Russian hackers infiltrated U.S. electric utilities’ control rooms last year
25 July 2018
The U.S. Department of Homeland Security has revealed that a group of Russian hackers successfully infiltrated the industrial control system of an electric generation firm last year while they were targeting hundreds of energy and non-energy companies in the country.
The Russian hackers achieved the breakthrough after they managed to compromise a network run by a third-party vendor, and the control they gained allowed them to cause blackouts or to interfere with the power supply. However, the Department of Homeland Security said that the infiltration would not have affected the larger grid.
“While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline. Over the course of the past year as we continued to investigate the activity, we learned additional information which would be helpful to the industry in defending against this threat,” the department said.
An infiltration waiting to happen
Tim Erlin, VP of Product Management & Strategy at Tripwire, said that the Russian hackers could have sought control over the industrial control system for various purposes, such as terrorism, ransom, or as a rehearsal for future operations, adding that such an attack was simply waiting to happen.
“There have been warning signs that state-sponsored attacks on utilities were increasing. Some of these warnings were very public, like the Ukraine attack, and others were well-known inside the industry itself. The US electric grid isn’t one system with a consistent risk profile.
“It’s distributed across thousands of entities, operating independently. Distribution and independence means a variety of systems, risks, and defences. A widespread national outage is unlikely in such a system, but significant regional disruptions are certainly possible. It can be difficult to walk the line between hyperbole and appropriate concern.”
He added that while it is impossible to define the potential damage of such an attack, it is important to understand that there’s more to be done defensively to limit the level of access Russian hackers have to such critical systems.
The Russian hackers are believed to be members of a well-known hacker group known as Dragonfly or Energetic Bear. According to Chris Doman, security researcher at AlienVault, the Department of Homeland Security released a detailed report on the activities of Dragonfly in March and the private sector has published a number of reports on them since 2012.
“I’m not aware of Dragonfly being responsible for any destructive attacks – just espionage. They also appear to have some interests outside of just the energy sector. They are distinct from another reportedly Russian group that is responsible for the blackouts in Ukraine, and has also previously been seen probing the grid in the US,” he said.
Attacks on industrial systems on the rise
This isn’t the first time that hackers have targeted critical industrial systems to cause chaos or to cripple normal life in enemy states. In December last year, security firm FireEye revealed that state-sponsored hackers used a purpose-built malware known as Triton to target the Triconex industrial safety technology, which was used by Schneider Electric SE for emergency shutdown purposes.
First, by attacking a safety instrumented system (SIS) engineering workstation and causing a diagnostic failure, the hackers appeared to be seeking to cause serious physical damage. Second, the attackers deployed Triton only after gaining access to the SIS system, indicating that they had built and tested the tool in advance.
Considering that an SIS system monitors the status of industrial processes and brings a process back into a safe state after it reaches a hazardous state, compromising an organisation’s SIS system means compromising its performance as a whole and creating a crisis situation.
In the UK, a Freedom of Information request by security firm Corero Network Security revealed in May that around 70 percent of critical infrastructure organisations in the country suffered service outages in the previous two years, with over 35 percent of all outages believed to have been caused by a cyber attack.
“Service outages and cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport, and the emergency services. The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society,” said Andrew Lloyd, President at Corero Network Security.
“Across all sectors, we are seeing a greater number of sophisticated and, when undefended, damaging cyber-attacks. Government Ministers and Agencies have reported that these attacks are increasingly believed to be the work of foreign governments seeking to cause political upheaval.
“The head of the National Cyber Security Centre has already warned that it is a matter of when, not if, the UK experiences a devastating cyber attack on its critical infrastructure. The study poses serious questions about the UK’s current capability to withstand such an attack,” he added.