A sophisticated group of hackers has taken aim at U.S. energy, nuclear and manufacturing firms in recent weeks, according to multiple sources.
The North American Electric Reliability Corp. has warned grid operators about an "advanced persistent threat," which is jargon for a well-resourced hacking campaign typically backed by a nation-state.
The online attackers used booby-trapped websites and email attachments to target the electricity industry and "other critical sectors" in the United States and globally, according to a nonpublic version of the alert reviewed by E&E News.
The NERC alert came on the heels of a separate report on the same hacking campaign from the Department of Homeland Security and FBI. Reuters reported Saturday on that document, which outlined active hacking threats to the nuclear, electricity and manufacturing industries, among others.
The New York Times reported late yesterday that Wolf Creek Nuclear Operating Corp. was among the companies targeted by the hacking campaign. That company, jointly owned by three different energy firms, runs a nuclear power facility near Burlington, Kan.
E&E News first reported last month about a series of cybersecurity breaches affecting multiple nuclear power generation sites in the United States, dubbed "Nuclear 17" (Energywire, June 27). While the extent of those intrusions could not be verified, E&E News confirmed that the cases are related to the broader malicious campaign implicating not just nuclear power facilities but also manufacturers, engineering firms and even a small construction services vendor, dating back to at least May.
When asked about the nuclear breaches late last month, Wolf Creek spokeswoman Jenny Hageman declined to comment on security-related matters. She again declined to comment on security issues in an email last night, "except to confirm there has been absolutely no operational impact to Wolf Creek."
"The reason that is true is because the operational computer systems are completely separate from the corporate network," she said. "The safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the internet."
The plant is operating safely, she said.
How the hackers work
Many of the bogus "phishing" emails in the far-reaching hacking campaign purported to come from a construction company that does business with the electricity sector, and had a "CV/resume theme," the NERC alert noted. Unsuspecting employees who clicked through to the attached Word document would risk having their computers compromised and their login credentials whisked away.
The hackers also relied on a "watering hole," the document warned, referring to a technique in which attackers plant malicious code on a website likely to be visited by industrial workers.
The NERC alert describes how attackers could have used a foothold on targeted networks to siphon off employee data sent along the popular SMB Microsoft protocol, then "brute force" encrypted usernames or passwords, ultimately using them to log in to targeted networks and move laterally to other computers.
The NERC document references a separate report by iSIGHT Intelligence, a subsidiary of cybersecurity firm FireEye. ISIGHT declined to provide E&E News with a copy of that report.
But Sean McBride, critical infrastructure lead analyst for iSIGHT, confirmed in an email that the company has "observed watering holes and phishing-style offensives that appear to target energy companies." That includes engineers who could possess product or facility designs and have access to industrial control networks.
However, he added that "some weaponized documents had no obvious connection to the energy sectors."
McBride said that the tactics employed by the hackers are consistent with "state-nexus adversaries, though we do not yet attribute this activity to a particular group."
He added that the firm is not yet prepared to discuss "overall attacker objectives," given that stealing credentials through SMB "represents only a small portion of the entire attack chain."
Industry, government respond
Scott Aaronson, executive director for security and business continuity at the Edison Electric Institute, which represents many of the biggest investor-owned utilities, said the hacking campaign has brought "no impact" to systems controlling the North American energy grid.
"Security professionals from industry and government are working closely to share potential indicators of compromise so energy grid operators can defend their systems," he said.
Aaronson added that the latest cyberthreat is not related to recent outbreaks of ransomware, a type of malware that locks up victims’ computer files and holds the key hostage (Energywire, June 30). Nor is it tied to "CrashOverride," a first-of-its-kind hacking tool that researchers have linked to a brief power outage in Ukraine late last year (Energywire, June 13).
Instead, the attempted phishing and watering hole intrusions add a new entry to a growing list of cyberthreats keeping U.S. grid operators on their toes. So far, hackers aren’t known to have succeeded in physically disrupting any part of the U.S. power grid, though operators say they aren’t taking any chances.
Aaronson said that "following the cyberattacks that impacted grid operations in Ukraine" in 2016 and the previous year, private-sector and federal groups have worked "to learn and apply lessons to enhance defenses for the North American energy grid."
Those organizations include the Electricity Subsector Coordinating Council, a group of 30 high-ranking energy industry executives who meet regularly with government officials to discuss grid threats and vulnerabilities, and the Electricity Information Sharing and Analysis Center, the NERC division that distributed last week’s alert to members.
It’s not yet clear what the hackers were after — disruption, espionage or some other endgame.
"Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict," last week’s DHS and FBI report said, according to Reuters.
A DHS spokesman said last night that the agency and FBI are "aware of a potential cyber intrusion affecting entities in the energy sector" but emphasized that "there is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks."
None of the dozens of federal workers, utility representatives and cybersecurity experts contacted by E&E News in recent weeks offered any clues as to where the nuclear-focused hackers may be based.
Robert Lee, CEO of industrial cybersecurity firm Dragos Inc., took to Twitter last night to caution against drawing too many conclusions about the hacking campaign’s origins.
"The details of the case aren’t even public yet," he wrote. "Half of this is gossip theater. Attribution is NOT POSSIBLE yet."