Dragonfly: How Britain’s Energy Sector Was Hacked
By Zach Boren – Unearthed: Last June, on the day the British public went to the polls in the 2017 general election, the country’s energy system was hit by a major cyber attack.
According to a leaked memo from spy agency GCHQ, companies across the sector were compromised by hackers.
The memo – and press reports at the time – did not name the “state-sponsored hostile threat actors” believed to be responsible. But western experts allege that the attack was likely carried out by Dragonfly, a team of hackers the US claims is based in Russia.
One of the problems with cyber security is that the evidence – of who carried out the crime and who they work for – rarely comes to light. Much of the information instead comes from highly politicised security services or firms that benefit from increased spending on cyber security.
As the UK embarks on an energy transformation – from new nuclear power plants to renewable energy and home batteries – some, or all, of these networks may be vulnerable to attacks motivated by money, politics or straight-forward blackmail, such as the recent WannaCry episode that paralysed hospitals across the country.
Dragonfly
Symantec, the world-leading cybersecurity firm that discovered Dragonfly and now monitors it, told Unearthed that the group was responsible for the election day hack, and for many other incidents like it in the UK.
This claim is supported by a recent investigation by Cylance, another cybersecurity firm, which details how Dragonfly phished its way into energy company systems using a phony Word document CV for a guy called ‘Jacob Morrison’.
Dragonfly may not be named in any public literature produced by the UK’s National Cyber Security Centre (NCSC), but the US Department of Homeland Security puts the group right at the top of its report on the surge of cyber activity around critical infrastructure, to which the NCSC regularly refers.
So what are the hackers doing in the UK’s energy system? At this point, experts believe, they are simply spying, learning how every aspect of the system works — from the National Grid and the power stations it manages to manufacturers of energy infrastructure equipment and even energy-focused commodity traders.
But concern is focused on what this extensive and sophisticated reconnaissance mission might be in preparation for: what if hackers – working solo or with links to organised crime or security services – had the ability to cut the power for millions of homes?
What happened in Ukraine
The go-to example of this kind of cybersabotage took place in Ukraine in late 2015, during a period of extreme political tension, when a group of hackers – not Dragonfly – turned off the lights for vast swathes of the country’s west for up to six hours, with knock-on effects still felt months later.
For a spell in the middle of one of Ukraine’s famously freezing winters, 230,000 homes were left without electricity. Hackers seized the grid operator’s control systems and quickly took out 30 substations and disabled the backup power supplies for officials tasked with tackling the crisis.
Vikram Thakur, technical director at Symantec, told Unearthed: “In Ukraine the attackers knew exactly which buttons to press and what changes to make in order to turn off the lights.
“Our systems are not as fragile as some of those in eastern European countries. We have a lot of different operators but also a lot of different checks, redundancies and levers to prevent any wide scale impact.”
Ex-US air force cyberwarfare officer Sam Lee told tech mag Wired that even an attack of this magnitude could have been more damaging, as it appeared the hackers had brought forward the operation in response to a clash in Crimea involving a bunch of pro-Ukrainian activists: “Looking at the data, it looks like they would have benefited and been able to do more had they been planning and gathering intelligence longer.”
Learning
Hackers may have learned from the Ukraine incident, just as security experts claim they are learning from their ventures into the UK’s critical infrastructure.
Dr Beyza Unal, a Chatham House expert on cybersecurity of the energy sector, told Unearthed, at this point, “it’s not so much about the damage as it is about learning how far they can go in a company’s systems to get the pattern of that system”.
This allows hackers to effectively plot a path through the company’s defences: “When you attack an organisation’s industrial controls or supervisory control and data acquisition systems [SCADA] you can actually create a pattern of your attack — where it hits the firewall, where it passes through and so on.”
She warned companies targeted by hacking groups that attacks are only going to get harder to handle: “If an attack happened and it was a very demanding attack that your organisation struggled to manage or couldn’t manage, you’re going to face another attack that is probably going to be worse than the one you faced before.”
“Attackers could already be in the system. You should always assume as an organisation that you have been compromised or will be compromised.
“There is no such thing as ‘yeah we’re taking all the measures and we won’t be compromised’ — that is not reality. You need to realise as an organisation you will be compromised eventually so how can you actually (a) detect that compromise in a timely manner and (b) prevent that action from flourishing to other areas.”
How they hack
So how do these groups execute attacks?
First they identify targets. “Ireland, the UK, the United States, Turkey, Canada — all of these countries have been on the receiving end of Dragonfly attacks,” according to Thakur.
Within these countries, Dr Unal said, special attention should be paid to “the places where real-time information passes,” like the National Grid (which declined to comment).
“If you hijack something that relies on real time information, then you are either giving false information to the system or you are manipulating the information that goes through.
“GPS, for example. There have been cases where GPS malfunctions of 12 seconds – something minuscule like that – had huge costs, particularly on the maritime sector.”
Once the targets have been identified, it becomes a matter of breaking and entering. Hacking groups often deploy a range of deceptions simultaneously.
There’s phishing, which many people will be familiar with: those dodgy emails from people you don’t know with a mystery link to click on or attachment to download that will open the floodgates for malware.
Then there’s spearphishing, which is basically the same thing as phishing but smarter, with hackers making those dodgy emails look like they come from a trusted source: a friend, coworker or legit company like Google or PayPal. The target is more likely to open the email and more likely to click on the link. This, for instance, is how Hillary Clinton’s campaign manager John Podesta had his emails hacked in 2016.
Hacking groups have also recently become known for using a technique called the ‘watering hole.’ Like predators waiting for thirsty animals at a pool or pond, the hackers wait for their target to come to them. They choose a website they know the target will visit and there they plant a bug.
Thakur explained: “There are websites out there which have a focus on news for manufacturers of electrical equipment, for example. So if I can hack my way into that website and plant my bug over there, every single person who visits that website will then be subjected to that bug.”
But it was, apparently, regular old phishing that got Dragonfly into the UK’s energy system on election day, specifically a phony Word document résumé for a guy called Jacob Morrison, which downloaded malware that harvests log-in details, according to Cylance’s investigation.
Why they hack
Once they’re in, hackers try to find their way onto the computers which handle the company’s control systems — except those are rarely connected to the internet.
There is, however, usually at least one computer on the operations side of the house which is hooked up to one computer on the corporate side of the house, which is where executives can email, surf the net and – of course – be compromised by hackers.
Thakur said: “For the hackers to really impact some change – turn off or turn on some buttons – they first need to gain access to the corporate side and then find their way onto the computers that will allow them to jump over to the operational technology [OT] side of the house.
“It’s a pretty long process for them and once they’re on the OT side of the house there are thousands and thousands of pieces of equipment which they need to know how they work. In that environment, by pushing one button I could close a valve but the company may then have a failsafe mechanism. The hackers need to learn that so that they know what valves to close and which buttons to press to actually effect change.”
Successfully making it to the operations side of the house can take a long time – months or even years – but Dragonfly hackers have done this, at least according to Thakur.
“Once they were on the OT computers all they did was take screenshots,” he said.
That is because, if and when they are spotted by IT administrators, they will be promptly kicked out of the system. So they would take pictures for posterity and “study this layout of the company’s equipment so one day they could come back and be more prepared and [know] what actions to take.”
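A defender’s view of the corporate-to-OT bridge described above, as an added example that is not code from the article, Symantec or Cylance: it reads constructed firewall-style log lines and flags any host other than the single sanctioned bridge reaching the OT address range, bridge use outside a maintenance window, and one source touching many OT hosts in a short span. The host names, the 10.50.0.0/16 range, the log format and the thresholds are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed site-specific values (not from the article): one sanctioned corporate->OT
# jump host, an OT address range, a daytime maintenance window, and a fan-out limit.
OT_NET = ipaddress.ip_network("10.50.0.0/16")
BRIDGE_HOSTS = {"eng-jump01"}
WORK_HOURS = range(8, 18)          # 08:00-17:59
FANOUT_LIMIT = 3                   # distinct OT hosts from one source before we call it mapping

# Constructed sample firewall log lines (timestamp, source host, destination, port, action).
SAMPLE_LOGS = """\
2017-06-08T09:12:01 src=eng-jump01 dst=10.50.1.20 dport=3389 action=allow
2017-06-08T09:15:43 src=finance-pc17 dst=10.50.1.20 dport=3389 action=allow
2017-06-08T09:16:10 src=finance-pc17 dst=10.50.1.21 dport=445 action=allow
2017-06-08T09:16:11 src=finance-pc17 dst=10.50.1.22 dport=445 action=allow
2017-06-08T10:02:55 src=eng-jump01 dst=10.50.1.30 dport=502 action=allow
2017-06-08T03:40:07 src=eng-jump01 dst=10.50.1.20 dport=3389 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) action=(?P<act>\w+)$"
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def analyse(log_text):
    """Return a list of findings for allowed connections into the OT range."""
    findings, touched = [], defaultdict(set)
    for ev in parse(log_text):
        if ev["act"] != "allow" or ipaddress.ip_address(ev["dst"]) not in OT_NET:
            continue
        touched[ev["src"]].add(ev["dst"])
        hour = int(ev["ts"][11:13])
        if ev["src"] not in BRIDGE_HOSTS:      # anything but the sanctioned bridge
            findings.append({"rule": "unsanctioned_bridge", "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"]})
        elif hour not in WORK_HOURS:           # the bridge itself, used off-hours
            findings.append({"rule": "off_hours_bridge", "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"]})
    for src, hosts in touched.items():         # one source mapping many OT hosts
        if len(hosts) >= FANOUT_LIMIT:
            findings.append({"rule": "ot_fanout", "src": src, "hosts": len(hosts)})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f)
```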
Defence
Over the last year the NCSC has taken a more active role in pushing companies across the country’s critical infrastructure to take steps to curb the danger of cyberattacks.
A series of high-profile scares such as the WannaCry ransomware incident last summer that paralysed computers used at hospitals (among others) and the introduction of new cybersecurity laws have reportedly driven key industries to better protect themselves.
But as Thakur and Unal both pointed out, you can minimise the risk but you cannot remove it outright.
From an environmental perspective, the obvious cybersecurity question is whether the UK’s current grid-led collection of big power projects is more vulnerable to this kind of attack than a more decentralised energy system composed of smaller generators, like windfarms.
In theory, that could be one solution to the cybersecurity problem.
After all, hackers might find it more difficult to turn off lights across the country if they had to break, enter, and spy on hundreds of energy targets rather than a select few (albeit a select few that are probably better resourced to handle cyber threats).
This theory is “probably a bit of an oversimplification,” according to Dr Robert Gross, energy policy professor at Imperial College London.
Applying his knowledge of blackouts and system malfunctions, Dr Gross gave thought to the prospect of a hostile cyber operation: “Historically and internationally we have seen what are called ‘common mode faults’ lead to a number of similar power stations being taken offline at the same time. This can lead to power shortages.
“Perhaps a cyber-attack could target several large power stations at once. If there were a large number of extremely heterogeneous decentralised stations then perhaps there is less risk of them all being hit by the same attack. However there is still a need to centrally coordinate system operation – and this could be targeted too – so it is by no means obvious that decentralised generation is inherently more secure than centralised.”
“A small number of bigger targets would appear to offer the hackers a better chance of success, but a whole range of other factors mean that this is probably a bit of an oversimplification.”
Dr Philip Grunewald, an energy researcher at Oxford’s environmental change institute, pointed out that decentralised systems can also have their own security risks: “There clearly are some serious vulnerabilities in seemingly benign distributed assets. Individually we may think that not much harm comes from a hacker knowing when our TV is on or when we run the washing machine.
“However, if too many people are content with ‘password’ as their password, the aggregated load of such devices being toggled on or off at the wrong time simultaneously could destabilise the system very quickly. 10% of households having their washing machine start at a system critical moment could be enough to cause serious problems.”
It likely depends on how it is implemented. With so little detail on cyber attacks in the public domain, it is hard for energy experts to plan.
What next
After a surge of activity over a couple of years, Dragonfly has effectively gone into hibernation since Symantec and US intelligence agencies started sounding the alarm last summer — but some in the cyber-security sector are warning of its return.
“We think that considering the amount of press and information that has been outed about Dragonfly they are currently retooling and will be back soon enough to continue their campaigns, possibly with new methods,” Thakur said.
Meanwhile, Dr Unal is concerned that cyber attacks from any source could end up leading to a serious international incident.
“What we should be worried about is what’s going to happen next — in the near future or when countries get into high geopolitical tensions. That is going to be something much bigger. It’s building up.”
It also gives the phrase ‘off-grid’ a whole new meaning.