A sophisticated group of hackers has targeted U.S. nuclear plants in a wide-ranging hacking campaign since at least May, according to multiple U.S. authorities.
The hackers tried to steal usernames and passwords in the hope of burrowing deep into nuclear power networks, in addition to other utility and manufacturing targets.
But the Department of Homeland Security, the FBI, sources familiar with the ongoing investigation and nonpublic government alerts told E&E News that heavily guarded nuclear safety systems were left unscathed by any recent cyber intrusions. Experts say the evidence so far points to a remote threat that, while advanced, likely could not have leaped from corporate business networks to the critical but isolated computer networks keeping nuclear reactors operating safely.
Still, the question that lingers is, who did it?
Suspicion has fallen on hackers with ties to Russia, in part because of past intrusions into U.S. companies and for Russia-linked attacks on Ukraine's power grid in 2015 and 2016.
Ukrainian security services laid the blame for the grid hacks at Russian President Vladimir Putin's feet. Several private U.S. cybersecurity companies have also drawn links between energy industry-focused hacking campaigns with names like "Energetic Bear" back to Russian intelligence services.
The Washington Post reported Saturday that U.S. government officials have already pinned the recent nuclear cyber intrusions on Russia.
Analysts remain quick to tamp down assertions that Russia's fingerprint on the latest attack is a sure thing.
Without mentioning any nation-state by name, former Energy Secretary Ernest Moniz noted on Twitter that "these 'advanced persistent threats' have long worried U.S. intelligence officials — and recent events prove they are very real."
Referencing reports of the recent nuclear cyber incidents, he added, "These breaches make plain that foreign actors are looking for ways to exploit US grid vulnerabilities. We saw this coming."
If U.S. intelligence agencies confirm Russian security services were involved in the attack on nuclear plants, tensions with Moscow could escalate. In a Twitter comment that attracted bipartisan ridicule, President Trump yesterday morning said that he and Putin had agreed to create an "impenetrable Cyber Security unit" to guard against hacking, only to apparently reverse his position hours later and suggest such an arrangement "can't" happen.
The FBI, the Office of the Director of National Intelligence and the CIA, among other intelligence groups, have already concluded that Russia's government supported a hacking campaign aimed at influencing the outcome of last year's U.S. presidential election. Throughout the campaign and the first months of his presidency, Trump has demurred over the level of Russia's involvement in malicious activity directed against the U.S., particularly with regard to the election.
Trump has called for stronger cybersecurity for critical infrastructure such as the power grid. But his critics are pointing to both the notion of a joint U.S.-Russia cyber unit and the administration's proposed budget cuts to agencies responsible for energy cybersecurity.
"It's not the dumbest idea I've ever heard, but it's pretty close," Sen. Lindsey Graham (R-S.C.) said of the joint U.S.-Russia cyber unit.
Sen. Maria Cantwell (D-Wash.), ranking member of the Senate Energy and Natural Resources Committee, reiterated her calls for the White House to assess energy-sector cyber vulnerabilities and abandon proposed budget cuts at the Department of Energy. "The disturbing reports of the past 24 hours indicate that our adversaries are trying to take advantage of the very real vulnerabilities of our energy infrastructure's cyber defenses," she said Friday.
Drawing from the Ukraine playbook
In 2015, a group of hackers set sights on several Ukrainian electric distribution companies. The intruders broke into the utilities' business networks with "phishing" emails designed to lure employees into clicking on a document laced with malware.
From there, the attackers mapped out their victims' computer systems, even gaining access to the virtual private network utility workers used to remotely operate parts of Ukraine's electric grid.
On Dec. 23, 2015, after months of waiting and spying, the hackers struck, logging onto the operational network and flipping circuit breakers at electric substations. They succeeded in cutting power to several hundred thousand Ukrainian citizens for a few hours in what became the first known cyberattack on a power grid in the world.
At first glance, the latest nuclear hackers appear to have drawn from the same playbook.
They used a "fairly creative" phishing email to gain a foothold on targeted networks, according to Craig Williams, senior technical leader and global outreach manager for Cisco Talos, a cybersecurity research division of Cisco Systems Inc.
Instead of stowing malware in the Word document itself, the hackers tweaked a control engineer's résumé into beaconing out to a malicious server via a Microsoft communications protocol called Server Message Block. The cyber intruders could then swipe fragments of SMB traffic containing the victims' login information to set up an authorized connection to the targeted network and move on from there, Williams explained.
The technique points to "attackers who are dedicated and who've done their research," he noted.
While Williams said Cisco had detected a variety of energy companies hit by the phishing emails, he pointed out that "the nuclear sector is extremely hardened."
Nuclear power plant operators have to abide by their own set of cybersecurity rules established by the Nuclear Regulatory Commission. Following its most recent cybersecurity audits in 2015, the NRC reported "several very low security significance violations of cyber security plan requirements."
None of those violations could have resulted in an imminent threat to nuclear safety, the regulator said.
The NRC plans to ramp up cybersecurity inspections later this year. The agency has declined to comment on reports of the recent cyber breaches at nuclear power generation sites.
Nuclear power companies have had to account for the possibility of a cyberattack on their safety systems since 2002, according to NRC guidance.
Electric utilities typically adhere to a three-step model for protecting their most sensitive systems from hackers. At a basic level, this setup involves an information technology network — such as a utility's internet-connected corporate headquarters — and an operational network that includes grid control systems. Companies typically add a third layer or "demilitarized zone" bridging those two sides of the business, replete with firewalls, cybersecurity technologies and other safeguards.
Nuclear operators add at least two more layers to that model, drawing lines among the public internet, the corporate network, onsite local area networks, industrial "data acquisition" networks and, finally, the core safety system overseeing radioactive materials, based on government guidelines.
In the U.S., safety systems are often still "analogue," having originally been built in the 1980s or earlier, before the recent spread of web-connected technologies.
Within that last, critical zone — Level 4 in nuclear industry parlance — tight physical controls prevent phones and USB drives from getting in; and operational data is designed to flow only outward through "data diodes," with no potential for online commands to enter from the public internet or even the site's own local area network.
"Anybody ever reports that somebody got a connection from the internet directly or indirectly into the heart of a nuclear control system is either full of crap, or is revealing a massive problem with some particular site, because there should be physically no way for that to actually be possible," said Andrew Ginter, vice president of Waterfall Security Solutions, which markets one such "unidirectional gateway" or data diode to the U.S. nuclear sector. "To me, it's almost inconceivable."
Marty Edwards, managing director of the Automation Federation, who until last month headed a team of industrial control security specialists at DHS, generally agreed that a remote connection would be nearly impossible to achieve. "When we tested those kinds of [one-way] devices in the lab, we found that you couldn't circumvent any of them, basically, because they're physics-based," he said. "There's no way to manipulate that stream."
One source familiar with nuclear information technology practices, who agreed to speak about security matters on condition of anonymity, said that "in order to have a catastrophic impact, you have to get by the human in the control room" — no easy feat. "You're talking workers who are regularly screened for insider [threat] indicators and psychological stability."
Still, the source said a well-resourced attacker could try sneaking in thumb drives, planting an insider or even landing a drone equipped with wireless attack technology into a nuclear generation site. Reports indicate that the infamous Stuxnet worm, which damaged Iranian nuclear centrifuges in the late 2000s, probably snuck in on removable media. Once inside the "air gapped" target network, Stuxnet relied on its own hard-coded instructions, rather than any remote commands sent in through the internet, to cause costly and sensitive nuclear equipment to spin out of control.
But the source, who had reviewed recent DHS and FBI warnings about recent nuclear cyberthreats, added that there was no indication the actor behind it got close to nuclear operators' crown jewels.
"To get around the data diodes and all the other defenses, it'd be unprecedented at this point," at least from a U.S. perspective, said the source.
Would it even be possible?
"Maybe if you're Vladimir Putin," the source said.
Reporter Peter Behr contributed.