U.S. officials yesterday blamed Russia for a series of cyberattacks aimed at a South Dakota-based energy company and multiple nuclear power plants.
While the hackers stopped short of causing physical damage, they managed to steal data from deep within the control networks of several "energy generation facilities," according to a joint alert from the FBI and the Department of Homeland Security.
The cyber intrusions date back to at least March 2016 and also targeted water, aviation and critical manufacturing firms, the agencies said.
In a related action, the Treasury Department unveiled sanctions against two dozen Russian individuals, agencies and businesses said to be linked to the "ongoing" hacking campaign and others like it, including attempts to sow discord in the 2016 U.S. presidential election.
Former Director of National Intelligence James Clapper Jr. pointed out in an email that the sanctions don't single out Russian President Vladimir Putin and that their effectiveness "depends on how much pain these sanctions actually cause" the individuals named.
Clapper said he did not expect to see the U.S. respond in-kind to the cyber intrusions, "unless we are confident in our ability to withstand and be resilient in the event of a counter-retaliation.
"We try to be precise, surgical, and legalistic; we can't depend on an adversary being similarly precise, surgical, legalistic," he said, citing concerns about the Russians leaving malware implanted in key targets "that they can activate at a time of their choosing."
Several cybersecurity experts said they found the U.S. government's case to be credible, noting that Russia is one of a few nations to have shown both the willingness and technical chops to hack specialized industrial control systems.
Russian hackers are widely thought to have been responsible for turning off the lights to several hundred thousand Ukrainians in December 2015 and again in 2016, marking the only known times cyberattacks have cut off electricity anywhere in the world.
The strikes against U.S. electricity companies appear to have had similarly disruptive goals, though the hackers have quieted down lately, according to Jon DiMaggio, senior threat intelligence analyst at cybersecurity firm Symantec Corp.
"While we haven't seen recent heavy activity, we expect they are retooling and will be back," DiMaggio said in an email.
Last September, Symantec said it had caught the "Dragonfly 2.0" hackers red-handed taking screenshots of sensitive control systems from U.S. and European targets (Energywire, Sept. 12, 2017). Asked at the time whether the attackers could have actually brought down parts of the power grid, DiMaggio demurred but said they seemed determined to arm themselves with that capability.
'I look forward to hearing back'
Yesterday's DHS and FBI alert laid out the hackers' attacking blueprint: They started at vulnerable, third-party suppliers before working their way up to their eventual target.
"[We] characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," the agencies said.
At one point, the hackers tempted electricity workers with an emailed resume purporting to come from "Jon Patrick," a control systems engineer from a small construction firm in Michigan. Such "spear phishing" emails often convince victims to click, unwittingly granting hackers a foothold.
"Multi-skilled controls engineer with experience in hands-on project based work," part of the email reads. "Experience ranges from budget estimate and managing electric engineering projects to developing and commissioning software for PLC - SCADA control systems.
"I look forward to hearing back."
The attached file was laced with malware that enabled the attackers to steal usernames and passwords for later use.
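The lure described above, a resume with a malicious attachment that harvested credentials, is the kind of message a mail-security pipeline should be able to pick out before a user opens it. As an added defender-side example (not code from the DHS/FBI alert, Symantec, FireEye or E&E News), the Python below parses a constructed message, pulls out the resume-themed attachment and checks whether an Office document inside it references an external location that would be fetched when the file is opened, the kind of remote file location the article later says the second stage of the intrusion depended on. The sender, recipient, filename and remote host are constructed placeholders, and the check for external relationship targets inside an Office Open XML package is a general heuristic assumed here, not a detail taken from the alert.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Words that mark a resume-themed lure; an assumption for this example.
RESUME_WORDS = ("resume", "cv", "curriculum")

# A relationship inside an Office Open XML package whose TargetMode is
# "External" is fetched from outside the document when it is opened.
# The schemes and the UNC form matched here are assumptions for this example.
REMOTE_TARGET_RE = re.compile(
    r'Target="((?:https?|file|ftp|smb)://[^"]+|\\\\[^"]+)"', re.IGNORECASE)
EXTERNAL_MODE_RE = re.compile(r'TargetMode="External"', re.IGNORECASE)


def external_targets_in_office_doc(blob: bytes) -> List[str]:
    """Return remote targets named in the .rels parts of an OOXML file.

    Anything that is not a zip archive (plain text, PDF, ...) yields []."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return []
    targets: List[str] = []
    for name in archive.namelist():
        if not name.endswith(".rels"):
            continue
        xml = archive.read(name).decode("utf-8", errors="replace")
        # Inspect one <Relationship .../> element at a time so the
        # TargetMode and Target attributes belong to the same relationship.
        for rel in re.findall(r"<Relationship\b[^>]*>", xml):
            match = REMOTE_TARGET_RE.search(rel)
            if match and EXTERNAL_MODE_RE.search(rel):
                targets.append(match.group(1))
    return targets


def triage_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and report attachments that would load
    content from a remote location when opened."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    resume_themed = any(w in subject.lower() for w in RESUME_WORDS)
    remote_targets: List[str] = []
    attachments: List[str] = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        attachments.append(filename)
        if any(w in filename.lower() for w in RESUME_WORDS):
            resume_themed = True
        payload = part.get_payload(decode=True) or b""
        remote_targets.extend(external_targets_in_office_doc(payload))
    return {
        "from": str(msg["From"]),
        "attachments": attachments,
        "resume_themed": resume_themed,
        "remote_targets": remote_targets,
        # The remote fetch, not the resume theme, is the finding: a document
        # that reaches out when opened is how credentials leave the network.
        "suspicious": bool(remote_targets),
    }


def build_sample_docx(remote_target: Optional[str]) -> bytes:
    """Constructed minimal .docx; with remote_target set, its settings part
    points at an external template, as a credential-harvesting lure would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if remote_target:
            rels += ('<Relationship Id="rId1" Type="attachedTemplate" '
                     f'Target="{remote_target}" TargetMode="External"/>')
        rels += "</Relationships>"
        archive.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def build_sample_email(attachment: bytes, filename: str) -> bytes:
    """Constructed lure message; addresses and wording are placeholders."""
    msg = EmailMessage()
    msg["From"] = "applicant@construction-firm.invalid"
    msg["To"] = "controls-team@utility.invalid"
    msg["Subject"] = "Controls engineer resume"
    msg.set_content("Multi-skilled controls engineer. I look forward to hearing back.")
    msg.add_attachment(
        attachment, maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_email(
        build_sample_docx("file://remote-host.example/share/template.dotm"),
        "resume.docx")
    print(triage_message(lure))
```

The theme of the message is only context; what the check acts on is the external target, because a resume that is just a document is harmless while one that fetches a remote template on open is the first stage the agencies described. Running the same check against a constructed .docx with no external relationship reports nothing, which is the behaviour a gateway rule needs to avoid blocking every job application.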
"This is an actor that we've seen target engineers — specifically, folks working in the energy sector across multiple Middle Eastern, European and North American countries," said Ben Read, senior manager for cyber espionage analysis at the cybersecurity firm FireEye Inc.
He said much of the technical information in the latest alert "is not going to come as a surprise to a lot of power companies."
"Hopefully most places have already taken action," he said.
At least one South Dakota energy firm learned the hard way, according to nonpublic government and industry alerts reviewed by E&E News.
After more than two dozen phishing attempts on the unnamed company last year, "one user of an active account opened the e-mail and malicious attachment" on May 31, said a report from DHS's Office of Intelligence and Analysis. However, the phishing attack "failed" because the hackers hadn't activated a remote file location needed to launch the second phase of the intrusion, DHS noted.
Other tries broke through to their targets.
DHS and FBI shared a reconstructed screenshot of a control system computer that the hackers were able to access.
Though the screenshot is heavily redacted, several electricity-sector experts contacted by E&E News said it could have come from an oil- or gas-fired cogeneration power plant.
Representatives from the electric power and nuclear industries pointed out that the attackers never managed to affect the North American grid.
Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, which represents major investor-owned utilities across the U.S., said the industry spread the word about the DHS report yesterday via a grid-focused information-sharing hub.
He called the two-way flow of intelligence between government and power utilities "vital to guarding the grid from all possible threats."
Bill Gross, director of incident preparedness at the Nuclear Energy Institute, pointed out that the technical details in the DHS bulletin were already available last year.
He said that while he appreciated the federal government's ongoing information-sharing efforts, the alert itself was unlikely to spur any major actions on the part of industry.
"Having an actor named, that doesn't really change what we do to protect our systems," he said.
E&E News first reported last year that multiple nuclear power generation sites had been hit by the hacking campaign, though nuclear safety was not affected (Energywire, June 27, 2017).
The New York Times later reported that Wolf Creek Nuclear Operating Corp., based out of Kansas, fell into the hackers' crosshairs.
Gross declined to speculate on what, if anything, may have been stolen from nuclear power companies' corporate networks, but he pointed out that the highest-risk "safeguards" information would be kept isolated from administrative computers.
"Certainly, the protective measures that we have in place preclude the types of attacks that were described in the bulletin today," he said in an interview. "There's really no digital pathway into the [nuclear] plant."
Several U.S. lawmakers welcomed the Trump administration's efforts to clamp down on documented Russian aggression in cyberspace.
Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, commended the Trump administration for "sending a message that we will respond when attacked," noting that "we can no longer tolerate Russia's actions that harm the United States and its allies through cyberspace."
Democratic lawmakers were less effusive, questioning why it took so long to call out Russia's alleged behavior.
"A year ago yesterday, I called for a Russian cyber threat assessment to our grid," Sen. Maria Cantwell (D-Wash.) said in a statement yesterday, noting that she was long met with "deafening silence" from Trump (E&E News PM, March 15). "I hope today's belated response is the first step in a robust and aggressive strategy to protect our critical infrastructure."
In Moscow, Deputy Foreign Minister Sergei Ryabkov told the state-owned Tass news agency that Russia plans to retaliate with its own set of sanctions. He called the U.S. accusations "groundless."
Russian officials toed a similar line after several nations, including the United Kingdom and the U.S., accused Moscow of orchestrating a devastating "ransomware" cyberattack on Ukraine last year (Energywire, Feb. 16). The "NotPetya" worm, which the White House called "the most destructive and costly cyber-attack in history," spread quickly beyond its initial targets and locked up computers at major shipping and chemical firms, causing hundreds of millions of dollars in damages.
Kremlin spokesman Dmitry Peskov called those findings "nothing more than the continuation of the Russophobic campaign lacking any evidence."
The Department of Energy said yesterday that the DHS and FBI alert underscores the growing threat from hackers.
Last month, Energy Secretary Rick Perry outlined plans to restructure a key electric reliability office at DOE, spinning off a stand-alone agency devoted to cybersecurity issues.
"DOE has worked closely with government partners and energy sector asset owners to help ensure attempts failed or were stopped," Perry said in a statement following yesterday's alert. "This event demonstrates exactly why I am creating an Office of Cyber Security and Emergency Response. It is crucial for the DOE to consolidate and strengthen our efforts to combat the growing nefarious cyber threats we face."
Nevertheless, the Trump administration's governmentwide cybersecurity defenses may not be adequately coordinated to face growing cyberthreats, Perry and Rep. Mike Simpson (R-Idaho), chairman of a House Appropriations subcommittee, agreed yesterday.
Perry was testifying on DOE's fiscal 2018 budget proposal when Simpson, who heads the Energy and Water Development and Related Agencies Appropriations Subcommittee, turned the conversation to the cyberthreat.
A cyberattack "could attack and destroy your economy, and you may not know where it came from," Simpson said. "It is scary business. I think that is our biggest threat."
Simpson added, "I think we're attacking it department-wise," indicating DOE, "but I'm not sure if we're attacking it government-wise."
Simpson said he would like to be able to appropriate money for cyberdefense in one place and know that it was well-used.
Perry said the reorganization of DOE's cyber efforts, proposed in the 2018 budget plan, was an attempt to coordinate and centralize the department's efforts. The overall responsibility for cyberdefenses in the civilian sector belongs to the DHS, he noted.
"I will tell you that I'm not confident the federal government has a broad strategy in place that is not duplicating, or [the] least duplicative that it can be," Perry said.
Reporters Peter Behr and Hannah Northey contributed.