Hackers Target Control Systems in U.S. Energy Firms: Symantec

A group of cyberspies believed to be operating out of Russia has been observed targeting energy facilities in the United States and other countries, and the attackers appear to be increasingly interested in gaining access to the control systems housed by these organizations.

The group, known as Dragonfly, Crouching Yeti and Energetic Bear, has been active since at least 2010, but its activities were first detailed by security firms in 2014. Many of the threat actor’s attacks have focused on the energy sector in the United States and Europe.

Symantec says it has been monitoring a new campaign, which it has dubbed “Dragonfly 2.0,” since late 2015. The company has spotted victims of this operation in the United States, Switzerland and Turkey.

Symantec first warned about Dragonfly’s potential power grid sabotage capabilities in 2014. However, there has been no evidence that any of the group’s attacks resulted in power disruptions. The company now claims to have found evidence that may suggest the attackers have actually gained access to computers linked to operational systems.

The FBI and the DHS recently issued a joint report to warn manufacturing plants, nuclear power stations and other energy facilities in the U.S. of attacks that may have been launched by Dragonfly. However, the U.S. Department of Energy said only administrative and business networks were impacted, not systems controlling the energy infrastructure.

Symantec pointed out that Dragonfly’s initial campaigns appeared to focus on breaching the targeted organizations’ networks. However, in more recent attacks, the hackers seemed interested in learning how energy facilities operate and gaining access to operational systems. Experts warned that access to operational systems could be used in the future for more disruptive purposes, including to cause power outages.

However, the most “concerning evidence” presented by the security firm involves screen captures taken by the group’s malware. Some screen capture files analyzed by researchers had names containing the location and a description of the infected machine and the targeted organization’s name. Some of the machine descriptions included the string “cntrl,” which may mean that the compromised machine had access to control systems.

Experts previously linked Dragonfly to Russia. Symantec has not made any clear statements regarding the threat actor’s location, but it did say that some of the malware code was in Russian. However, researchers also reported finding strings written in French, which suggests that the attackers may be trying to throw investigators off track.

Symantec has linked the Dragonfly 2.0 attacks to earlier Dragonfly campaigns based on the use of watering holes, phishing emails, trojanized applications, and the same malware families, including the Heriplor backdoor that appears to be exclusively used by this group.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
