
Someone has been hacking into US power stations


An unknown nation state has targeted more than 20 utilities since 2015


Illustration by Alex Castro / The Verge

A new Symantec report details a sustained and sophisticated campaign to hack into more than 20 power stations in the United States and elsewhere. Dubbed “Dragonfly,” the campaign has been active in some form since 2011, but Symantec identifies a surge in activity beginning in late 2015 and continuing through the present. Dozens of utilities were targeted in the spring and summer of this year, including many in the US.

First reported by Wired, the latest round of attacks is more invasive, taking control of many of the systems rather than simply exploring them. “The group now potentially has the ability to sabotage or gain control of these systems should it decide to do so,” Symantec researchers wrote in the report.

The group’s ultimate goal is still unclear, but there’s reason to think they had extensive access to the targeted organizations. Symantec found screen captures from targeted computers cataloged by organization and device name, often including the phrase “cntrl,” which may indicate the group had successfully taken control of the device.

Symantec stops short of definitively attributing the attack, but the persistence and restraint involved in the years-long campaign suggest a nation state attacker with a political motive. There are significant similarities to earlier Russia-linked campaigns against power plants in Ukraine, although no definitive link has been established between the two campaigns.

Despite the group’s apparent sophistication, their attacks did not exploit any undisclosed vulnerabilities, often referred to as “zero-days.” Instead, the attacks relied on known vulnerabilities and proven email phishing techniques — including a malicious invite to a New Year’s Eve party. That makes it harder to definitively attribute the attack, since zero-day exploits are often unique to a given attacker.

“This could be an attempt to deliberately thwart attribution,” Symantec researchers wrote in a post, “or it could indicate a lack of resources.”