By Stephen Jewkes and Oleg Vukmanovic
MILAN/LONDON (Reuters) - Suspected Russia-backed hackers have launched exploratory cyber attacks against the energy networks of the Baltic states, sources said, raising security concerns inside the West's main military alliance, NATO.
Lithuania, Latvia and Estonia, all members of NATO and the European Union, are on the political front line of tensions between the West and Moscow. The Baltics are locked into Russia's power network but plan to synchronize their grids with the EU.
Interviews with more than a dozen law-enforcement and private investigators, insiders and utility officials show hackers have quietly made incursions into Baltic networks over the past two years, in parallel with more serious attacks in Ukraine that plunged swathes of that country into darkness.
They say Russian state organizations are suspected of being behind the campaigns.
Reuters could not independently verify the sources' allegations.
At the end of 2015, hackers attacked an Internet gateway used to control a Baltic electricity grid, disrupting operations but not causing blackouts, a source familiar with the matter said. He declined to give details due to ongoing private investigations into the incident, which has not been previously reported.
The attack was a distributed denial of service (DDoS), where Internet gateways are bombarded with large amounts of data, a blunt but sometimes effective technique in an age when energy networks are being modernized with digital technology.
The source also said suspected Russia-backed hackers had targeted a Baltic petrol-distribution system at around the same time in an unsuccessful denial of service attack that aimed to cause widespread disruption in petrol deliveries.
The system coordinates deliveries from storage tanks to a network of petrol stations, the source added.
In a separate malware attack on another undisclosed Baltic grid, also around end-2015, hackers targeted network communication devices, serial-to-ethernet converters (STEC), which link sub-stations to central control, two other sources said. The attack did not cause service disruption, they added.
Though these three incidents date back 18 months or so, cyber security consultants are still investigating some of them. They say hackers can remain dormant and undetected inside systems. In Ukraine, hackers had infiltrated the grids there for about six months before the lights went out in December 2015, consultants said.
STECs were also targeted in Ukraine by the so-called Sandworm team, a Russia-backed group that had attacked energy companies in Western Europe and the United States in a campaign in 2014, several sources said.
The two sources with knowledge of the STEC attacks said they had detected the presence of Sandworm in the Baltics, but they did not give evidence for their suspicion. One of them said Sandworm was still active in the Baltic states.
"It's the same kind of slander as all the other similar accusations," Kremlin spokesman Dmitry Peskov said when asked by Reuters about the possible hacks.
Russia has never cut power flows to the Baltic states or threatened to do so.
The NATO sources and utility officials said the Baltic attacks raised concerns that hackers could disable the region's energy networks just as they had done in Ukraine, where government troops have been battling pro-Russian separatists since 2014.
The first Ukraine attack caused crippling blackouts in some parts of the country lasting several hours.
NATO and cyber security experts believe hackers are testing the Baltic energy networks for weaknesses, becoming familiar with how they are controlled in order to be able to shut them down at will.
"On a daily basis there are DDoS attacks designed to probe network architecture, so it could well be possible that something (serious) could take place later on," a Brussels-based NATO official said, requesting anonymity because he was not authorized to speak publicly on the matter.
Lithuanian grid operator Litgrid said attacks on IT systems and the grid were constant but it had not seen DDoS attacks.
Litgrid maintains constant monitoring and runs regular tests to detect any cyber break-ins as part of its network defenses, the utility said in an emailed statement.
Latvia's grid operator, AST, said it had not seen incidents in the last year. Estonia's Elering said only that it had not seen any attacks at the time of the Ukraine incursions in 2015.
A security official based in the Baltics said cyber attacks usually increased when Russia carried out large military exercises near its borders with the Baltic states.
Last month, NATO helped stage a cyber-security exercise in Estonia in which hundreds of cyber experts from around the world competed in teams to protect a fictitious military air base from attacks on, among other things, a power grid system.
In its 2017 national security threat assessment, Lithuania said hackers had launched large-scale DDoS attacks in April last year against state ministries and institutions, Vilnius airport, media and "other important Lithuanian cyber infrastructure".
"A major part of executed cyber attacks against the state sector of Lithuania in 2016 were associated with Russian intelligence," the report said, without giving details.
Lithuania's state-owned energy holding group, Lietuvos Energija, said it had encountered untraceable attacks like zero-day viruses, among others, which exploit hidden vulnerabilities. Lietuvos's businesses include power distribution.
"We do assume that we have adversaries who want to harm us," said Liudas Alisauskas, information security chief at Lietuvos.
Lietuvos runs drills to prepare for cyber attacks, including switching to manual operation of the grid, Alisauskas said.
In Ukraine, operators of older and technologically simpler networks were able to send workers out into the field to manually bring grids back up. This would be more difficult to achieve in modern, digitized networks, cyber consultants said.
(Additional reporting by Andrius Sytas in VILNIUS, David Mardiste in TALLINN and Jack Stubbs in MOSCOW; Editing by Mark Bendeich and Andrew Roche)