Editor’s Note: The following report is excerpted from Joseph Farah’s G2 Bulletin, the premium online newsletter published by the founder of WND. Subscriptions are $99 a year or, for monthly trials, just $9.95 per month for credit card users, and provide instant access for the complete reports.
WASHINGTON – U.S. and European energy companies have become the target of a “Dragonfly” virus out of Eastern Europe that goes after energy grids, major electricity generation firms, petroleum pipeline operators and energy industrial equipment providers.
Unearthed by the cybersecurity firm Symantec, Dragonfly has been in operation since at least 2011. Its malware allows its operators not only to monitor in real time, but also to disrupt and even sabotage wind turbines, gas pipelines and power plants – all with the click of a computer mouse.
The attacks have disrupted industrial control system (ICS) equipment providers by installing the malware through software updates downloaded for computers running the ICS equipment.
According to Symantec, more than a thousand organizations in 84 countries were affected over an 18-month period.
Most of the targets were in the United States, Spain, France, Italy, Germany, Turkey and Poland – all countries belonging to the North Atlantic Treaty Organization.
This has led some analysts to suggest the attacks were orchestrated by Russia, which seeks to build buffers between the Russian Federation and the NATO countries.
Given the time of day of the computer attacks – during work hours – and the targeting of strategic data, analysts believe the attacks were sanctioned by a government.
The attacks apparently are ongoing, as companies in the energy sector continue to sustain damage and disruptions to energy supplies in the most affected countries.
The Dragonfly group is said to have at its disposal a range of malware tools to disrupt computer systems, especially industrial control systems. Sources believe it operates similarly to the Stuxnet malware that the United States and Israel had used against Iran’s nuclear program to disrupt the operation of the centrifuges that enrich uranium.
According to Symantec, Dragonfly used two main malware tools – Backdoor.Oldrea and Trojan.Karagany. The former appears to be custom malware written for the attackers.
Eric Chien of Symantec’s Security Technology and Response Team told Bloomberg in an interview that the type of access Dragonfly has indicates something more than snooping.
“When they do have that type of access, that motivation wouldn’t be for espionage,” Chien said. “When we look at where they’re at, we’re very concerned about sabotage.”
“The worst-case scenario would be that the systems get shut down,” Chien said. “You could see the power go out, for example, and there could be disruption in that sense.”
Along these lines, the Federal Bureau of Investigation has uncovered “Ugly Gorilla,” a Chinese hacker who has been targeting utility companies’ systems to cut off heat and damage pipelines. The hacker is said to be working for the Chinese People’s Liberation Army. The hacker was indicted by a U.S. grand jury in May for economic espionage.
As for the Dragonfly hackers, they remained one step ahead of those seeking software packages that would fix their problem. They compromised a number of legitimate software packages that ICS equipment providers offered on their websites as remedies. Because the malware was inserted into these packages at the source, any download was already compromised before it could be used and, once installed, compounded the cyber problems of the industrial control systems it was meant to fix.
Now that it has uncovered these software tools meant to attack industrial control systems, Symantec has developed antivirus detections for Backdoor.Oldrea and Trojan.Karagany.
F. Michael Maloof, senior staff writer for WND/G2 Bulletin, is a former security policy analyst in the Office of the Secretary of Defense. He can be contacted at [email protected].