The Dragonfly hackers are back, and now they’re targeting the energy sector in the U.S. and Europe, warns Symantec.
The security software company said Wednesday that the perpetrators of a hacking campaign first identified in 2014 have been gathering intel for the past several months about critical energy infrastructure and have gained access to power grid controls. The new attacks, dubbed “Dragonfly 2.0,” follow a series of attacks in late 2015 that deployed a combination of tactics — including phishing emails and Trojan software — and Symantec warns that this access raises the possibility of cybersabotage.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves,” Symantec said in a blog post, “to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”
Over the past few years, cybersecurity researchers and experts have been sounding the alarm about hacking attacks on critical infrastructure. The Ukrainian power grid was targeted in 2015 and 2016 in successful (but limited) operations, and the U.S. government said in July that hackers are going after nuclear facilities.
But while the Dragonfly group and others may be interested in learning everything they can about Western energy infrastructure, that doesn’t mean they’ll do anything with that information.
“The malicious actors are very much interested in gaining intel which they may use later in an offensive capability,” Sergio Caltagirone, intelligence director at the cybersecurity firm Dragos, told VICE News. “That is very different from saying that they will do that.”
Hacking groups and governments — including the U.S. — routinely gather intelligence about the infrastructure in other countries, according to Caltagirone. Very rarely, however, do they do much with that intel.
“From a citizen’s perspective, we pay the military to prepare for war, which includes developing capacities that may not be used,” Caltagirone said. And in fact, the most successful deployment of such a cyberattack came from the United States, with the Stuxnet assault on the Iranian nuclear program in 2009.
One element that Symantec highlighted in its Wednesday announcement was that Dragonfly operatives were taking screenshots, and naming some of them in a way that suggests the screenshots could help the attackers gain control of a particular system. Caltagirone suggested that this might not be such a bad thing.
“If they are in there taking screenshots of stuff, that means that they are preparing, and it doesn’t mean that they are ready to push the button [on a sabotage attack],” Caltagirone said. “Every piece of intel shows us that they are learning more.”