' lives miserable.

The attack has been happening for 18 months. Ironically, though, just yesterday we had a power outage and now this article shows up. Perfect timing, Escapist.

Weaver:
My problem now is I just don't trust the governments or security companies to tell the truth.
They can just make up reports that this stuff is happening and you can choose to believe or not believe them.

Say what you want about security companies, but Symantec is one of the oldest and most reputable fighters against malware. They seem to be right on the money when they do their reports, which end up being more or less confirmed by smaller ones as they collect their own data. I'm not saying it's failproof, merely "if you can't trust these guys, you can't trust anyone".

Daverson:
Suspiciously not targeted:
Military Systems
Intelligence Systems
Government Systems
Any other non-civilian systems

State sanctioned cyberterrorism. You stay classy, Moscow.

Different systems have different security, and thus by streamlining your malware to hit a certain target it's going to be effective against it. Maybe some loose strains have gotten to those systems you list and simply were blocked due to different security measures? I mean, the military uses multiple network systems for classified data specifically so someone bringing in a virus could not infect the classified networks even if infection spreads. I doubt a civilian power plant bothers to implement so much security for their network.

Captcha: Duracell. What is it?

Yes, captcha, I know I should stock up on batteries.

Wow, the United States I get, but what is up with all the attacks on Spain?

RicoADF:
Considering how often the US spies on, hacks and infects Russian and Chinese systems, I can't blame them for returning the favour. You can't walk up to someone, punch them in the face, then cry foul when they knock you on your ass, America.

Pretty sure Russia and China do just as much spying and hacking regardless of provocation from the US.

5 bucks on Russia actually seriously laughing at dead people if the malware manages to Chernobyl a few of these countries.

I mean, empathy is like, dead last in their list of priorities.

JoshuaMadoc:
5 bucks on Russia actually seriously laughing at dead people if the malware manages to Chernobyl a few of these countries.

I mean, empathy is like, dead last in their list of priorities.

It'd be easier to break into the nuclear power plants and steal the actual reactor than to do that.

Vendor-Lazarus:
So it's more or less a Three-way cyber-war ongoing.
A cold cyber-war.

Time to invest in serious hard and software security in time for the first cyber world war.

Guh... erk... can't... not...

YOU WILL BE UPGRADED.

cough cough...

Right.

I'm sure that there will be some terse words from the US government, followed by nothing.

Vendor-Lazarus:
So it's more or less a Three-way cyber-war ongoing.

No, not even close. There are around 200 countries in the world (depending on exactly how you count them). Every single one that owns at least one computer is engaging in some kind of computer-related espionage. The only thing at all interesting about this sort of report is how many people always seem to be surprised that it's happening.

Daverson:
Suspiciously not targeted:
Military Systems
Intelligence Systems
Government Systems
Any other non-civilian systems

State sanctioned cyberterrorism. You stay classy, Moscow.

What on Earth makes you think they're not being targeted? Of course they are. Just because it's not by this particular malware or this particular group doesn't mean it's not happening at all.

I wonder if the recent Truecrypt debacle was U.S's NSA trying to roadblock *********["Message found in contravention of National Security, scanning thread for subversive content"]

Braedan:

Vendor-Lazarus:
Snip

Guh... erk... can't... not...

YOU WILL BE UPGRADED.

..Snip..

I would love to be.. UPGRADED! Hrrmm..Not forcibly though.

The only way to win is become it. Long Live Transhumanism!

(btw, is there a story behind that picture? *interest piqued*)

Kahani:

Vendor-Lazarus:
So it's more or less a Three-way cyber-war ongoing.

No, not even close. There are around 200 countries in the world (depending on exactly how you count them). Every single one that owns at least one computer is engaging in some kind of computer-related espionage. The only thing at all interesting about this sort of report is how many people always seem to be surprised that it's happening.

Of course, every state in existence performs some sort of espionage or another.
I was referring to how the three super powers carry out infrastructure and network related sabotage.
Actual sabotage, as in trying to damage some assets of the opposing side.
I'm sure more countries do this as well, my emphasis was more to compare it to the cold war days.
They are after all super powers. Well, more so than other countries.
Japan could probably do some terrifying internet stuff if they wanted.

lacktheknack:

kuolonen:
You reap what you sow. Whose bright idea was it in the first place to start this pissing contest with Russia? Russia is notoriously an "eye for an eye" country; are you surprised there's a response to the economic sanctions?

It was Russia's idea to start this pissing contest with Russia. You forget that the sanctions were an original response.

THIS is how "an eye for an eye leaves the whole world blind".

Well, the first response was from Russia to the EU making the first move by starting to take steps to make Ukraine part of the EU. This put a time limit on the old Russian problem of "what about that Crimea that got swindled from us during the Soviet era?", which led to the aforementioned response of using the corrupt Ukraine government to end those talks, which led to other stuff.

Sanctions were not an original response; they were an escalation of an already begun conflict. But it will be so fun to see how far the powers that be will take this pissing contest. Maybe we get back to the good ol' days of the Cold War? Or maybe they'll just skip that part and just begin a nuclear war.

kuolonen:

lacktheknack:

kuolonen:
You reap what you sow. Whose bright idea was it in the first place to start this pissing contest with Russia? Russia is notoriously an "eye for an eye" country; are you surprised there's a response to the economic sanctions?

It was Russia's idea to start this pissing contest with Russia. You forget that the sanctions were an original response.

THIS is how "an eye for an eye leaves the whole world blind".

Well, the first response was from Russia to the EU making the first move by starting to take steps to make Ukraine part of the EU. This put a time limit on the old Russian problem of "what about that Crimea that got swindled from us during the Soviet era?", which led to the aforementioned response of using the corrupt Ukraine government to end those talks, which led to other stuff.

Sanctions were not an original response; they were an escalation of an already begun conflict. But it will be so fun to see how far the powers that be will take this pissing contest. Maybe we get back to the good ol' days of the Cold War? Or maybe they'll just skip that part and just begin a nuclear war.

It doesn't matter whether or not Russia got swindled out of Crimea. As of today, Ukraine is its own autonomous nation that gets to make its own damn decisions, not some table full of stuff for other nations to bicker over who gets what. If Ukraine wants to join the EU, they ought to be allowed to. If Crimea wanted to return to Russia, that's the people of Crimea's decision, and Russia was a hundred percent in the wrong to invade it to take it back. They were also wrong to completely block out talks between EU and Ukraine, because it's none of their stinking business. End of.

If we're going to justify the invasion and illegal land-grabs of a populated country because another country was "swindled" out of it at one point in the past, then every non-aboriginal in North America is pretty damn screwed, aren't they?

Zetatrain:

Pretty sure Russia and China do just as much spying and hacking regardless of provocation from the US.

With the US it's more or less how fucking hypocritical they are about it. For instance, nobody in China aside from people living under rocks is under any illusion that the Chinese government is corrupt, spies on innocent people, etc. etc. etc.

The US, however, does the same thing; to make it worse, they have the gall to point at other countries like China doing it and cry "outrage" and oppressive, all the while doing the same thing to their own public in secret, and a tad bit worse.

It's like seeing an honor student at school shaming bullies for picking on the weaker and manipulating everyone else, when in secret said honor student not only does the same thing behind the backs of everybody, but also blackmails on the side.

Why the hell would a power plant be connected to the internet? Seems like elementary safety procedure to have all such systems in a completely isolated internal network.

I was under the impression that all our power grids were on their own private networks that had no wireless connection to the outside, thus making them impossible to penetrate unless you were actually connected to the machine itself. And if it's not, why are our critical infrastructure computers connected to a network that can be accessed by unauthorized people? It seems like there'd be really simple solutions to that sort of risk.
Unless I've badly misunderstood what I've read on the subject.

Vendor-Lazarus:
I was referring to how the three super powers carry out infrastructure and network related sabotage.
Actual sabotage, as in trying to damage some assets of the opposing side.

Do you have evidence to back this up? As the article explicitly notes, the malware in question here is about espionage, not sabotage. Every state is always going to be spying on everyone else, but very few have any incentive to actively engage in sabotage most of the time. Getting caught spying results in little more than a bit of embarrassment and some angry letters. Getting caught sabotaging things would result in a much stronger reaction in return for essentially no gain. Unless you're at war with someone, taking down a power plant or two achieves nothing other than pissing people off, so it's just not worth it. Even during the cold war it didn't really happen much, because while spying was accepted as inevitable, sabotage could easily have been considered an act of war.

Stuxnet was something of a special case, since it involved a very good reason (or at least what was considered a very good reason by those involved) and a target that had essentially zero possibility of any meaningful retaliation. Superpowers taking more serious actions against less powerful nations who are already the subject of various sanctions is very different from superpowers attacking each other.

I suppose it's overly-optimistic to hope that the countries in question have learned a lesson in computer security from this. Seriously, though, people have been stating the bloody obvious for years that things like power plants shouldn't be on the Internet. Should we be surprised that this happened? No. We should be surprised it didn't happen sooner.

Captcha: diddly-squat
Yes, I'm sure this is how much we're likely to see them learn from this.

Kahani:

Vendor-Lazarus:
I was referring to how the three super powers carry out infrastructure and network related sabotage.
Actual sabotage, as in trying to damage some assets of the opposing side.

Do you have evidence to back this up? As the article explicitly notes, the malware in question here is about espionage, not sabotage. ..SNIP..

Devin Connors:

Symantec goes on to accuse Russia of the nefarious deeds in every indirect way possible:

Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

I must confess that I have not read the entire article, but it seems possible from the quote in the OP. (bolded for emphasis)

Since it's known that espionage attacks do occur, I just sort of ran with it. My earlier posts were done in a half-joking way.
My apologies for the confusion.

Vendor-Lazarus:
I must confess that I have not read the entire article, but it seems possible from the quote in the OP. (bolded for emphasis)

Since it's known that espionage attacks do occur, I just sort of ran with it. My earlier posts were done in a half-joking way.
My apologies for the confusion.

Yeah, there's always going to be the potential for sabotage once someone has inside access to a system. It's just that the consequences almost always far outweigh any possible benefit so there's usually very little incentive to actually take advantage of that potential. It's still something security bods are going to worry about, since obviously they don't want to get caught with their pants down if someone actually does decide to start war, but for the most part there's going to be very little active sabotage happening even in places where the possibility exists.

 
