A group of hackers believed to be linked to the Russian government has spent nearly two years collecting intelligence inside the computer networks of energy companies in the United States, Turkey and Switzerland, but to what end is unclear.
The activity is just the latest in a string of intrusions targeting energy companies around the world in recent years. Russia is believed to have launched a pair of cyberattacks, in December 2015 and December 2016, against the Ukrainian energy grid, plunging hundreds of thousands of residents into temporary darkness.
And the U.S. government has found Russian-linked malware on the computers of American utility operators on a number of occasions, most recently in July.
In this case, security company Symantec attributed the attacks to a group called Dragonfly, also known as Energetic Bear, but declined to link Dragonfly with any particular government or nation state.
However, the U.S. Department of Homeland Security and the Federal Bureau of Investigation have previously linked Dragonfly to Russia.
“What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems,” states a Symantec report released Wednesday. “What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so.”
The group was active between 2011 and 2014 and, after a lull, re-emerged with its most recent campaign starting in late 2015. However, the Symantec researchers noticed a “distinct increase in activity” this year.
Symantec did not name any of the targeted energy companies.
The attackers used a range of techniques to gain access to energy company computers, including phishing emails disguised as a New Year’s Eve party invitation, and malicious email attachments disguised as business-related documents.
“The attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector,” the report says.
Once the attackers had established remote access to a company’s network, those harvested account credentials could be used to log on to other computers inside the network, spreading the compromise well beyond the first infected machine.
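The credential reuse described above is something a defender can look for in authentication logs: one account, from one source host, suddenly logging on to many internal machines in a short window. The script below is an added illustration written for this page, not code from Symantec or from the report; it runs a simple sliding-window check over a small set of constructed Windows-style network logon records (host names, user names and timestamps are invented). The threshold values (`window`, `min_hosts`) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network logon events (Windows logon type 3 = network).
# These records are made up for this example; they are not from the report.
SAMPLE_EVENTS = [
    "2017-09-05T08:01:10 user=jdoe src=WS-017 dst=FILESRV01 type=3",
    "2017-09-05T08:01:42 user=jdoe src=WS-017 dst=HMI-ENG02 type=3",
    "2017-09-05T08:02:03 user=jdoe src=WS-017 dst=DC01 type=3",
    "2017-09-05T08:02:40 user=jdoe src=WS-017 dst=HIST01 type=3",
    "2017-09-05T08:03:15 user=jdoe src=WS-017 dst=HMI-ENG03 type=3",
    "2017-09-05T09:15:00 user=asmith src=WS-042 dst=FILESRV01 type=3",
    "2017-09-05T13:40:00 user=asmith src=WS-042 dst=MAIL01 type=3",
    "2017-09-05T10:00:00 user=svc_backup src=BACKUP01 dst=FILESRV01 type=3",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def find_credential_reuse(lines, window=timedelta(minutes=10), min_hosts=4):
    """Flag (user, source host) pairs that reached at least `min_hosts`
    distinct destination hosts within `window`. Returns a list of alerts."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda r: r["ts"])

    # Group network logons by the actor: the account plus the host it came from.
    by_actor = defaultdict(list)
    for e in events:
        if e.get("type") == "3":
            by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_actor.items():
        # Slide a window over this actor's logons, oldest first.
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["dst"])
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src": src,
                    "hosts": sorted(hosts),
                    "first_seen": start["ts"],
                })
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in find_credential_reuse(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"starting {a['first_seen']}: {', '.join(a['hosts'])}")
```

On the constructed sample, only `jdoe` from `WS-017` trips the check (five hosts in about two minutes); the two logons by `asmith` hours apart and the single service-account logon do not. In a real environment the same rule needs an allow-list for legitimate fan-out sources such as backup, monitoring and scanning hosts, or it will page on every patch cycle.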
Symantec says Dragonfly is still active, although for now the group’s actions appear limited to reconnaissance. But in a possible hint of things to come, the attackers were observed taking screen captures of operational systems, which the Symantec report suggests could include control systems, based on how the screen capture files are named.