Data security firm Symantec has been sounding alarm bells with reports of an ongoing cyber espionage campaign by a group dubbed Dragonfly aimed primarily at the energy sector. The group’s initial targets were defense and aviation companies in the U.S. and Canada, but in early 2013 the focus shifted to U.S. and European energy firms. According to Symantec, Dragonfly has managed to compromise a number of strategically important organizations for spying purposes and could potentially damage or disrupt energy supplies.
A disruption to parts of the U.S. energy grid could be disastrous and put data center providers and customers through some rough times. While data centers generally have multiple layers of infrastructure redundancy and backup power supplies to ride out utility outages, prolonged grid-power interruptions could lead to data center outages.
The Dragonfly group has a range of malware tools at its disposal and could launch attacks in multiple ways. Also known as “Energetic Bear,” it has been in operation since at least 2011. Symantec says it bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. Based on an analysis of when they attack, the company says the attackers are likely based in Eastern Europe.
The group started by planting malware in phishing emails sent to personnel at target firms. It moved on to watering-hole attacks, compromising websites likely to be visited by energy-sector employees and serving exploit kits from them. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different industrial control system (ICS) equipment manufacturers. Two of them were identified as MB Connect Line, a German maker of industrial routers and remote-access appliances, and eWon, a Belgian firm that makes virtual private network software used to access industrial control devices. The third vendor has not been identified. Companies that downloaded the Trojanized software updates for computers running ICS equipment installed the malware along with them.
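The third phase above works only because the downloaded installer is trusted as-is. The check a defender would want is to compare the package against a digest obtained through a separate channel before it ever reaches an ICS workstation. The following is an added example, not code from the article or from either vendor named in it: the vendor name, file name, manifest and installer bytes are all constructed for illustration, and the manifest is assumed to have been fetched out of band (or from a signed release note) rather than from the same download page.

```python
import hashlib
import hmac
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: what the genuine installer bytes would be, and a copy
# that has had an extra component appended to it (the shape of a Trojanized
# bundle). Neither is real vendor data.
GENUINE_INSTALLER = b"ICS-CONFIG-TOOL v1.2 -- constructed sample installer bytes"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00EXTRA-DROPPED-COMPONENT"

# Hypothetical vendor manifest: file name -> expected SHA-256, assumed to have
# been obtained through a channel separate from the download itself.
VENDOR_MANIFEST = {
    "ics-config-tool-1.2.exe": sha256_hex(GENUINE_INSTALLER),
}


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def verify_download(filename: str, data: bytes, manifest: dict) -> VerifyResult:
    """Accept a downloaded package only if its digest matches the manifest.

    Unknown file names are rejected rather than ignored, because an attacker
    who can swap the installer can also add files the vendor never shipped.
    """
    expected = manifest.get(filename)
    if expected is None:
        return VerifyResult(False, f"{filename} is not listed in the manifest")
    actual = sha256_hex(data)
    # Constant-time comparison; harmless here but the right habit for digests.
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(
            False,
            f"digest mismatch for {filename}: expected {expected[:12]}..., got {actual[:12]}...",
        )
    return VerifyResult(True, f"{filename} matches the manifest digest")


def check_all(downloads: dict, manifest: dict) -> dict:
    """Verify a batch of downloaded packages; returns {filename: VerifyResult}."""
    return {name: verify_download(name, data, manifest) for name, data in downloads.items()}


if __name__ == "__main__":
    # Constructed batch: one clean package, one tampered copy under a second
    # name, and one file the vendor never published.
    downloads = {
        "ics-config-tool-1.2.exe": GENUINE_INSTALLER,
        "ics-config-tool-1.2-mirror.exe": TAMPERED_INSTALLER,
        "ics-config-tool-1.3-beta.exe": GENUINE_INSTALLER,
    }
    for name, result in check_all(downloads, VENDOR_MANIFEST).items():
        status = "OK     " if result.ok else "REJECT "
        print(status, result.reason)
```

The check is only as good as the channel the manifest came from: a digest published beside the download on a compromised site will simply be updated to match the Trojanized file, which is why the example treats the manifest as a separately obtained input and why a vendor signature over the manifest (verified with a pinned key) is the stronger form of the same control.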
The previous major malware campaign to target ICS equipment was Stuxnet, which was aimed specifically at Iran’s nuclear program with the goal of sabotaging it. Dragonfly’s goals are broader: its immediate focus is espionage and persistent access, with sabotage as an option down the line.
Anything connected to the Internet
Ron Bradburn, director of technology for Vancouver-based data center provider Peer 1 Hosting, says anything connected or able to connect to the Internet is vulnerable to attacks by such a sophisticated group. “What I found interesting about all of this is the possible linkage to state-sponsored espionage, the level of sophistication that these groups are exhibiting, and the growing concerns in the marketplace to privacy and security,” he says. “The scale of this event is quite large, and the adept way they leveraged different attack vectors makes it well organized and strategic in nature.”
Long-term utility outages real threat to data center uptime
It would be difficult to use the tactics employed against utilities to create data center outages directly, but data centers rely on utilities for long-term power supply. “I don’t think data centers themselves could be as attackable as utilities because many of the building management systems run off the Internet,” says Vincent Rais, who does business development at EvoSwitch, an Amsterdam-based service provider. “There’s no remote turning on and off for most data centers.”
Jason Yaeger, of Ann Arbor, Michigan-based Online Tech, however, says, “The scary truth is that the data center industry is not as prepared for this kind of electrical grid scenario as clients expect our industry to be. That’s because not all data center and cloud companies have the kinds of systems and protocols in place to be prepared for a lengthy power outage.”
ITC Holdings, a major utility serving Michigan, where Online Tech’s data centers are, recently filed a cyber-attack incident report, but later said it was a false alarm. Two other utilities, Duke Energy and NRG Energy, each filed a report last year detailing suspected cyber attacks. Duke isolated and removed several computers from the rest of the company’s systems, and all of their software was stripped, reinstalled and tested again.
The only way for data center operators to maintain uptime during prolonged utility outages is to sign fuel delivery contracts with multiple vendors to keep their backup generators running.
Mike Terlizzi, executive vice president of engineering and construction at New York-based Telx, said, “When we set up our [fuel] contracts we figure out logistically how they fulfill their SLAs.” If a distributor’s fuel truck has to cross a river to get to a data center, for example, there has to be a contract with another distributor whose trucks have a path without a river in the way.