{
	"id": "98599771-9d77-4a8f-af6a-61fcd1f4b902",
	"created_at": "2026-04-06T15:52:08.622749Z",
	"updated_at": "2026-04-10T03:36:24.63919Z",
	"deleted_at": null,
	"sha1_hash": "56f04a8a7bd6c924ba03ad6b1e3da546a791d1f8",
	"title": "Hackers Have Penetrated Energy Grid, Symantec Warns | Fortune",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44394,
	"plain_text": "Hackers Have Penetrated Energy Grid, Symantec Warns | Fortune\r\nBy Robert Hackett\r\nArchived: 2026-04-06 15:29:52 UTC\r\nHackers have been burrowing their way inside the critical infrastructure of energy and other companies in the U.S.\r\nand elsewhere, warns cybersecurity giant Symantec.\r\nIn a new report, Symantec (SYMC) claims that the threat of cyberattack-induced power outages in the west has\r\nelevated from a theoretical concern to a legitimate one in recent months. “We’re talking about activity we’re\r\nseeing on actual operational networks that control the actual power grid,” Eric Chien, technical director of security\r\ntechnology and response at Symantec, told Fortune on a call.\r\nReports surfaced over the summer of hackers targeting staff at nuclear energy facilities with phishing attacks,\r\ndesigned to steal login credentials or install malware on machines. The extent of the campaign as well as the\r\nquestion of whether the attackers had breached operational IT networks, rather than merely administrative ones,\r\nwas unclear at the time.\r\nSymantec is now erasing all doubt. “There are no more technical hurdles for them to cause some sort of\r\ndisruption,” Chien said of the hackers. “All that’s left is really motivation.”\r\nSymantec detailed its findings in a report released Wednesday morning. The paper tracks the exploits of a hacker\r\ngroup that Symantec has dubbed DragonFly 2.0, an outfit that the company says it has linked to an earlier series of\r\nattacks perpetrated between 2011 and 2014 by a group it dubbed DragonFly.\r\nAdam Meyers, vice president of intelligence at CrowdStrike, a billion-dollar cybersecurity startup, said his team\r\nhad been tracking the group, which it dubbed Berserk Bear, since 2015. 
He disputed Symantec’s attribution,\r\nsaying there is no reason to believe that DragonFly—nicknamed “Energetic Bear” by CrowdStrike—and\r\nDragonFly 2.0 (aka Berserk Bear) were linked.\r\nIn Meyers’ view, there’s not enough evidence to tie the two groups together, especially given that source code for\r\nsome of the malicious software used in the most recent attacks leaked in 2010, he said. In other words, anyone\r\ncould incorporate the code into their own hacking tools.\r\nMeyers did wager a guess about the origin of the attacks, however. “It’s likely a Russian actor targeting global\r\nenergy and related industries,” Meyers added, noting that the intrusions appeared to align with Moscow’s strategic\r\ninterests.\r\nThe most recent wave of attacks hit energy companies in the U.S., Turkey, Switzerland, Afghanistan, and\r\nelsewhere. The first phase began in December 2015 with a set of phony New Year’s Eve party invitations that\r\nwere actually boobytrapped emails. The intensity and frequency of attacks picked up this year, Symantec said.\r\nChien said Symantec had notified more than 100 companies in the U.S., Europe, and elsewhere about the attacks.\r\nEven if businesses remove the malware on their computers, the attackers might still be able to use stolen login\r\ncredentials to commandeer the corporate systems, he said.\r\nSuch an attack would echo tactics employed in Ukraine, where attackers infiltrated computers and caused a\r\ntemporary blackout at the end of last year.\r\nRob Lee, CEO of Dragos, a startup that protects critical infrastructure networks, told Fortune that he was, like\r\nMeyers, not sold on Symantec’s attribution work. “I’m not yet confident linking this to Dragonfly, but what\r\nSymantec highlights is a consistent and worrying trend of adversaries targeting U.S. industrial infrastructure,” he\r\nwrote in an email. 
“Our infrastructure is resilient so folks shouldn’t worry, but we do need to do more in the face\r\nof an aggressive adversary.”\r\nOther experts are more outwardly alarmed by the recent breaches. “We used to talk about what could a cyber\r\nattack do—it could shut down the power grid. That was all hypothetical,” Chien told Fortune. “Now we’re seeing\r\nactivity where, to be honest, if they wanted to disrupt something in the power grid, they could have done it\r\nyesterday.”\r\nBefore President Donald Trump took office, he vowed to conduct a sweeping review of the nation’s and federal\r\ngovernment’s cyber defenses. At the end of last month, a quarter of the president’s National Infrastructure\r\nAdvisory Council quit their advisory posts, saying that the president had devoted “insufficient attention” to\r\ncybersecurity threats to critical infrastructure.\r\nSource: http://fortune.com/2017/09/06/hack-energy-grid-symantec/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"http://fortune.com/2017/09/06/hack-energy-grid-symantec/"
	],
	"report_names": [
		"hack-energy-grid-symantec"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490728,
	"ts_updated_at": 1775792184,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56f04a8a7bd6c924ba03ad6b1e3da546a791d1f8.pdf",
		"text": "https://archive.orkl.eu/56f04a8a7bd6c924ba03ad6b1e3da546a791d1f8.txt",
		"img": "https://archive.orkl.eu/56f04a8a7bd6c924ba03ad6b1e3da546a791d1f8.jpg"
	}
}