Russian-Born Malware Attacking Power Plants in United States, Europe

[Figure: Energetic Bear attack chart]

Malware from the group “Energetic Bear” has been attacking utilities in the US and Europe for 18 months.

It’s all fun and games when Stuxnet is wreaking havoc on Iranian nuclear power facilities, but the jokes quickly dissolve when American and European utilities come under similar attack.

Symantec published a report today on Dragonfly, a group also known by the name Energetic Bear. This group is behind a wave of malware attacks on utility companies in Europe and the United States over the last 18 months, with most of the affected systems being in Spain, France, Italy, Germany, Turkey, Poland, and the U.S.

“Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers,” said Symantec on its Security Response blog.

Symantec goes on to accuse Russia of the nefarious deeds in every indirect way possible:

Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.
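The working-hours inference Symantec describes above can be reproduced with a short script. This is an added example, not Symantec's tooling or anything from the report: it reads the compilation timestamp from each sample's PE header, shifts it into a candidate fixed UTC offset, and measures how many builds land inside a Monday to Friday, 9am to 6pm working day. The "binaries" are constructed header stubs and the timestamps are invented, not real Dragonfly compile times.

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_timestamp(data: bytes) -> int:
    """Read the COFF header TimeDateStamp (Unix epoch seconds) from a PE image."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)                # offset of "PE\0\0"
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def make_stub_pe(stamp: int) -> bytes:
    """Constructed stand-in for a sample: only the header fields pe_timestamp() reads."""
    hdr = bytearray(0x60)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", hdr, 0x48, stamp)                         # TimeDateStamp
    return bytes(hdr)

def business_hours_fraction(stamps, utc_offset_hours, start=9, end=18):
    """Share of stamps that fall Mon-Fri, start <= hour < end, in a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = [datetime.fromtimestamp(s, tz) for s in stamps]
    hits = sum(1 for d in local if d.weekday() < 5 and start <= d.hour < end)
    return hits / len(local)

def best_offset(stamps, offsets=range(-12, 15)):
    """Fixed UTC offset under which the most stamps land in a 9-to-6 working week."""
    return max(offsets, key=lambda off: business_hours_fraction(stamps, off))

def _utc(y, m, d, hh, mm):
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())

# Constructed sample set (not real Dragonfly compile times): five weekday builds
# and one Saturday build, stored as the UTC instants a PE header would hold.
SAMPLE_FILES = [make_stub_pe(s) for s in (
    _utc(2013, 6, 11, 5, 10),   # Tue 09:10 at UTC+4
    _utc(2013, 6, 12, 6, 45),   # Wed 10:45 at UTC+4
    _utc(2013, 6, 13, 11, 20),  # Thu 15:20 at UTC+4
    _utc(2013, 6, 14, 13, 5),   # Fri 17:05 at UTC+4
    _utc(2013, 6, 17, 8, 30),   # Mon 12:30 at UTC+4
    _utc(2013, 6, 15, 7, 0),    # Sat 11:00 at UTC+4 (outside the working week)
)]

if __name__ == "__main__":
    stamps = [pe_timestamp(f) for f in SAMPLE_FILES]
    for off in (0, 4):
        print(f"UTC{off:+d}: {business_hours_fraction(stamps, off):.0%} in Mon-Fri 09-18")
    print("best fixed offset:", best_offset(stamps))
```

Compile timestamps are written by the build toolchain and can be edited or zeroed before a sample ships, so a profile like this is corroborating evidence for attribution, not proof on its own.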

State-sponsored cyberattacks aren’t new threats by any means. Stuxnet was likely a collaboration between the U.S. and Israel to keep Iran’s nuclear programs (weaponized or not) crippled, while Chinese hackers have been targeting U.S. systems for years.

Symantec contacted those impacted by the malware prior to the blog publication, so hopefully the repair process is quick and largely painless.
