U.S. Government Accuses Russia of Hacking the Power Grid

A joint Department of Homeland Security and Federal Bureau of Investigation analysis finds evidence that Russia has been actively targeting critical infrastructure in the U.S with cyber-attacks. What should grid operators do in the U.S. to limit risks?

energy utility security

The U.S. Government warned on March 15 that Russian government hackers have taken direct aim at the U.S. power grid, as well as other critical manufacturing sectors.

The allegations about Russian hacking of the U.S. power grid comes as a result of a joint Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) analysis effort. According to the analysis, Russian hackers have been active since at least March 2016, with the aim of compromising organizational networks in industrial controls systems.

"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," a US-CERT advisory states. "After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS)."

The U.S. Department of the Treasury also cited the Russian cyber-attacker activities as part of the rationale behind new sanctions directed at multiple Russian individuals and entities announced on March 15.

"The Administration is confronting and countering malign Russian cyber-activity, including their attempted interference in U.S. elections, destructive cyber-attacks, and intrusions targeting critical infrastructure," Treasury Secretary Steven Mnuchin stated.

DHS and the FBI aren't the only organizations that have noticed the Russian activities either. In its alert, US-CERT noted the Dragonfly campaign which security firm Symantec reported on in Sept. 2017, is part of Russia's efforts to attack the energy sector. According to Symantec, Dragonfly attacked energy companies in the United States, Turkey and Switzerland. 

Industry Reaction

Security experts contacted by eWEEK were not surprised by U.S. Government claims of Russian cyber-attacks against the critical infrastructure.

"Based on the preponderance of publicly-identified campaigns in the last year such as DragonFly, NotPetya, WannaCry, Crash Override and Black Energy 2.0, we know that threat actors, including Russia, are attempting to target U.S. critical infrastructure," Emily Miller, Director of National Security and Critical Infrastructure Programs at Mocana Corporation, told eWEEK.

Galina Antova, co-founder of ICS security firm Claroty noted that the U.S. Government has been very careful historically in attribution of nation state cyber-attacks. She added that DHS and private threat intelligence companies have been sounding the alarm about a sustained and determined Russian campaign against U.S. and European grids for quite some time, including the SandWorm team and BlackEnergy 3 malware, both believed to be of Russian origin.

Next Steps

Antova suggests that calling out nation state actors when the evidence is reliable is a first good step—especially when state actors cross '"red lines." 

"Attacking the U.S. grid operators and shutting off power in Ukraine should be red lines that draw a strong rebuke," Antova said. "In addition to setting security standards and sharing intelligence with the grid, other critical infrastructure owners/operators, the government can be helpful in supporting the training of industrial cyber-security practitioners and providing direct funding, tax breaks, subsidies or rate relief enabling owners and operators to enhance their security posture."

Looking beyond just attribution, Bryan Singer, Director of Security Services at IOActive, commented that where an attack is coming from is somewhat less important than the fact that the attack has occurred.  

"If there is evidence systems have been compromised, utilities and companies should be enacting their incident response plans to isolate and remediate cyber threats, and then follow up with cyber-vulnerability assessments and corrective action to prevent future breaches," Singer told eWEEK.

Singer also noted that critical infrastructure operators in the U.S. should be doing the same things to defend against Russian hackers that they should be doing to prevent against any cyber-attack, no matter the source.  

"Build defensive protections, build detective controls, practice incident response, conduct vulnerability assessments, and if indicators of compromise are found, simultaneously work to remove the offending threat, and fix the holes that were used to gain access to the system," Singer said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.