Hackers working for Russia claimed “hundreds of victims” last year in a major, long-running campaign that enabled them to gain control over some U.S. electric utilities, where they could have caused blackouts, the Wall Street Journal is reporting.
Citing officials at the U.S. Department of Homeland Security, the Journal reported on July 23 that the Russian hacking campaign has likely continued this year and involves a state-sponsored group known as Dragonfly or Energetic Bear.
The hackers broke into supposedly secure networks owned by utilities with relative ease by first penetrating the networks of vendors who had trusted relationships with the power companies, the Journal reported.
“They got to the point where they could have thrown switches” and disrupted power flows, Jonathan Homer, a department analyst, told the Journal.
The department has been warning utility executives with security clearances about the Russian threat to critical infrastructure since 2014.
But on July 23, the department gave out detailed information about the intrusions publicly for the first time at an unclassified briefing for the industry. It did not provide the names of alleged victims, but said there were "hundreds."
It also said some companies still may not know they were compromised, because the attacks used credentials of actual employees to get inside utility networks, potentially making the intrusions more difficult to detect.
“They’ve been intruding into our networks and are positioning themselves for a limited or widespread attack,” Michael Carpenter, former deputy assistant secretary of defense, who now is a senior director at the Penn Biden Center at the University of Pennsylvania, told the Journal. “They are waging a covert war on the West.”
Russia has denied targeting critical infrastructure.
Homer told the Journal that the longrunning cyberattack, which surfaced in the spring of 2016 and continued throughout 2017, exploited relationships that utilities have with vendors who have special access to update software, run diagnostics on equipment, and perform other services that are needed to keep millions of pieces of gear in working order.
He said the attackers began by using conventional tools — spearphishing e-mails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites — to compromise the corporate networks of suppliers, many of whom were small companies without big budgets for cybersecurity.
Once inside the vendor networks, they pivoted to their real focus: the utilities, officials told the Journal. They said it was a relatively easy process, in many cases, for the intruders to steal credentials from vendors and gain direct access to utility networks.
Then they began stealing confidential information. For example, the hackers vacuumed up information showing how utility networks were configured, what equipment was in use and how it was controlled.
The hackers also familiarized themselves with how the facilities were supposed to work, because attackers “have to learn how to take the normal and make it abnormal” to cause disruptions, Homer told the Journal.
The department said it plans three more industry briefings and hopes to determine whether there are any new network infections, and whether the hackers have figured out ways to defeat security enhancements like multifactor authentication.
In addition, the department is looking for evidence that the Russian hackers are automating their attacks, which investigators worry could presage a large increase in hacking efforts.
It isn’t yet clear whether the hackers used their access to prepare for some future, devastating blow to the U.S. electric grid, investigators told the Journal.
With reporting by the Wall Street Journal, Reuters, and CNBC