Electric utilities are grappling with the fallout from one of the most significant cyber intrusions in years, as the far-reaching impact of a sophisticated hacking campaign comes into sharper focus.
Four days after the supply chain cyberattack on IT service provider SolarWinds was revealed, details on its global victims — from federal agencies to oil and electricity companies — are still emerging (Energywire, Dec. 15).
The SolarWinds software hijacked by suspected Russia-linked hackers was widely used by U.S. power providers, experts say, leaving many companies scrambling to find out if they’re affected by the breach. And sources say a simple software update or patch won’t erase the threat from the "Sunburst" malware: Organizations targeted by the hackers will likely have additional malware installed that could be difficult to find.
"Any organization that says, ‘Yep, we got it solved. It’s all good,’ in the next 90 days: I would respectfully disagree," said Jim Guinn, global managing director for cybersecurity in energy, chemicals, utilities and mining at Accenture.
The number of agencies and organizations that may have been hit by the cyber espionage campaign is unclear. Reuters first reported that the Commerce, Treasury and Homeland Security departments were among those targeted. The list of agencies has since grown to include the State Department and the Pentagon, The New York Times reported, citing anonymous sources familiar with the ongoing investigations.
In a joint statement yesterday, DHS’s Cybersecurity and Infrastructure Security Agency, the FBI and the Office of the Director of National Intelligence said they have formed a "Cyber Unified Coordination Group to coordinate a whole-of-government response" to the hacking campaign.
"This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government," the agencies said.
The scope of customers that used SolarWinds ranges from government agencies to Fortune 500 manufacturers and power utilities. In an SEC filing, SolarWinds estimated that 18,000 or fewer customers downloaded the malicious update containing the Sunburst malware.
According to federal records, the Federal Energy Regulatory Commission and the Bureau of Ocean Energy Management had contracts with SolarWinds in recent years. It’s not clear if the Orion product was used and if those agencies downloaded the malicious update. The Department of Energy’s Sandia and Oak Ridge national laboratories also used SolarWinds, according to a now-deleted webpage listing the Austin, Texas-based IT firm’s customers.
DOE did not respond to requests for comment. FERC declined to comment. BOEM deferred comment to DHS, which is leading the federal response to the hack.
SolarWinds’ customer page also listed the New York Power Authority as a client. NYPA confirmed it uses SolarWinds products and said it is working in "close collaboration with our industry cybersecurity associations and government agencies" to determine the potential impact.
"Our thorough analysis has so far determined that there are no adverse impacts or exposures to our systems," an NYPA spokesperson said. "We continue to review our layered security controls to ensure that activities associated with this threat are appropriately blocked and we will take all necessary steps to secure our networks."
The scope of the breach has put utilities across the country on high alert. San Francisco-based Pacific Gas and Electric Co. told E&E News that it did not have SolarWinds products installed on its company networks, but "out of an abundance of caution we conducted an assessment and found no impacts or breach of our network resulting from this attack," a PG&E spokesperson said.
The Electricity Subsector Coordinating Council, whose energy industry CEO members help coordinate the U.S. response to grid emergencies, held a "situational awareness call" Monday on cyberthreats from SolarWinds.
Some critical infrastructure operators have already been hacked, according to cybersecurity companies. Industrial cybersecurity firm Dragos Inc. said that there are "industrial entities compromised in this campaign." Dragos has customers globally, and the company did not specify where the victims were based.
Fully rebuilding trust in IT systems is going to be a long haul, cybersecurity experts say, and rooting out the Sunburst malware is just the beginning.
The SolarWinds campaign began as early as March, according to cybersecurity firm FireEye Inc. and Microsoft Corp., meaning the hackers have had ample time to create additional backdoors and malware.
In a statement yesterday, a FireEye spokesperson said the company had discovered a "kill switch" in the Sunburst malware that can deactivate it. FireEye also said that, alongside Microsoft and domain registrar GoDaddy Inc., it had seized control of one of the internet domains used by the hackers to send commands to compromised computers.
However, FireEye warned that the hackers "moved quickly to establish additional persistent mechanisms to access victim networks" — and the kill switch won’t cut off those other backdoors.
"You’re talking about someone who broke into the Smithsonian and has been there for eight months looking and figuring out which are the most expensive pieces of art to steal," Accenture’s Guinn said.
Guinn said the biggest threat from the hacking campaign is not the Sunburst malware but the other potential backdoors that could have been installed. Utilities need to assume they’ve been compromised and proactively hunt for other possible cyberthreats, Guinn said — a painstaking process that could take months.
"Every one of the critical utilities globally that know that they have used these software packages … need to take this very seriously. I would even say to the extent it would be as if it was a massive outage," Guinn said.
That level of network analysis could prove difficult for utilities that lack cybersecurity resources, experts noted.
"Not all organizations are equipped for this, not all of them have the talent to do this, or the tools to do this, or the time to do this," said Patrick Miller, managing partner at Archer Energy Solutions LLC and a former auditor for the North American Electric Reliability Corp., which sets and enforces U.S. grid cybersecurity standards.
One silver lining for some smaller utilities, Miller noted, is the fact that the malware infected up to 18,000 organizations. The hackers would have had to prioritize the biggest targets, Miller said, and smaller utilities with 25 employees may not have been worth the effort.