DHS sorts through ‘mountain’ of data on energy cyberthreat

By Blake Sobczak | 07/14/2017 07:34 AM EDT

Department of Homeland Security specialists are in the “early” stages of decoding a sophisticated hacking campaign targeting energy, nuclear power and manufacturing firms this year, according to an official familiar with the case.

Department of Homeland Security specialists are in the "early" stages of decoding a sophisticated hacking campaign targeting energy, nuclear power and manufacturing firms this year, according to an official familiar with the case.

Mark Bristow, deputy division director for the Hunt and Incident Response Team [HIRT] at DHS’s National Cybersecurity and Communications Integration Center, said the agency had not identified any risk to public safety from the cyber incidents, which date back to at least May and were first reported by E&E News last month (Energywire, June 27).

Bristow said that there was so far nothing "abnormal or unusual" about the recent malicious activity but added that federal officials treat any such events as "a serious matter."

"We take even what might be considered reasonably mundane intrusions into corporate environments of critical infrastructure asset owners very seriously, in the event that this is just the first stage of an intrusion with an intention to cause physical damage or anything like that," Bristow said. "The challenge with [cybersecurity] is that the difference in time between an adversary just gaining access and poking around and attempting to have an effect or consequence can be very short. So we have to take it seriously from the beginning to ensure that public safety impact won’t — or can’t — be realized."

The recent hacking campaign relied on "spearphishing" emails to lure employees into clicking on a hijacked resume for a "controls engineer," according to multiple sources and documents. The hackers also booby-trapped webpages likely to be visited by power-sector workers in a "watering hole" attack, among other tactics.

The Washington Post reported Saturday that U.S. government officials have already linked the digital assailants to Russia (Energywire, July 10). The New York Times first disclosed last week that the Wolf Creek Nuclear Operating Corp. was among the companies affected by the breach.

A spokeswoman for the Kansas-based nuclear power facility declined to comment on security matters but said there has been no impact to safety systems. The Nuclear Regulatory Commission, which monitors safety and cybersecurity at the reactor level of nuclear power plants, said the case "is not related to the cyber assets under our regulations and oversight," indicating the cyberthreat never reached that tightly guarded level.

But were hackers aiming for nuclear operations?

Bristow declined to name targets or speculate on the adversary’s ultimate goals. But he offered a general warning about jumping to conclusions so early in any investigation.

"Even if you see something that’s targeted at control engineers, it doesn’t necessarily mean that they’re going after control systems — or it could," he said. "This is the challenge that we have: trying to make sense of a mountain of data and make assessments."

In a phone interview yesterday, he pointed out that "there’s a perception that because cyber moves so fast, that the investigation and the analysis also will move as fast — and that’s just not true."

Hunting for clues

DHS’s Hunt and Incident Response Team was launched last October to help identify and root out suspicious activity on key federal and private networks. The group of cybersecurity specialists was drawn from both the IT-focused U.S. Computer Emergency Readiness Team and the more operationally savvy Industrial Control Systems Cyber Emergency Response Team, where Bristow worked before leading HIRT.

Like most DHS cybersecurity offices, Bristow and his crew help critical infrastructure operators and government agencies on a voluntary basis. They may be called in to investigate after a suspected breach — the "incident response" part of the mission — or invited to simply "hunt" around on seemingly calm systems.

"Our bread and butter on both sides is looking for anomalies," Bristow said. "One of the scariest things I can have happen is one of my [team members] saying, ‘Huh, that looks strange.’"

He declined to detail the size of the team, citing security concerns, but noted that the group is readying itself to "rise to the challenge if something large-scale occurs."

The DHS branch housing HIRT was one of the few government offices spared budget cuts under President Trump’s fiscal 2018 proposal, and would instead see a boost of more than $50 million compared to 2017 levels (Energywire, June 1).

Bristow said that awareness of critical infrastructure security has grown since 2010, when news first emerged of the Stuxnet worm that damaged Iranian nuclear centrifuges in the late 2000s.

Now, he said his team encounters "constant activity" directed against critical infrastructure providers, but noted that fact alone isn’t cause for alarm.

"When people see any type of thing ‘cyber’ in interesting industries like energy or nuclear, they get very excited," he said. "It’s most important to keep a calm head. The lights stayed on yesterday — they were working, at least, here in Virginia. There is a whole cadre of dedicated professionals both in the government and private sector and academia who are working this issue."