Hackers who’ve been unleashing attacks on at least 50 oil- and energy companies in Norway recently are using a program called “Crouching Yeti,” which can be used to sabotage industrial systems. Those behind the program also use the name “Energetic Bear,” but no one can say for sure where they’re based.
Newspaper Dagens Næringsliv (DN) reported over the weekend that the hackers also use the names “Havex” and “Dragonfly,” and have earlier attacked energy companies in several other countries, all of them members of the defense alliance NATO.
Espionage and sabotage
“What’s special about them (the hackers) is that they don’t only steal information from employees’ computers, but they also search through the network for industrial management systems,” Jan Roger Wilkens, an analyst in Telenor’s security center, told DN. That, he noted, opens up the possibility for both industrial espionage and sabotage.
“If they had been able to use their sabotage capacity, they could have damaged or disrupted energy supplies in the countries that were attacked,” security firm Symantac wrote last summer, before the latest wave of attacks in Norway. Statoil and several other Norwegian companies managed to fend off the attacks they were warned about by national security authority NSM (Nasjonal sikkerhetsmyndighet).
Symantec mentioned seven countries, all members of NATO, that had been attacked so far, including the US, Spain, France, Germany, Turkey and Poland, and now Norway. The attacks began in 2011 and are directed at oil companies, operators of energy networks and other power and energy equipment producers.
“We were able to warn about the attacks early, and that may have had a preventive effect,” Hans Christian Pretorius of NSM told DN. NSM said its warnings to a total of 300 companies constituted its largest ever regarding a cyber attack.
Pretorius said he was fairly confident the attacks had been stopped, given feedback he’d had from Norwegian companies targeted. Among them was a confirmed attack against Statnett in Norway, while waterways and energy agency NVE was also on the alert. NVE, for example, is in charge of Norway’s dams and hydroelectric power system.
DN reported that many have speculated who is actually behind “Energetic Bear,” with Russians often mentioned. The hackers are believed to be backed by considerable resources, but Pretorius wouldn’t be drawn on possible culprits. Cyber attacks occur “all the time,” he noted, against all machines hooked up to the Internet.
Symantec thinks “Energetic Bear” has taken over for “Stuxnet,” which mounted a major sabotage attack against the Iranian nuclear reactor in 2010. It was believed to be the first attack on industrial management systems, and delayed Iran’s nuclear atomic program, reported DN.