Energy companies hit by cyberattack from Russia-linked group

Sam Jones
Monday, 30 Jun 2014 | 11:00 AM ET | Financial Times

The industrial control systems of hundreds of European and U.S. energy companies have been infected by a sophisticated cyber weapon operated by a state-backed group with apparent ties to Russia, according to a leading U.S. online security group.

The powerful piece of malware known as “Energetic Bear” allows its operators to monitor energy consumption in real time, or to cripple physical systems such as wind turbines, gas pipelines and power plants at will.

The well-resourced organisation behind the cyber attack is believed to have compromised the computer systems of more than 1,000 organisations in 84 countries in a campaign spanning 18 months. The malware is similar to the Stuxnet computer programme created by the US and Israel that succeeded in infecting and sabotaging Iran’s uranium enrichment facilities two years ago.

The latest attacks are a new deployment of malware that was first monitored by IT security companies at the beginning of the year.

Early infections by Energetic Bear appeared to be based solely around espionage.

Symantec, a U.S. cyber security company, said on Monday, however, that it had identified a virulent new “attack vector” designed to give the malware control over physical systems themselves.

Symantec said the group behind Energetic Bear, which it has dubbed Dragonfly, succeeded last year in infecting three leading specialist manufacturers of industrial control systems. Dragonfly then inserted the malware covertly into the legitimate software updates those companies sent to clients.

As clients downloaded the updates, their industrial control systems became infected. Contaminated software from one of the companies was downloaded to more than 250 industrial systems.
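The compromise described above works because clients trust whatever arrives through the vendor's update channel. The following is an added illustration, not code from Symantec, the Financial Times or any of the affected vendors, of the integrity check a client can run before installing an update: every file in the downloaded bundle is compared against a SHA-256 manifest obtained out of band, and anything tampered, unlisted or missing causes the install to be refused. The file names, contents and manifest values are constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed example manifest: the hashes the vendor's release process published.
# It must come from a channel independent of the update download itself
# (e.g. pinned from a signed release note), or a trojanized channel could
# simply ship a matching manifest.
EXPECTED_SHA256 = {
    "ics_driver.dll": sha256_hex(b"legitimate driver build 4.2"),
    "installer.exe": sha256_hex(b"legitimate installer 4.2"),
    "config.xml": sha256_hex(b"<config version='4.2'/>"),
}


def verify_update(bundle: dict, expected: dict) -> dict:
    """Check every file of a downloaded update bundle against the pinned manifest.

    Returns lists of verified, tampered, unexpected (not in the manifest) and
    missing (in the manifest but absent from the bundle) file names.
    """
    result = {"verified": [], "tampered": [], "unexpected": [], "missing": []}
    for name, data in bundle.items():
        if name not in expected:
            result["unexpected"].append(name)
            continue
        # compare_digest avoids leaking which prefix of the digest matched
        if hmac.compare_digest(sha256_hex(data), expected[name]):
            result["verified"].append(name)
        else:
            result["tampered"].append(name)
    for name in expected:
        if name not in bundle:
            result["missing"].append(name)
    return result


def safe_to_install(result: dict) -> bool:
    """An update is installable only when nothing was tampered, added or dropped."""
    return not (result["tampered"] or result["unexpected"] or result["missing"])


# Constructed bundles: one untouched, one where a file was altered and an
# extra component that the manifest never listed was slipped in.
CLEAN_BUNDLE = {
    "ics_driver.dll": b"legitimate driver build 4.2",
    "installer.exe": b"legitimate installer 4.2",
    "config.xml": b"<config version='4.2'/>",
}

TROJANIZED_BUNDLE = {
    "ics_driver.dll": b"legitimate driver build 4.2 + injected loader",
    "installer.exe": b"legitimate installer 4.2",
    "config.xml": b"<config version='4.2'/>",
    "update_helper.dll": b"component not present in the manifest",
}

if __name__ == "__main__":
    for label, bundle in (("clean", CLEAN_BUNDLE), ("trojanized", TROJANIZED_BUNDLE)):
        r = verify_update(bundle, EXPECTED_SHA256)
        print(label, "INSTALL" if safe_to_install(r) else "REJECT", r)
```

The check only catches what is altered between the vendor's release process and the client. If the attackers compromise the build or signing pipeline itself, the vendor publishes hashes (or signatures) for the already-trojanized files, so the manifest must be anchored to something the distribution channel cannot rewrite, such as reproducible builds or a separately held signing key.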

The malware is said to have indiscriminately infected hundreds of organisations, but by filtering infections to see where the malware is in regular contact with its command and control servers, Symantec said it had a clear picture of where Dragonfly’s interests lie.
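The filtering step described above, separating incidental infections from hosts that actively beacon to the command and control infrastructure, can be reproduced from ordinary proxy logs. The following is an added example and not Symantec's method or code: it groups outbound connections by (internal host, destination), keeps only destinations on a known C2 list, and flags pairs whose contact intervals are regular enough to look like a beacon. The log format, host names and C2 hostnames are constructed placeholders, not real indicators from the Dragonfly campaign.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed placeholders standing in for C2 hostnames from malware analysis.
KNOWN_C2 = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed proxy log: ISO timestamp, internal host, destination hostname.
# host-a and host-c check in roughly every 10 minutes; host-b touched a C2
# address once and otherwise browses normally.
SAMPLE_LOG = """\
2014-06-29T08:00:00 host-a c2-placeholder-1.example
2014-06-29T08:10:02 host-a c2-placeholder-1.example
2014-06-29T08:20:01 host-a c2-placeholder-1.example
2014-06-29T08:30:00 host-a c2-placeholder-1.example
2014-06-29T08:40:03 host-a c2-placeholder-1.example
2014-06-29T08:05:00 host-b c2-placeholder-2.example
2014-06-29T08:07:00 host-b www.example.com
2014-06-29T08:31:00 host-b www.example.com
2014-06-29T09:02:00 host-b www.example.com
2014-06-29T08:11:00 host-c c2-placeholder-2.example
2014-06-29T08:21:00 host-c c2-placeholder-2.example
2014-06-29T08:31:00 host-c c2-placeholder-2.example
2014-06-29T08:41:00 host-c c2-placeholder-2.example
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(times: list) -> tuple:
    """Return (contacts, mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps are nearly constant, the
    signature of a timer-driven check-in rather than human-driven traffic.
    Fewer than three contacts give no usable interval statistics.
    """
    if len(times) < 3:
        return (len(times), None, None)
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return (len(times), mean, cv)


def active_infections(text: str, known_c2: set, min_contacts: int = 4, max_cv: float = 0.1) -> dict:
    """Filter the log down to hosts in regular contact with a known C2 host."""
    found = {}
    for (src, dst), times in parse_log(text).items():
        if dst not in known_c2:
            continue
        n, mean, cv = beacon_score(times)
        if n >= min_contacts and cv is not None and cv <= max_cv:
            found[src] = {"c2": dst, "contacts": n, "interval_s": round(mean), "cv": round(cv, 3)}
    return found


if __name__ == "__main__":
    for host, info in active_infections(SAMPLE_LOG, KNOWN_C2).items():
        print(host, info)
```

The thresholds are starting points, not tuned values: a beacon with deliberate jitter raises the coefficient of variation, while legitimate software that polls on a timer also looks regular, which is why the known-C2 filter and the regularity check are applied together rather than either on its own.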

According to Symantec, which produces the Norton range of antivirus software, Energetic Bear is most heavily used in Spain and the US, followed by France, Italy and Germany.

Symantec said it believed that Dragonfly was “based in eastern Europe and has all the markings of being state-sponsored”.

Stuart Poole-Robb, a former MI6 and military intelligence officer and founder of KCS Group, a security consultancy, said: “To target a whole sector like this at the level they are doing just for strategic data and control speaks of some form of government sanction.

“These are people working with Fapsi [Russia’s electronic spying agency]; working to support mother Russia.”

Timestamps and Cyrillic text and names within the code for Energetic Bear indicate the malware’s origins are in Russia, although attributing cyber attacks is far from an exact science.

For example, Chinese hackers, who have also been involved in energy-related espionage in the past, have been known to route their attacks through Russia to provide cover for their activities.

—By The Financial Times’ Sam Jones