Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits. Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cybercriminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years.
Over the past weekend, US officials solved at least part of that mystery, revealing to the Washington Post that the hackers behind the utility attacks worked for the Russian government. But that attribution raises a new question: Which of the Kremlin’s hackers groups attempted the power grid intrusions?
Russia, after all, is perhaps the only nation in the world with multiple known hacker teams that have targeted energy utilities for years. Each has its own techniques, broader focus, and motivation—and deciphering which group is behind the attacks could help determine the intended endgame of this latest infrastructure hacking spree, too.
As the cybersecurity world’s Kremlinologists seek those answers, here’s what we know about the groups that may have pulled it off.
The prime candidate among Russia’s array of hacker teams is a group of cyberspies most widely identified as Energetic Bear, but also known by names including DragonFly, Koala, and Iron Liberty. First spotted by the security firm Crowdstrike in 2014, the group initially seemed to indiscriminately hack hundreds of targets in dozens of countries since as early as 2010, using so-called “watering hole” attacks that infected websites and planted a Trojan called Havex on visitors’ machines. But it soon became clear that the hackers had a more specific focus: They also used phishing emails to target vendors of industrial control software, sneaking Havex into customer downloads. Security firm FireEye found in 2014 that the group breached at least four of those industrial control targets, potentially giving the hackers access to everything from power grid systems to manufacturing plants.
The group seemed at least in part focused on broad surveillance of the oil and gas industry, says Adam Meyers, Crowdstrike’s vice president of intelligence. Energetic Bear’s targets included everything from gas producers to firms that transported liquid gas and oil to energy financing companies. Crowdstrike also found the group’s code contained Russian-language artifacts, and that it operated during Moscow business hours. All of that suggests, Meyers argues, that the Russian government may have used the group to protect its own petrochemical industry and better wield its power as a fuel supplier. “If you threaten to turn off the gas to a country, you want to know how severe that threat is and how to properly leverage it,” Meyers says.
But security firms noted that the group’s targets included electric utilities, too, and some versions of Energetic Bear’s malware had the capacity to scan industrial networks for infrastructure equipment, raising the possibility that it could have not just collected industry intelligence, but performed reconnaissance for future disruptive attacks. “We think they were after control systems, and we don’t think there was a compelling intelligence reason for that,” says John Hultquist, who leads a research team at FireEye. “You’re not doing that to learn the price of gas.”
After security firms including Crowdstrike, Symantec, and others released a series of analyses of Energetic Bear’s infrastructure in the summer of 2014, the group abruptly disappeared.
Only one Russian hacker group has actually caused real-world blackouts: Cybersecurity analysts widely believe the hacker team called Sandworm, also known as Voodoo Bear and Telebots, carried out attacks on Ukrainian electric utilities in 2015 and 2016 that cut off power to hundreds of thousands of people.
Despite that distinction, Sandworm’s larger focus doesn’t appear to be electric utilities or the energy sector. Instead it has spent the last three years terrorizing Ukraine, the country with which Russia has been at war since it invaded the Crimean Peninsula in 2014. Aside from its two blackout attacks, the group has since 2015 rampaged through practically every sector of Ukrainian society, destroying hundreds of computers at media companies, deleting or permanently encrypting terabytes of data held by its government agencies, and paralyzing infrastructure including its railway ticketing system. Cybersecurity researchers including those at FireEye and ESET have also noted that the recent NotPetya ransomware epidemic that crippled thousands of networks in Ukraine and around the world matches Sandworm’s history of infecting victims with “fake” ransomware that offers no real option to decrypt their files.
But amidst all that chaos, Sandworm has shown a special interest in power grids. FireEye has tied the group to a series of intrusions on American energy utilities discovered in 2014, which were infected with the same Black Energy malware Sandworm would later use in its Ukraine attacks. (FireEye also linked Sandworm with Russia based on Russian-language documents found on one of the group’s command-and-control servers, a zero-day vulnerability the group used that had been presented at a Russian hacker conference, and its explicit Ukraine focus.) And security firms ESET and Dragos released an analysis last month of a piece of malware they call “Crash Override” or “Industroyer,” a highly sophisticated, adaptable, and automated grid-disurpting piece of code used in Sandworm’s 2016 blackout attack on one of the transmission stations of Ukraine’s state energy company Ukrenergo.
The hackers behind the fresh series of attempted intrusions of US energy utilities remain far more mysterious than Energetic Bear or Sandworm. The group has hit energy utilities with “watering hole” and phishing attacks since 2015, with targets as far-flung as Ireland and Turkey in addition to the recently reported American firms, according to FireEye. But despite broad similarities to Energetic Bear, cybersecurity analysts have not yet definitively linked the group to either of the other known Russian grid hacking teams.
Sandworm, in particular, seems like an unlikely match. FireEye’s John Hultquist notes that his researchers have tracked both the new group and Sandworm for several overlapping years, but have seen no common techniques or infrastructure in their operations. And according to the Washington Post, US officials believe Palmetto Fusion to be an operation of Russia’s secret services agency known as the FSB. Some researchers believe Sandworm works instead under the auspices of Russia’s military intelligence group known as the GRU, due to its focus on Russia’s military enemy Ukraine and some early targeting of NATO and military organizations.
Palmetto Fusion doesn’t exactly share Energetic Bear’s pawprints, either, despite a New York Times‘ report tentatively linking the two. While both target the energy sector and use phishing and water hole attacks, Crowdstrike’s Meyers says they don’t share any of the same actual tools or techniques, hinting that the Fusion operation may be the work of a distinct group. Cisco’s Talos research group, for instance, found that the new team used a combination of phishing and a trick using Microsoft’s “server message block” protocol to harvest credentials from victims, a technique never seen from Energetic Bear.
But the timing of Energetic Bear’s disappearance after its discovery in late 2014 and Palmetto Fusion’s initial attacks in 2015 remains suspect. And that timeline may provide one sign that the groups are the same, but with new tools and techniques rebuilt to avoid any obvious connection.
After all, a group of attackers as methodical and prolific as Energetic Bear doesn’t simply call it quits after having their cover blown. “These state intelligence agencies don’t give up because of a setback like that,” says Tom Finney, a security researcher with the firm SecureWorks, which has also closely tracked Energetic Bear. “We’ve expected them to reappear at some point. This might be it.”