A group of Russian hackers known collectively as either "Energetic Bear" or "Dragonfly" is mounting sabotage operations against a number of power and oil companies primarily located in the U.S. and throughout parts of Europe. Among the group's targets are energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry equipment providers.
Security outfit Symantec says the group is well resourced with access to a wide range of malware tools capable of launching attacks in a variety of ways. They've been operating since at least 2011 and perhaps longer. Initial targets included defense and aviation companies in the U.S. and Canada before the hacking group turned its attention to U.S. and European energy firms early in 2013.
"[Dragonfly's] most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan," Symantec stated in a blog post. "This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers."
The hacking group has also used spam email campaigns and watering hole attacks to infect its targets. Its two most commonly used malware tools are Backdoor.Oldrea, which appears to be a custom bit of code written by or for the attackers, and Trojan.Karagany.
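The trojanized-update vector described above works because the victim trusts whatever the vendor's download site serves. A basic defensive control is to refuse any update whose SHA-256 hash does not match a value the operator obtained out of band (for example from a vendor release note delivered through a separate channel), so that a package swapped on the download server fails the gate. The following is an added example, not code from Symantec or from any vendor named here; the package bytes, the file name `hmi-update-2.3.1.exe`, and the pinned-hash table are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample packages held in memory. In practice these would be files
# fetched from the equipment vendor's update site.
GENUINE_PACKAGE = b"ICS-HMI-UPDATE v2.3.1 (constructed genuine installer bytes)"
# A tampered copy: the same installer with extra bytes appended, standing in for
# a package that was replaced on a compromised vendor download server.
TROJANIZED_PACKAGE = GENUINE_PACKAGE + b"\x00(constructed appended payload)"


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of the package bytes."""
    return hashlib.sha256(data).hexdigest()


# Out-of-band allowlist (constructed): the operator records the vendor's published
# hash for each release from a channel other than the download site itself.
PINNED_HASHES = {
    "hmi-update-2.3.1.exe": sha256_hex(GENUINE_PACKAGE),
}


@dataclass
class VerifyResult:
    allowed: bool
    reason: str


def verify_update(filename: str, data: bytes, pinned: dict = PINNED_HASHES) -> VerifyResult:
    """Gate an update: allow installation only if the package hash matches the
    pinned value for that file name. Unknown file names are refused outright
    rather than being allowed through on a missing entry."""
    expected = pinned.get(filename)
    if expected is None:
        return VerifyResult(False, f"{filename}: no pinned hash on record; refusing to install")
    actual = sha256_hex(data)
    # compare_digest avoids timing differences on mismatched digests.
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(
            False,
            f"{filename}: hash mismatch (got {actual[:12]}..., expected {expected[:12]}...)",
        )
    return VerifyResult(True, f"{filename}: hash matches pinned value")


if __name__ == "__main__":
    for label, pkg in (("genuine", GENUINE_PACKAGE), ("tampered", TROJANIZED_PACKAGE)):
        result = verify_update("hmi-update-2.3.1.exe", pkg)
        print(f"{label:8} allowed={result.allowed}  {result.reason}")
    print(verify_update("unknown-tool.exe", GENUINE_PACKAGE).reason)
```

Hash pinning only helps if the pinned value really did come from a channel the attacker cannot also control; where the vendor publishes signed releases, verifying that signature against a key distributed with the original product is the stronger form of the same gate.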
Symantec has a few detections in place that will protect customers, but it's also worth noting that "the Dragonfly group is technically adept and able to think strategically."