US warns of cyber attacks on energy firms

The US government is urging energy companies to check computer operating systems to determine whether they are infected with malicious software that could make them vulnerable to attacks from a Russian hacking group.

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued the request in light of reports from cyber-security outfits that have traced the activity of a group known as "Energetic Bear" or "Dragonfly".

The group was behind a campaign to infect energy and industrial firms around the world with malware known as the Havex Trojan, according to researchers with F-Secure of Finland and Symantec of the US.

The department advised potentially targeted companies to tighten security and check to see if their systems had been infected.

"ICS-CERT strongly recommends that organisations check their network logs for activity associated with this campaign," the department said in an alert on its website. "Any organisation experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes."

The malware has likely only been used for spying thus far, the researchers said, but it could be used for sabotage.

The hacker group primarily targets the energy sector and related industries, Symantec said in a report. The group has been around since at least 2011, but ramped up its attacks on the energy sector in 2013.

No specific companies have been identified as attacked. The countries most targeted were Spain and the US, each with between 70 and 80 attacks, according to Symantec.

The group has used a variety of methods of attack, including through "spear-phishing" e-mail campaigns and "trojanised" software.

More recently, Dragonfly/Energetic Bear has favoured so-called "watering hole attacks". In these attacks, hackers compromise energy-related websites such as supplier sites or bulletin boards, which then redirect visitors to another compromised legitimate website that drops the malicious software onto the unsuspecting user's hard drive.

"The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities," Symantec said.

"Given the size of some of its targets, the group found a 'soft underbelly' by compromising their suppliers, which are invariably smaller, less protected companies."
