Threat Management, Critical Infrastructure Security, Threat Management, Threat Intelligence, Malware, Phishing

Reports: Feds issue alert after adversary breaches power plant business networks

Since May, foreign hackers have breached computer networks at 12 or more U.S. power plants, including some nuclear facilities, prompting the FBI and Department of Homeland Security to issue an urgent amber warning to utility companies, according to reports originating from Bloomberg and the New York Times.

Fortunately, the affected systems do not appear to be industrial control systems that operate the plants, as noted by the two federal agencies in a formal statement. “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks," the statement reads. "In furtherance of public-private partnerships, the FBI and DHS routinely advise private industry of various cyber threat indicators in order to help systems administrators guard against the actions of persistent cyber criminals."

A tweet today from the Nuclear Energy Institute would seem to address concerns stemming from the joint report: "Nuclear reactors are wholly disconnected from the Internet, so hackers can't impact operations or safety systems," the tweet reads.

Citing current and former U.S. officials, the news reports point to Russia as the prime suspect behind the cyber intrusions. Russia is already heavily suspected in the Sandworm and Energetic Bear APT attacks that have disrupted the Ukrainian power grid in recent years. And while it's possible that the attackers could just be attempting to snoop on U.S. industrial operations, the bigger fear is that they might one day attempt to similarly cause power outages or trigger an emergency.

In its report, the Times referenced a pair individuals familiar with the investigation who said the hackers' techniques resembled the work of the Energetic Bear hacking group. According to the joint FBI-DHS report, obtained by the Times, the culprits reportedly sent targeted email messages containing malicious attachments disguised as job resumes to senior industrial control engineers at utilities companies. The fake resumes were actually Microsoft Word documents with malicious code used to steal credentials, which in turn could be leveraged for greater network access. The adversary reportedly also conducted watering hole attacks and man-in-the-middle attacks against their targets.

The reports identified one target as the Wolf Creek Nuclear Operating Corporation, which operates a power plant in Kansas. Bloomberg reported that another victim was an unidentified company that manufactures control systems for power industry equipment.

These revelations only heighten the infosec community's scrutiny of Russia and its efforts to hack U.S. interests and influence the 2016 election. President Donald Trump met with Russian President Vladimir Putin today at the G20 Summit in Germany, during which time they reportedly discussed the election controversy.

In a newly released Black Hat USA survey of 580 recent conference attendees, 60 percent of information security professionals said they believe that a successful cyberattack on U.S. critical infrastructure will take place within the next two years. Only 26 percent expressed confidence that U.S. government and defense forces are properly equipped and trained to respond appropriately.

James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT), said that the findings coming out of the DHS-FBI report are actually "nothing new," as Russia has been "parasitically entwined in our nation's grid for quite some time."

"We should not be surprised to learn of these targeted attempts by advanced attackers on our power stations," said Richard Henderson, global security strategist, at Absolute Software Corporation. "In fact, we should appreciate that this is the new reality of wide-scale interconnectivity and just how far the Internet has reached in the past couple of decades. Thankfully, it appears that the targets in question have taken significant steps to isolate their ICS/SCADA environments from their general computing infrastructure, which would make a remote attack on the stations themselves significantly more difficult for a well-funded attacker."

"The notion that there may be nation-state or rogue actors who have been resident in the networks of nuclear facilities, electrical grids, and dams isn't far-fetched," said Ken Spinner, VP of field engineering at Varonis Systems. "Many of these infrastructure providers are relying on outdated security systems with limited detection capabilities. The concern over state-sponsored hackers using malware to attack critical infrastructure is no longer theoretical. We got a glimpse of what's possible when the Ukraine's power grid was partially disrupted..."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.