U.S. and European energy assets have reportedly been compromised by what appears to be a state-sponsored group of hackers, security firm Symantec revealed in a June 30 release. So far, the hackers have chosen not to use all of the tools at their disposal to inflict serious damage.
The group of cyberattackers has been identified as 'Dragonfly' by Symantec. It's also known as Energetic Bear by other vendors.
Symantec said the sophistication of Dragonfly's technical abilities indicated that the group could be a state-sponsored organization, and that the pattern of its activity suggested the hackers operated somewhere in Eastern Europe.
"The group is able to mount attacks through multiple vectors and compromise numerous third-party websites in the process," stated Symantec. "Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability."
According to Symantec, 27 percent of Dragonfly's attacks hit Spain, 24 percent the United States, 9 percent France and 8 percent Italy. The remaining 32 percent of the attacks hit Germany, Turkey, Poland, Romania, Greece and Serbia.
"Dragonfly initially targeted defense and aviation companies in the U.S. and Canada before shifting its focus mainly to U.S. and European energy firms in early 2013," Symantec said. "The campaign against the European and American energy sector quickly expanded in scope."
Dragonfly's reported mode of operation is to deliver Trojans fitted with remote access tools through email attachments and through websites commonly visited by the personnel of energy organizations. Symantec stated that Dragonfly stepped up its campaign in September 2013, using an exploit kit on website landing pages to fingerprint a visitor's system and a second kit to probe that computer for the most promising route of infiltration.
Dragonfly compromised multiple vendors of industrial control system (ICS) equipment in its largest known attack campaign, according to Symantec.
After infecting the equipment providers' systems with remote access tools, the attackers reportedly led companies that sought out legitimate updates into installing malware instead. The intrusion gave the hackers access to the equipment vendors' networks, leaving the ICS equipment exposed to the hackers' will.
To counter Dragonfly and other hacker groups, Symantec listed a number of detection and intrusion-prevention tools in its June 30 blog post. The software covers several of the malware families Dragonfly has used in the past.