Symantec Warns Of Hackers Gaining 'Operational Access' To North American Power Grids

Symantec on Wednesday warned that a three-year hacking campaign that has targeted power plants in the U.S. and Europe appears to have intensified this year.

The security company said in a blog post that a hacking group called Dragonfly seems to be behind a recent series of attacks, which have both compromised energy companies and, in some case, led to hackers gaining operational access to power grids in the U.S.

"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so," Symantec said in a blog post.

[Related: Security Firms: CrashOverride Malware Marks Newest Security Threat For Industrial Control Systems]

According to the security firm, the hackers are using a variety of methods to gain access to energy plant networks – including sending malicious emails to plant employees and operators, as well as sending files disguised as Flash updates that are used to install malicious back doors onto target networks.The campaign has been targeting energy grid operators, oil pipeline operators and industrial equipment providers.

For instance, one malicious email campaign sent emails to employees of an unidentified energy sector company disguised as an invitation to a New Year's Eve party. Once opened, a document attached to these emails would attempt to leak victims' network credentials to a server outside of the organization.

Hackers have also used "watering hole" attacks to target the power grid, through compromising websites that are likely to be visited by employees in the energy sector.

Symantec and some other security groups first exposed Dragonfly's campaign in 2014, and it has since died down – but in 2017 there has been "a distinct increase in activity," said the company.

Cybersecurity concerns have increased in the industrial control segment, particularly since December 2016 when a cyberattack briefly shut down power in parts of Kiev, Ukraine, affecting hundreds of thousands of people. In June, security firms Dragos and ESET revealed a new malware framework, CrashOverride, which they alleged was behind the Ukraine attack and is capable of taking down grids for a few days.

Marc Harrison, president of Silicon East, a Marlboro, N.J.-based solution provider, said that organizations in the power sector need to heed to several security practices – including limiting access to trusted devices, implementing two or three factor authentication on devices, monitoring all industrial control systems for suspicious behavior, and removing all external access to critical systems.

"Power plants are no different than any other business when it comes to cyber-security – it’s just that the consequences are potentially so much more serious," said Harrison. "All of the same security best practices apply and need to be implemented and continuously managed."