The Columbus Dispatch

A Dragonfly that stings

— The Washington Post

For the second time this year, evidence has surfaced of a serious potential threat to electrical and industrial systems from cyberattack. In June, a computer worm spread across the globe that caused systems that were managing oil companies, airline flights and more to lock up, and there was a report that hackers were penetrating a company operating nuclear power plants. Now, a security firm, Symantec, has discovered a wave of malware called Dragonfly in Europe and the United States that could put bad actors in position to switch off the lights.

The firm said that malware by that name had been around since 2011 but was dormant for a while before reemerging — Symantec calls it Dragonfly 2.0 — with a “distinct increase in activity” this year. The attackers are using familiar tools, such as “spearphishing” emails with attachments reeking with dangerous code, including an attachment resembling a benign invitation to a New Year’s Eve party.

Once opened, however, the attachments would leak the victims’ network credentials to a server outside the company. The attackers also used other measures: “watering holes,” fake websites designed to attract visitors with common interests; “Trojans,” which look like legitimate software but contain malicious code; and fake warnings to update Adobe Flash Player, which, when activated, would instead install malware.

This gave the attackers access to networks to gather intelligence, plot more destructive actions and steal additional credentials. The ability of a computer worm to trigger physical destruction is not fantasy, amply demonstrated by the Stuxnet malware used by the United States and Israel to interfere with centrifuge machines that were part of Iran’s nuclear weapons program.

According to Symantec, the bad actors behind Dragonfly 2.0 have entered electric utility networks in Turkey, Switzerland and the United States numerous times and they “may be entering into a new phase,” exploring how they can throw the switches on operational systems. What Symantec found most concerning was that the intruders were taking screenshots of the layout of the operational systems — a road map for a possible return.

The company said the architects of the Dragonfly campaign are an “accomplished attack group” and highly experienced but did not otherwise identify them. However, it is known that Ukraine has suffered power blackouts caused by cyberattacks that it blames on Russia. Could Russia also be probing the U.S. electrical grid? Or another nation?

“Wired” magazine quoted Eric Chien of Symantec as saying of the latest discovery, “There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage. . . . We’re now talking about on-the-ground technical evidence this could happen in the U.S., and there’s nothing left standing in the way except the motivation of some actor out in the world.”

Electric and industrial operators in the United States have been building defenses against cyberattacks for some time. But the latest disclosure should serve as yet another alarm that cyberattacks and intrusions are not just about stealing data or emails. They can lead to real-world damage.
