From Russia, With Hacks

Symantec has uncovered one of the largest hacking operations in history

© 2017 Flickr - woodleywonderworks

Russia has in recent months been ruffling the world’s feathers with a series of actions in Ukraine and Syria. However, new evidence has emerged that it may also be conducting operations across cyberspace.

Cyber security and antivirus firm Symantec has uncovered one of the largest hacking operations ever seen, which it believes emanates from within Russia. A hacker group calling itself ‘Dragonfly’ or ‘Energetic Bear’ was found to be actively infiltrating a large number of networks across continental Europe and America. Specifically, the group focused on the US and Spain, where more than half of all infections were found.

Dragonfly infections by country. Image © 2014 Symantec

Unlike attacks from run-of-the-mill criminals, which usually focus on financial institutions or data centers, these infiltrations were focused on so-called ‘critical infrastructure’. Among the places hit were electricity generation firms, power grid operators, fuel and gas pipelines and other important utilities providers.


In addition to this unusual target list, the ‘Dragonfly’ group was found to be operating within a strict set of office working hours. These corresponded to the business hours of a time zone which stretches across parts of Eastern Europe and Russia. The attacks themselves were found to have been ongoing since at least 2011. This sort of target list, combined with regular working hours, led Symantec to suggest that these people were working as part of a large organisation such as a government.

What is concerning to the nations hacked is that these targets are not useful for simple espionage work, but rather for sabotage operations. In a similar way to the infamous Stuxnet virus which the US used to target the Iranian nuclear program, the malware used by the ‘Dragonfly’ team could be used to remotely shut down this critical infrastructure.

In order to attack such a wide variety of targets, the group utilized a large number of common hacking strategies. Among these were the use of so-called ‘phishing’ emails sent to personnel within targeted companies and the use of ‘watering-hole’ booby-trapped websites, which lure users to visit and then infect the user’s computer. In addition, they made use of a customized Trojan horse which inserted malicious code into infected systems.

The revelations come as cyberspace is becoming more and more of a key battleground between nations. Even during periods of peace, it makes strategic sense for government-sponsored cyber-soldiers to infect and compromise as large a number of systems as possible, so sabotage and disruption capabilities can be at hand, should sustained hostilities arise.