A group of hackers known as "Energetic Bear" is targeting energy companies in the U.S. and Europe with malware that's capable of disrupting power supplies, Mountain View security company Symantec said.
The hackers, also called "Dragonfly," appear to have the resources, size and organization that suggest government involvement. It's unclear whether a state is directly involved or if the group is trying to sell to a government, said Eric Chien, chief researcher at Symantec's Security Technology and Response Team. The attackers are targeting grid operators, petroleum pipeline operators, electricity generation firms and other "strategically important" energy companies, Symantec said in a blog post Monday.
More than half of the infections found were in the U.S. and Spain, Symantec said. Serbia, Greece, Romania, Poland, Turkey, Germany, Italy and France were also targeted. The hackers appeared to work a standard week, operating 9 a.m. to 6 p.m., Monday through Friday, in a time zone shared by Russia and other eastern European countries, the company said.
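The working-week observation above comes from a standard analyst technique: take the UTC timestamps of attacker activity (compile times, command-and-control check-ins) and find the UTC offset at which most of them fall inside a 9-to-6, Monday-to-Friday window. The following is an added example of that inference, not code from the article or from Symantec; the timestamps are constructed for illustration and are not Dragonfly's data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample activity timestamps in UTC (stand-ins for malware compile
# times or C2 check-ins). Invented for this example; they are not real data.
SAMPLE_EVENTS_UTC = [
    datetime(2014, 6, 2 + d, h, m, tzinfo=timezone.utc)
    for d in range(5)  # Mon 2 Jun .. Fri 6 Jun 2014
    for h, m in [(6, 15), (7, 40), (9, 5), (11, 30), (13, 50), (14, 20)]
]

WORK_START, WORK_END = 9, 18  # local 9 a.m. to 6 p.m. (end exclusive)


def working_hours_fraction(events, utc_offset_hours):
    """Fraction of events that land Mon-Fri, 09:00-17:59 local time
    when the clock is shifted by the given UTC offset."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ev in events:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events)


def hour_histogram(events, utc_offset_hours):
    """Counter of local hour-of-day at the given offset; useful for eyeballing
    whether activity really clusters into a single working day."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(ev.astimezone(tz).hour for ev in events)


def score_offsets(events, offsets=range(-12, 15)):
    """(offset, fraction) pairs sorted best-first; ties favour smaller |offset|."""
    scored = [(off, working_hours_fraction(events, off)) for off in offsets]
    scored.sort(key=lambda t: (-t[1], abs(t[0])))
    return scored


def best_offsets(events):
    """All offsets sharing the top score. A sparse sample often yields several
    equally good offsets, so report the set rather than a single answer."""
    scored = score_offsets(events)
    top = scored[0][1]
    return [off for off, frac in scored if frac == top]


if __name__ == "__main__":
    for off, frac in score_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{off:+d}: {frac:.0%} of events inside the working week")
    print("best fit:", best_offsets(SAMPLE_EVENTS_UTC))
```

With the constructed sample every event fits a 9-to-6 weekday only at UTC+3, while UTC+2 and UTC+4 each push one event per day outside the window. On real data the fit is rarely this clean: daylight-saving changes, night-shift operators and automated beaconing all smear the histogram, which is why the result is reported as a band of plausible time zones rather than a country.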
"The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors," Symantec said. "These infections not only gave attackers a beachhead in the targeted organizations' networks, but also gave them the means to mount sabotage operations."
"When they do have that type of access, that motivation wouldn't be for espionage," Chien said. "When we look at where they're at, we're very concerned about sabotage."
Symantec started actively monitoring Dragonfly's activities in 2012, when the attacks only looked like espionage, Chien said. Dragonfly's focus switched to energy companies a few months ago. Some of the group's malware infiltrates remote access software used by these energy companies, giving attackers the same privileges as an industrial control system.
Cyber-spies are targeting utility companies all over the world. Dragonfly's tactics resemble those of Stuxnet, a computer virus found in 2010 to target Iranian nuclear facilities, Symantec said. The FBI discovered a Chinese hacker, called UglyGorilla, seeking access to parts of a U.S. utility company's systems that would let him cut off heat or damage pipelines. He and others working for the Chinese People's Liberation Army were indicted by a U.S. grand jury in May for computer fraud and economic espionage.
"The worst-case scenario would be that the systems get shut down," Chien said. "You could see the power go out, for example, and there could be disruption in that sense."