Russian hackers were able to breach the control rooms of hundreds of U.S. utilities last year in a campaign that is likely ongoing, the Wall Street Journal reported Monday.
According to the Department of Homeland Security, the hackers work for a state-sponsored group identified as Dragonfly or Energetic Bear and could’ve disrupted power and caused blackouts.
“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial-control-system analysis for DHS, told the Journal.
The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, “air-gapped” or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security. […]
The attackers began by using conventional tools—spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites—to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.
Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks.
Then they began stealing confidential information. For example, the hackers vacuumed up information showing how utility networks were configured, what equipment was in use and how it was controlled. They also familiarized themselves with how the facilities were supposed to work, because attackers “have to learn how to take the normal and make it abnormal” to cause disruptions, said Mr. Homer.
Their goal, he said: to disguise themselves as “the people who touch these systems on a daily basis.” (WSJ)
The hackers used the credentials of current employees to penetrate the networks so some companies may still be unaware they were compromised.
“They’ve been intruding into our networks and are positioning themselves for a limited or widespread attack,” Michael Carpenter, former deputy assistant secretary of defense, told the Journal. “They are waging a covert war on the West.”
Russia has, of course, denied penetrating U.S. critical infrastructure.