Over 1,000 European and US energy firms hit by Russian 'Energetic Bear' virus that let hackers take control of power plants

Attack 'bears the hallmarks of a state-sponsored operation'

Timestamps show hackers based in Eastern Europe

Malware has now been identified and can be removed

Over 1,000 energy firms were infected with a sophisticated cyber weapon that gave hackers access to power plant control systems, it has been revealed.

Called 'Energetic Bear', the malware was unmasked by security firm Symantec.

Symantec said the software allows its operators to monitor energy consumption in real time - and to cripple physical systems such as wind turbines, gas pipelines and power plants at the click of a mouse.

HOW IT WORKS

The most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan.

This caused companies to install the malware when downloading software updates for computers running ICS equipment.

These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers. Dragonfly uses two main pieces of malware in its attacks.

Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers.
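The supply-chain route described in the box above works because the victim trusts whatever the vendor's download site serves. The defensive counterpart is to pin what a genuine update should contain and refuse to install anything that differs. The following is an added example, not Symantec's code and not any ICS vendor's tooling: it assumes a vendor manifest of per-file SHA-256 digests obtained out of band (the file names, file contents and manifest here are constructed for the demonstration) and gates the install step on that manifest.

```python
import hashlib
import hmac

# Constructed sample data for this example: a genuine vendor update package
# (file name -> bytes) and the pinned manifest a defender would obtain out of
# band, e.g. from the vendor's signed release notes, NOT from the download site.
GENUINE_PACKAGE = {
    "ics_agent_setup.exe": b"MZ\x90\x00genuine-installer-bytes",
    "ics_driver.sys": b"MZ\x90\x00genuine-driver-bytes",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(package: dict) -> dict:
    """Hash every file in a package; in practice the vendor publishes this list."""
    return {name: sha256_hex(data) for name, data in package.items()}


# Stands in for the out-of-band manifest (constructed here from the genuine package).
PINNED_MANIFEST = build_manifest(GENUINE_PACKAGE)

# A trojanised copy of the same package, as it would look if the vendor's
# download server had been compromised: one listed file has been altered and an
# extra component the manifest never mentioned has been added (constructed data).
TROJANISED_PACKAGE = {
    "ics_agent_setup.exe": GENUINE_PACKAGE["ics_agent_setup.exe"] + b"\x00altered",
    "ics_driver.sys": GENUINE_PACKAGE["ics_driver.sys"],
    "update_helper.dll": b"MZ\x90\x00unlisted-component",
}


def verify_update(package: dict, manifest: dict) -> dict:
    """Compare a downloaded package against the pinned manifest.

    Returns a report with three lists: modified (digest mismatch), unexpected
    (present but not listed) and missing (listed but absent). ok is True only
    when all three are empty.
    """
    modified, unexpected = [], []
    for name, data in package.items():
        expected = manifest.get(name)
        if expected is None:
            unexpected.append(name)
        elif not hmac.compare_digest(sha256_hex(data), expected):
            modified.append(name)
    missing = [name for name in manifest if name not in package]
    ok = not (modified or unexpected or missing)
    return {
        "ok": ok,
        "modified": sorted(modified),
        "unexpected": sorted(unexpected),
        "missing": sorted(missing),
    }


def install_if_verified(package: dict, manifest: dict, install) -> bool:
    """Gate the install step: call install(package) only when verification passes."""
    report = verify_update(package, manifest)
    if not report["ok"]:
        return False
    install(package)
    return True


if __name__ == "__main__":
    installed = []
    print(install_if_verified(GENUINE_PACKAGE, PINNED_MANIFEST, installed.append))
    print(verify_update(TROJANISED_PACKAGE, PINNED_MANIFEST))
```

The check deliberately reports extra files as well as altered ones: a trojanised update typically adds a component rather than only modifying an existing one, and a digest-only loop over the files the manifest lists would miss it. The manifest itself must come from a channel the download server cannot tamper with; a digest list fetched from the same compromised site proves nothing.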

The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.

The attack is believed to have compromised the computer systems of more than 1,000 organisations in 84 countries in a campaign spanning 18 months.

'Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers,' Symantec said.

'The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.'


Where the Energetic Bear bit: Symantec said the US and Spain were worst hit.

The Dragonfly group, which is also known by other vendors as Energetic Bear, appears to have been in operation since at least 2011 and may have been active even longer than that, Symantec said.

'Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.'

'Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.

'Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone.

'Based on this information, it is likely the attackers are based in Eastern Europe.'
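The timestamp analysis Symantec describes is a standard attribution technique: read the compile timestamp from each sample, view the timestamps in candidate UTC offsets, and look for the offset in which they cluster into a Monday-to-Friday, nine-to-six working week. The following is an added example, not Symantec's tooling and not derived from real Dragonfly samples: the ten timestamps are constructed for illustration, and the code reads the COFF TimeDateStamp from a minimal hand-built PE header, builds the weekday and hour profile for a chosen offset, and picks the whole-hour offset that best fits a working week.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def _utc(y, mo, d, h, mi):
    """Epoch seconds for a UTC date/time (used only to build the sample data)."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


# Constructed sample: compile timestamps (seconds since the Unix epoch, UTC)
# as they would be read from the COFF TimeDateStamp field. Invented values,
# not real Dragonfly samples; nine fall on weekdays, one on a Saturday.
SAMPLE_TIMESTAMPS = [
    _utc(2013, 3, 4, 6, 15),    # Mon
    _utc(2013, 3, 5, 7, 40),    # Tue
    _utc(2013, 3, 6, 5, 5),     # Wed
    _utc(2013, 3, 7, 12, 30),   # Thu
    _utc(2013, 3, 8, 13, 50),   # Fri
    _utc(2013, 3, 11, 8, 20),   # Mon
    _utc(2013, 3, 12, 9, 0),    # Tue
    _utc(2013, 3, 13, 10, 45),  # Wed
    _utc(2013, 3, 14, 6, 55),   # Thu
    _utc(2013, 3, 16, 2, 0),    # Sat (outlier)
]


def pe_timestamp(data: bytes) -> int:
    """Read TimeDateStamp from a PE image.

    e_lfanew (4 bytes LE at offset 0x3C) points to the 'PE\\0\\0' signature;
    the COFF header follows it: Machine (2 bytes), NumberOfSections (2 bytes),
    then TimeDateStamp (4 bytes LE), i.e. at e_lfanew + 8.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def make_minimal_pe(ts: int) -> bytes:
    """Build just enough of a PE header to carry a timestamp (constructed test input)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, ts)  # i386, 3 sections, stamp
    return bytes(hdr)


def activity_profile(epochs, offset_hours):
    """Count compile times per weekday and per hour, viewed in the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    weekdays, hours = Counter(), Counter()
    for e in epochs:
        local = datetime.fromtimestamp(e, tz=tz)
        weekdays[local.strftime("%a")] += 1
        hours[local.hour] += 1
    return weekdays, hours


def working_hours_fraction(epochs, offset_hours, start=9, end=18):
    """Fraction of samples compiled Mon-Fri within [start, end) local hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for e in epochs:
        local = datetime.fromtimestamp(e, tz=tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(epochs)


def best_fit_offset(epochs, start=9, end=18):
    """Whole-hour UTC offset in -12..+14 whose working-week window fits the most samples."""
    return max(range(-12, 15),
               key=lambda off: working_hours_fraction(epochs, off, start, end))


if __name__ == "__main__":
    stamps = [pe_timestamp(make_minimal_pe(t)) for t in SAMPLE_TIMESTAMPS]
    off = best_fit_offset(stamps)
    print("best-fit offset: UTC%+d" % off)
    print("weekdays, hours:", activity_profile(stamps, off))
```

Two caveats belong with any result this produces. The compile timestamp is written by the build tool and can be set to anything, so it is evidence of a working pattern only across many samples that an attacker had no reason to doctor consistently; and a UTC offset narrows the region but does not identify a country, which is why Symantec's own wording stops at "likely" and "Eastern Europe".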

Stuart Poole-Robb, a former MI6 and military intelligence officer and founder of KCS Group, a security consultancy, told the FT: 'To target a whole sector like this at the level they are doing just for strategic data and control speaks of some form of government sanction.

