According to Homeland Security officials, state-sponsored Russian hackers compromised US utility networks in a campaign affecting ‘hundreds’ of victims.
The Wall Street Journal cites officials from the DHS (Department of Homeland Security) claiming that the hackers reached the point where they ‘could have thrown switches’ to cause significant disruption.
Officials linked the hacks to a state-sponsored hacking group previously known as Dragonfly or Energetic Bear.
Back in June 2014, cybersecurity experts from Symantec released a whitepaper on Dragonfly/Energetic Bear. They noted that the hackers appear to have been in operation since at least 2011 and to have compromised ‘a number of strategically important organisations.’
The group’s initial focus was on defence and aviation companies in the US and Canada, before it shifted its attention mainly to US and European energy firms in early 2013.
Symantec explains the group’s usual attack method:
“The first phase of Dragonfly’s attacks consisted of the group sending malware in phishing emails to personnel in target firms.
In the second phase, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in the energy sector in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer.
The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.”
The DHS says that systems were compromised using the credentials of actual employees, which sounds like the methods Symantec revealed Dragonfly has used in the past to compromise networks.
Because the attackers used legitimate credentials, the DHS believes some companies may not even be aware they’ve been compromised. As such, the attack may be ongoing and the hackers may still have access to systems.