Editor’s Note: The following report is excerpted from Joseph Farah’s G2 Bulletin, the premium online newsletter published by the founder of WND. Subscriptions are $99 a year or, for monthly trials, just $9.95 per month for credit card users, and provide instant access for the complete reports.
Unearthed by the cyber security firm Symantec, Dragonfly has been in operation since at least 2011. Its malware software allows its operators to not only monitor in real time, but also disrupt and even sabotage wind turbines, gas pipelines and power plants – all with the click of a computer mouse.
The attacks have disrupted industrial control system equipment providers by installing the malware during downloaded updates for computers running the ICS equipment.
According to Symantec, more than a thousand organizations in 84 countries were affected over an 18-month period.
Most of the targets were in the United States, Spain, France, Italy, Germany Turkey and Poland – all countries belonging to the North Atlantic Treaty Organization.
This has led some analysts to suggest the attacks were orchestrated by Russia, which seeks to build buffers between the Russian Federation and the NATO countries.
Given the time of day of the computer attacks – during work hours – and the targeting of strategic data, analysts believe the attacks were sanctioned by a government.
The attacks apparently are ongoing, as companies in the energy sector continue to sustain damage and disruptions to energy supplies in the most affected countries.
The Dragonfly group is said to have at its disposal a range of malware tools to disrupt computer systems, especially industrial control systems. Sources believe it operates similar to the Stuxnet malware that the United States and Israel had used against Iran’s nuclear program to disrupt the operation of its centrifuges that enrich uranium.
According to Symantec, Dragonfly used two main malware tools – Backdoor Oldrea and Trojan Karagany. The former appears to be customized malware written for the attackers.
Eric Chien of Symantec’s Security Technology and Response Team told Bloomberg in an interview the type of access Dragonfly has indicates something more than snooping.
“When they do have that type of access, that motivation wouldn’t be for espionage,” Chien said. “When we look at where they’re at, we’re very concerned about sabotage.”
“The worst-case scenario would be that the systems get shut down,” Chien said. “You could see the power go out, for example, and there could be disruption in that sense.”
Along these lines, the Federal Bureau of Investigation has uncovered “Ugly Gorilla,” a Chinese hacker who has been targeting utility companies’ systems to cut off heat and damage pipelines. The hacker is said to be working for the Chinese People’s Liberation Army. The hacker was indicted by a U.S. grand jury in May for economic espionage.
As for the Dragonfly hackers, they remained one step ahead of those seeking software packages that would fix their problem. They compromised a number of legitimate software packages that ICS equipment providers would seek to remedy the problem. The malware was inserted into these software remedies they had on their websites, making any downloads compromised before they could be used and, once implemented, compounded the cyber problems of industrial control systems.
Now that it has uncovered these software tools meant to attack industrial control systems, Synmantec has developed antivirus detection software for Backdoor Oldrea and Trojan Karagany.
F. Michael Maloof, senior staff writer for WND/ G2Bulletin, is a former security policy analyst in the Office of the Secretary of Defense. He can be contacted at email@example.com.
A sophisticated cyber weapon has infected industrial control systems of hundreds of European and U.S. energy companies over the last 18 months, Sam Jones of The Financial Times reports.
Researchers first reported on the espionage operation, linked to the Russian government, in January.
Symantec, a U.S. cybersecurity company that uncovered more details, said it believes the group behind the attacks is “based in eastern Europe and has all the markings of being state-sponsored.”
Jones writes that the cyber weapon, dubbed “Energetic Bear,” allows its operators “to monitor energy consumption in real time, or to cripple physical systems such as wind turbines, gas pipelines and power plants at will.”
Symantec reported that the attackers first infected three leading specialist manufacturers of industrial control systems, then inserted the malware covertly into legitimate software updates that companies sent to clients.
The Specter Of Stuxnet
The malware is similar to Stuxnet, a virus created by the U.S. and Israel that infected Iran’s Natanz nuclear facility in 2007 and reportedly destroyed roughly a fifth of Iran’s nuclear centrifuges by causing them to spin out of control.
Stuxnet is the most powerful cyber weapon ever created, and cybersecurity expert Ralph Langer contends that the attack “changed global military strategy in the 21st century.” And it seems that Energetic Bear is the new reality of cyberwarfare.
“The sober reality is that at a global scale, pretty much every single industrial or military facility that uses industrial control systems at some scale is dependent on its network of contractors, many of which are very good at narrowly defined engineering tasks, but lousy at cybersecurity,” Langer wrote in Foreign Policy.
Symantec found that the attack has compromised the computer systems of more than 1,000 organizations in 84 countries. The main targets, which appear to be based on espionage, were in Spain and the U.S., followed by France, Italy, and Germany.
“To target a whole sector like this at the level they are doing just for strategic data and control speaks of some form of government sanction,” Stuart Poole-Robb, a former MI6 and military intelligence officer and founder of security consultancy KCS Group, told FT. “These are people working with Fapsi [Russia’s electronic spying agency], working to support mother Russia.”
WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.
But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.
Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.
“This process is biased toward responsibly disclosing such vulnerabilities,” she said.
Until now, the White House has declined to say what action Mr. Obama had taken on this recommendation of the president’s advisory committee, whose report is better known for its determination that the government get out of the business of collecting bulk telephone data about the calls made by every American. Mr. Obama announced last month that he would end the bulk collection, and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders when needed.
But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations, concerning encryption and cyber operations, set off a roaring debate with echoes of the Cold War battles that dominated Washington a half-century ago.
One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.
Another recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.
The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.
Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.
“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”
At the center of that technology are the kinds of hidden gaps in the Internet — almost always created by mistake or oversight — that Heartbleed created. There is no evidence that the N.S.A. had any role in creating Heartbleed, or even that it made use of it. When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.
But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.
The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.
“Cyber as an offensive weapon will become bigger and bigger,” said Michael DeCesare, who runs the McAfee computer security operations of Intel Corporation. “I don’t think any amount of policy alone will stop them” from doing what they are doing, he said of the Russians, the Chinese and others. “That’s why effective command and control strategies are absolutely imperative on our side.”
The presidential advisory committee did not urge the N.S.A. to get out of the business entirely. But it said that the president should make sure the N.S.A. does not “engineer vulnerabilities” into commercial encryption systems. And it said that if the United States finds a “zero day,” it should patch it, not exploit it, with one exception: Senior officials could “briefly authorize using a zero day for high priority intelligence protection.”