The report states that the Dragonfly group has re-emerged after roughly a four-year hiatus and now potentially has the ability to disrupt or take control of the power grids it has compromised. Symantec calls this new wave of attacks Dragonfly 2.0 in its report.
This isn't the first time hackers have set their sights on a power grid. In 2015 and 2016, attackers disrupted Ukraine's power grid, leaving hundreds of thousands of people without power. More recently, hackers linked to the Russian government have developed malware designed to target the US.
Dragonfly 2.0 used a targeted email campaign with content specific to the energy sector, which tricked power company employees into opening the malicious attachments. Once an attachment was opened, it leaked the user's network credentials to a server controlled by the attackers. The group also used watering hole attacks, compromising websites frequented by people working in the energy sector; when a user visited one of the compromised sites, their network credentials were harvested. In one case, after a user visited a compromised site, a backdoor that Symantec detects as Backdoor.Goodor was installed on the user's computer, giving the attackers remote control of the system.
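The credential-leaking attachments and watering hole pages described above work by coercing the victim's computer into authenticating to an attacker-controlled server, which on Windows typically means an outbound SMB or NetBIOS session (TCP 445 or 139) to an address outside the organisation. Such traffic almost never has a legitimate reason to leave the network, so it is a cheap check to run over firewall or flow logs. The following Python is an added detection example, not code from Symantec or from the article: it scans constructed connection-log lines (the log format, host names and all addresses are assumptions) for outbound SMB/NetBIOS to external hosts and counts how many internal machines reached each external server, since several workstations talking to the same outside SMB server is a stronger signal than one.

```python
"""Flag outbound SMB/NetBIOS sessions from internal hosts to external addresses.

Added example, not part of the Symantec report or the article. It assumes a
simple whitespace-separated connection log: timestamp src_ip dst_ip dst_port proto.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Address ranges treated as internal; anything else counts as external.
# RFC 1918 plus loopback and link-local (assumption: adjust to your site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Ports over which a Windows host sends NTLM credentials when a document or
# web page coerces it to fetch a remote resource: SMB and NetBIOS session.
CREDENTIAL_LEAK_PORTS = {445, 139}

# Constructed sample log lines (not real traffic). The 203.0.113.0/24 and
# 198.51.100.0/24 documentation ranges stand in for public addresses.
SAMPLE_LOGS = [
    "2017-09-06T10:01:12 10.20.30.41 10.20.30.5 445 tcp",     # file server, fine
    "2017-09-06T10:01:15 10.20.30.41 203.0.113.77 445 tcp",   # SMB to the internet
    "2017-09-06T10:02:03 10.20.30.42 198.51.100.9 443 tcp",   # ordinary HTTPS
    "2017-09-06T10:02:40 10.20.30.43 203.0.113.77 139 tcp",   # NetBIOS to same host
    "2017-09-06T10:03:01 10.20.30.44 192.168.5.10 445 tcp",   # internal, fine
    "2017-09-06T10:03:30 198.51.100.9 10.20.30.42 445 tcp",   # inbound, out of scope
    "malformed line",                                          # must be skipped
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto.lower()}


def find_outbound_smb(lines: List[str]) -> List[Dict[str, object]]:
    """Return records where an internal host opened SMB/NetBIOS to an external host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"] == "tcp"
                and rec["dport"] in CREDENTIAL_LEAK_PORTS
                and is_internal(str(rec["src"]))
                and not is_internal(str(rec["dst"]))):
            hits.append(rec)
    return hits


def victims_per_destination(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count distinct internal sources per external SMB/NetBIOS destination."""
    by_dst = defaultdict(set)
    for h in hits:
        by_dst[str(h["dst"])].add(str(h["src"]))
    return {dst: len(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} possible credential leak")
    for dst, n in victims_per_destination(found).items():
        print(f"{dst}: {n} internal host(s) attempted SMB/NetBIOS authentication")
```

In practice the same rule belongs at the perimeter as a block, not just a detection: egress filtering of TCP 445 and 139 stops the credential from ever reaching the attacker's server, and the log of blocked attempts still tells you which users opened the document or visited the site.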
According to Symantec, “Sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns. The most notable examples of this are Stuxnet and Shamoon, where previously stolen credentials were subsequently used to administer their destructive payloads.”