The emerging threat of cyber espionage in the energy sector: The case of Dragonfly

Dominica Giantas

 

The 21st century witnessed the development of a new public space: cyberspace. Its emergence welcomed new forms of transactions and interactions among individuals, governments, states and entities. At the same time, it favored the rise of new cyber threats, such as cyber espionage. Cyber espionage is becoming one of the priorities on many governments’ agendas for cyber security and cyber defense. In recent times, cyber espionage has taken on a new urgency for the energy sector of many countries and for companies which do business in the energy industry. In light of these circumstances, it is important to explore some of the factors which spark off the emergence of this cyber threat in the energy sector.

Firstly, the emergence of the threat which cyber espionage is progressively posing to the energy sector is directly linked to the increasing importance of energy for the security, growth and prosperity of states and their citizens. In other words, the energy sector has become an attractive target for spies. Secondly, the interconnection of economic activities and infrastructure in many sectors, including the energy sector, and the digitalization of industry, including the energy industry, are escalating. This enables spies to explore new possibilities of attack, use sophisticated methods based on new technologies and discover a new realm of espionage, the cyber one. Thirdly, the case of Dragonfly demonstrates that cyber espionage is often a state-sponsored operational foundation, a prerequisite for the potential sabotage or destruction of opponents. In other words, cyber espionage on the energy sector is a new weapon for some states.

To begin with, energy today, as never before, has a crucial importance for every country in the world. It constitutes the main “fuel” for social and economic development.[1] Firstly, energy is vital for citizens and residences in their everyday life and activities. For example, heating our homes, lighting, air conditioning, cooking, electrical appliances and water heating are all functions that require energy. Moreover, among the consumers of energy are also profit-seeking and nonprofit enterprises engaged in commercial-scale activity, such as retail stores, office buildings, government buildings, restaurants, hotels, schools, hospitals, and leisure and recreational facilities.[2] Energy consumption by the commercial sector also includes energy consumption for street and other outdoor lighting, and for water and sewage treatment.[3] Therefore, the main enterprises and institutions of a country need energy to function properly and continuously and to provide users with goods or services on a daily basis.

What is more, energy has great importance for the industrial sector of each country. Specifically, energy resources such as gas, petroleum and propane constitute the foundation for the development of many industries, including manufacturing, construction, mining, farming, fishing, and forestry. Furthermore, energy is fundamental for the transportation sector. Specifically, road, rail, sea and air transport depend on energy products.[4] Generally, energy is required to meet basic human needs and is an input for most productive processes in primary sectors, industry and services. Given the importance of energy resources and infrastructure for the stability, development, well-being and high living standards of each country, it becomes clear that this sector has an increasing appeal to cyber spies.

Espionage, state-sponsored or through other entities, constitutes a serious threat to the energy sector. Cyber spying groups can utilise cyberspace to obtain data, sensitive information, intellectual property, secrets, formulas, marketing strategies, plans and future projects, customer information and information on the R&D of the main businesses in the energy sector. In this way, the companies and energy sectors of competitors can gain an economic and technological advantage. They can progressively become more competitive in the global energy market, use the gathered information for better deals with clients and the provision of better quality services, or even reach new levels of innovation and research. Meanwhile, in today’s world information has increasing worth in terms of economic rivalry and the technological race and leadership between states.

Another factor which contributes to the emergence of cyber espionage in the field of energy involves the increasing convergence of the energy sector and cyberspace. The diffusion of telecommunications, the Internet and computer networks has undeniably affected the energy sector. Energy infrastructure is composed of complex industrial environments usually underpinned by industrial control systems (ICS).[5]

Furthermore, specific parts of the energy industry are becoming more cyber-dependent. For example, mining and production centers, logistics or trading platforms, transport infrastructures of primary resources, smart grids, processing units, consumption meters and control systems are exposed to damage originating in cyberspace.[6] The interconnected nature of energy infrastructure and the digitalization of the energy industry have unfolded a new spectrum for espionage. Henceforward, the more technologically driven the energy sector becomes, the more sources of vulnerability to cyber espionage may occur. The targets of a possible cyber espionage attack may multiply, and the tradecraft can become more sophisticated, causing bigger concerns for national and global security.

Thirdly, the emergence of cyber espionage in the energy sector is a part of the new possibilities of warfare that states seek. Rosa Kariger, chief information security officer for Iberdrola, mentions that “These kinds of threats are increasing as cyber sabotage, or even cyber warfare, is becoming more and more the weapon of choice for state- or terrorist-sponsored groups”.[7] Cyber espionage is potentially evolving into a considerable practice for states in terms of their geopolitical antagonism. Taking into account the vital role of the energy sector in state security and prosperity, the exploitation of cyber espionage techniques for the sabotage of competitors’ or adversaries’ energy sectors is possible.

To be more specific, state-sponsored spying groups can use cyber methods to cause disruption of energy services and damage to the energy infrastructure, cables, grids, and control systems of other countries. In consequence, cyber espionage puts the stability, economic prosperity, security and well-functioning of a state in real danger. For example, Denial of Service attacks would cause loss of availability and generate delays for critical energy services and related infrastructures, such as the power grids.[8]

Some recent cyber espionage attacks support this view. The best example is the case of Dragonfly. Dragonfly is a cyber espionage group which started its activity in 2011 with attacks on defense and aviation companies in the USA and Canada. In early 2013, however, the group shifted its target and focused on conducting cyber espionage campaigns against the energy firms and infrastructure of some European countries and the USA.[9] This turnaround may be related to the growing prioritisation of energy infrastructure and security on states’ agendas. At the same time, such attacks coincide with escalating geopolitical tensions between countries.[10] Symantec notes that since 2015 the group has launched a new “Dragonfly 2.0” campaign.[11] Dragonfly uses cyber espionage methods both for intelligence gathering and for sabotaging systems.[12] Andrea Little Limbago suggests that the campaign reflects an escalation from general intelligence gathering towards deeper and more specific access to the energy sector and reconnaissance on control systems, which are necessary for potential sabotage.[13]

By using infection vectors including malicious emails, watering hole attacks and Trojanized software, the group has gained access to the energy sector and industrial control systems (ICS), particularly those based in Europe and in the USA.[14] Among the targets of Dragonfly were also energy grid operators, major electricity generation firms, petroleum pipeline operators, and equipment manufacturers. Moreover, Symantec states that other victims were located in Spain, France, Italy, Germany, Turkey, and Poland.[15] This access could be used for disruptive purposes in the future.

Dragonfly displays a high degree of technical capability, uses sophisticated tools and is well resourced.[16] This is a sign that Dragonfly is a state-sponsored cyber espionage group which promotes certain national interests. Since 2014, there have been remarks that the group is linked to the Kremlin.[17] In March 2018, US authorities officially warned of Russian government cyber activity targeting energy and other critical infrastructure sectors and identified Dragonfly as an actor related to these activities.[18]

For Russia, energy is an essential part of power politics and a weapon against European countries.[19] Russian authorities capitalize on the fact that some European countries, such as Estonia, are energy-dependent on Russian exports. Johnson and Gramer also point to Moscow’s use of energy exports as a geopolitical cudgel and to the threat of a cutoff posed by Russia, which gives it political leverage.[20] Additionally, Stephen Blank remarks that “these attacks on U.S. and European political and economic actors and institutions fit in with Moscow’s larger strategy of subverting governments and unnerving potential opponents.”[21] However, Russia is not the only case of state-sponsored cyber espionage. Paganini also suggests that cyber espionage attacks originate from China and Israel.[22] Lastly, FireEye reported Iranian cyber espionage actions against the energy sector of its adversaries.[23]

 

Significantly, a future trend in intergovernmental relations pertains to a more frequent exploitation of methods such as cyber espionage, since they could provide a state with a competitive advantage, fortified power and an economic and technological lead in the global arena. As competition in the energy sector is reinforced, geopolitical tensions remain high and cyberspace continues its worldwide expansion, cyber espionage will surely not abate.

 

All in all, one of the emerging national and global energy security threats is cyber espionage on the energy infrastructure and industry. The gradual appearance of this menace derives from three factors, which interact and interconnect. The vital role of energy in the prosperity, security and economic growth of a state was clarified and conceptualised by governments long ago. The reliable, uninterrupted, safe, stable and affordable provision of energy sources is one of the main objectives on many states’ political agendas. But in today’s highly interconnected and digitalised world, energy security is put in danger, as states explore new methods of gaining political and economic merits and reaching an advantageous position in the global competition in energy markets. As the recent case of Dragonfly shows, cyber espionage has growing potential as a new weapon, and its use against the energy sector and infrastructure is already highly noticed.

 

EDITOR: SOFIA TZAMARELOY, Intelligence Research Team Coordinator.

 

[1] World Energy Council (2013). World Energy Resources. Retrieved from: https://www.worldenergy.org/wp-content/uploads/2013/09/Complete_WER_2013_Survey.pdf

[2] U.S. Energy Information Administration. (2016). International Energy Outlook. Retrieved from: https://www.eia.gov/outlooks/ieo/pdf/buildings.pdf

[3] U.S. Energy Information Administration. (2018, May 3). How much energy is consumed in U.S. residential and commercial buildings. Retrieved from: https://www.eia.gov/tools/faqs/faq.php?id=86&t=1

[4] Bergasse, E. (2013, February). The relationship between energy and economic and social development in the southern Mediterranean. MEDPRO Technical Report, 27. Retrieved from: https://www.files.ethz.ch/isn/161565/MEDPRO%20TR27%20Bergasse%20Energy%20Supply%20and%20Demand%20Policies%20and%20Development%20rev.pdf

[5] Energy Pact Foundation. (2014, October 10). CYBERSPACE, ENERGY & DEVELOPMENT: Protecting Critical Energy Infrastructure. Retrieved from: https://www.energypact.org/cyberspace-energy-development/

[6] Energy Pact Foundation. (2014, October 10). CYBERSPACE, ENERGY & DEVELOPMENT: Protecting Critical Energy Infrastructure. Retrieved from: https://www.energypact.org/cyberspace-energy-development/

[7] https://www.ft.com/content/1fc89bd8-996c-11e7-8c5c-c8d8fa6961bb

[8] Energy Pact Foundation. (2014, October 10). CYBERSPACE, ENERGY & DEVELOPMENT: Protecting Critical Energy Infrastructure. Retrieved from: https://www.energypact.org/cyberspace-energy-development/

[9] Paganini, P. (2017, September 7). Dragonfly 2.0: the sophisticated attack group is back with destructive purposes. Security Affairs. Retrieved from: http://securityaffairs.co/wordpress/62782/hacking/dragonfly-2-0-campaigns.html

[10] Limbago, A. L. (2017, September 6). The Escalation of Destructive Attacks: Putting Dragonfly in Context. Endgame. Retrieved from: https://www.endgame.com/blog/technical-blog/escalation-destructive-attacks-putting-dragonfly-context

[11] Symantec. (2017, October 20). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved from: https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

[12] Symantec. (2017, October 20). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved from: https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

[13] Limbago, A. L. (2017, September 6). The Escalation of Destructive Attacks: Putting Dragonfly in Context. Endgame. Retrieved from: https://www.endgame.com/blog/technical-blog/escalation-destructive-attacks-putting-dragonfly-context

[14] Symantec Security Response. (2014, July 2). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Security Response. Retrieved from: http://www.scadahackr.com/library/Documents/Cyber_Events/Symantec%20-%20Security%20Response%20-%20Dragonfly%20v1.2.pdf

[15] MSS Global Threat Response. (2014, June 30). Emerging threat: Dragonfly/Energetic Bear – APT Group. Symantec. Retrieved from: https://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group

[16] MSS Global Threat Response. (2014, June 30). Emerging threat: Dragonfly/Energetic Bear – APT Group. Symantec. Retrieved from: https://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group

[17] Paganini, P. (2017, September 11). Dragonfly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again. InfoSec Institute. Retrieved from: http://resources.infosecinstitute.com/dragonfly-2-0-alleged-nation-state-actor-hit-energy-sector/

[18] United States Computer Emergency Readiness Team. (2018, March 15). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved from: https://www.us-cert.gov/ncas/alerts/TA18-074A

[19] Collins, G. (2017, July 18). Russia’s Use of the “Energy Weapon” in Europe. Rice University’s Baker Institute for Public Policy. Retrieved from: https://www.bakerinstitute.org/media/files/files/ac785a2b/BI-Brief-071817-CES_Russia1.pdf

[20] Johnson, K. & Gramer, R. (2017, December 12). Congress Weighs Threat of Moscow Wielding the Energy Weapon. Foreign Policy. Retrieved from: http://foreignpolicy.com/2017/12/12/congress-weighs-threat-of-moscow-wielding-the-energy-weapon-russia-pipeline-politics-nord-stream-two-europe-natural-gas-l-n-g-senate-europe/

[21] Blank, S. (2017, October 17). Russia has weaponized the energy sector in war against the West. The Hill. Retrieved from: http://thehill.com/opinion/international/355742-russias-has-weaponized-the-energy-sector-in-war-against-the-west

[22] Paganini, P. (2012, September 27). Cyber espionage on energy sector, Chinese hackers are not only. Security Affairs. Retrieved from: http://securityaffairs.co/wordpress/8951/malware/cyber-espionage-on-energy-sectorchinese-hackers-are-not-the-only.html

[23] O’Leary, J., Kimble, J., Vanderlee, K. & Fraser, N. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. FireEye. Retrieved from: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html