In the aftermath of Hurricanes Irma and Harvey, one of the main concerns for the U.S. government is how to ensure energy grids stay running during the next natural disaster. However, there is another pressing issue government agencies have to worry about: cyber attacks on critical infrastructure.
Security firm Symantec has found that hackers who conducted a series of recent cyber attacks on energy companies in the U.S. and Europe were able to gain access to power grid operations. This access has the potential to allow the hackers to easily cause blackouts in American towns.
The hacking group, which calls itself Dragonfly 2.0, targeted energy companies earlier this year. In more than 20 of their hacking attempts, the cyber attackers were able to gain access to the companies’ networks. In some of these attacks, hackers were able to gain operational access, which allowed them control of the interfaces that power company engineers use to send commands. These commands control equipment like circuit breakers, which can stop electricity from reaching buildings. The hackers were able to gain access to these commands at power companies based in the U.S. and in Turkey.
One method that the hackers used to gain access to the energy grid was a phishing campaign. The hackers used the Phishery toolkit to send a malicious Microsoft Word document to their targets. The Word document automatically downloaded a template from a server controlled by the hackers, and the server asked the victim’s computer for their SMB credentials. Hackers could then use these credentials to explore a company’s network. The hackers were then able to place backdoors within the energy company’s networks, and they also took screenshots of the control panels that regulate electricity flow.
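For defenders, the remote-template trick described above leaves a trace inside the document itself, and the following added example (not from the original article or from Symantec) shows how a mail or file scanner could flag it. It assumes the standard Office Open XML layout, where an attached template is recorded as an external relationship in the document's `.rels` parts; the function names and the sample hosts are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")

def is_remote(target):
    """True for http(s) URLs and UNC/SMB paths; False for local file paths."""
    t = target.strip().lower().replace("\\", "/")
    if t.startswith(("http://", "https://")):
        return True
    if t.startswith("file:"):
        t = t[len("file:"):]
        if t.startswith("///") and not t.startswith("////"):
            return False          # file:///C:/... is a local template
    return t.startswith("//")     # //host/share, i.e. a UNC path

def find_remote_templates(docx_bytes):
    """Return (part, target) for each attached template loaded from a remote host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(part)).iter(REL_TAG):
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and is_remote(rel.get("Target", ""))):
                    hits.append((part, rel.get("Target")))
    return hits

def build_sample(target):
    """Constructed sample: a minimal .docx-style zip with one template relationship."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" Target="{target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed targets: one remote SMB path (documentation IP range), one local file.
    for t in ("file://203.0.113.10/share/Normal.dotm", "file:///C:/Templates/Memo.dotx"):
        print(t, "->", find_remote_templates(build_sample(t)))
```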
Researchers believe that these hackers are nation-sponsored because they are collecting intelligence, but they cannot conclude where the hackers are based. Some security firms believe that these hackers are based in Russia, since the text string in the code the hackers use is in both Russian and French. Researchers suspect that the group is slowly gathering intelligence on how the energy companies operate.
Dragonfly 2.0 established operations for these attacks in 2015, but ramped up their attacks on power grids in Turkey, Switzerland, and the U.S. in 2017. The Dragonfly group originally formed in 2011, but stopped conducting attacks in 2014 after it was exposed. In 2011, the group’s mission was to place backdoors in power plants based in the U.S. and Europe. The most infamous incident of a cyber attack on critical infrastructure occurred in Ukraine. Back in December 2015, a cyber attack on a power center outside of Kiev caused over 200,000 people in the capital to lose power for six hours.
As the threat of an attack on critical infrastructure becomes more alarming, companies can take the following measures to secure their networks from cyber attackers:
Use application whitelisting: Application whitelisting ensures that only approved third-party software can run on company networks. IT departments can use application whitelisting to prevent malware from being installed onto company devices through phishing emails.