The western energy sector is being targeted by a sophisticated attack group with links to Russia, according to a Symantec report.

The Californian security giant has pointed to a resurgence in attacks on the energy industry in Europe and North America, which it links to the re-emergence of cyber espionage group Dragonfly.

The initial Dragonfly group has been operating since 2011, but went through a quiet spell in 2014 after being exposed by researchers, including those at Symantec. However, the new report states that the group appears to have begun working again in late 2015, under the guise ‘Dragonfly 2.0.’

Symantec’s report is cautious on identifying these attackers as being definitely connected to Dragonfly’s previous form, but it does postulate strong links:  ‘While Symantec cannot definitively determine Dragonfly’s origins, this is clearly an accomplished attack group.’

It also notes that the Heriplor and Karagany Trojans were used by both the current and earlier Dragonfly campaigns. Symantec does not directly address the Russian connection to Dragonfly, but does note that some code strings in the malware were written in Russian – but also that others were written in French. According to the security firm, this suggests one of these languages is a ‘false flag.’

Previous reports by other security firms have explicitly identified the group as Russian, such as Crowdstrike, which identifies Dragonfly as ‘Energetic Bear’, and FireEye.

Symantec states that the group is now likely to have the ability to access and sabotage energy facilities systems should it choose to. Cyber-attack groups have become increasingly interested in energy facilities and companies in the last two years, according to the report.

The group uses a number of techniques to infect its targets, including malicious emails and Trojans. Symantec identifies Dragonfly 2.0’s earliest activity as an email campaign targeted at those in the energy sector masquerading as an invitation to a New Year’s Eve party.

A continued email campaign in 2016 contained some industry-specific information, and an attached document which, once opened, would attempt to leak the victim’s credentials to an outside server. As well as this, the group used what is known as ‘watering hole’ techniques, where they would carry out attacks on, and compromise, websites that were likely to be attacked by those in the energy industry.

VP of technology at security firm BeyondTrust, Morey J. Haber, commented: ‘As with many modern attacks, exploits that allow privileged escalation or the stealing of credentials are required by a threat actor in order to successfully breach an organisation. The security community has observed this with targeted attacks against the energy sector.’

‘Organisations need to protect all privileged access ensuring credential best practices are met.’