Sophisticated hacking campaign has targeted energy sector since 2015


Hackers have been implanting malware in the international energy sector  — including in the United States — in a newly discovered, sophisticated campaign dating back to late 2015, according to a report released Wednesday.

Symantec identified the new campaign, which displayed a rapid uptick in activity in 2017. They have dubbed this series of attacks “Dragonfly 2.0” due to an apparent connection to a group Symantec dubs Dragonfly that is also commonly called Energetic Bear. 


Energetic Bear/Dragonfly is a well-known energy sector hacking group that other security companies believe is connected to the Russian government.

“Policymakers should know the risks were at a whole new level for the group in this round of attacks,” Bill Wright, director of public affairs and senior counsel at Symantec, told The Hill.

“The difference between this wave of Dragonfly attacks and the earlier one was the level of access. Prior to this we saw access to the business networks. What really concerned us about these attacks was access to the control systems, the ones that actually control industrial processes,” he added.

Symantec believes that the new attacks could signify the group “may be entering into a new phase” now intended to expand access to operational systems and are taking screenshots of all systems in use to outline their function.

According to Symantec’s report, the new campaign focuses on U.S., Swiss and Turkish networks with additional traces of activity seen in other countries.

Energy sector employees appear to have inadvertently infected their networks by visiting malware laced websites, through phishing attacks and by being offered fake updates for Adobe’s Flash multimedia player.

The attacks were primarily directed at companies involved in power generation, transmission and distribution said Eric Chien, technical director of Symantec’s security technology and response division. 

Symantec said it reached out to more than 100 different industry groups to get the word out about the new wave of Energetic Bear attacks. 

Energetic Bear, who has been active since at least 2010, also has targeted U.S. and Turkish systems, with activity against Turkey increasing in the new campaign.

Symantec’s report says “there are a number of indicators linking recent activity with earlier Dragonfly campaigns,” but the firm’s write up only includes mentions of links through the use of malware that in the past, has only been seen when used by Energetic Bear.

Though the use of exclusive malware can be a valuable tool in identifying an attacker, it is not generally considered to be a conclusive single piece of evidence.

“We’re confident it is related to the original group,” said Chien. 

“These are tools that no one besides the group have used since we’ve been tracking them. Even if someone involved in the group had given the source code to someone else, these were similar enough you’d circle the two and lump them together.”

The firm notes that malware used in the attacks was coded in both English and French, which it believes signifies an effort to confuse investigators trying to make an attribution.

Chien warned that the Energetic Bear attacks harvested credentials, so fixing the problem requires more than eliminating the malware from the system. Instead, he said, anyone with access to those networks might need to change usernames and passwords. 

This story was last updated at 2:10 p.m.


Most Popular

Load more


See all Video