Russian Hackers Extend Feelers into Power Grid

March 16, 2018


One urgent reason to move to a more distributed, islandable, resilient grid with backup battery power is the increasing vulnerability of traditional electrical grids to attack.

Also, an urgent reason to wonder what the Russians have on Donald Trump.

New York Times:

The Trump administration accused Russia on Thursday of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.

United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt the West’s critical facilities in the event of a conflict.

They said the strikes accelerated in late 2015, at the same time the Russian interference in the American election was underway. The attackers successfully had compromised some operators in North America and Europe by spring 2017, after President Trump was inaugurated.

In the following months, according to a Department of Homeland Security report issued on Thursday, Russian hackers made their way to machines with access to critical control systems at power plants that were not identified. The hackers never went so far as to sabotage or shut down the computer systems that guide the operations of the plants.

Still, new computer screenshots released by the Department of Homeland Security on Thursday made clear that Russian state hackers had the foothold they would have needed to manipulate or shut down power plants.

“We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or affect sabotage,” said Eric Chien, a security technology director at Symantec, a digital security firm.

“From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation,” Mr. Chien said.

American intelligence agencies were aware of the attacks for the past year and a half, and the Department of Homeland Security and the F.B.I. first issued urgent warnings to utility companies in June. On Thursday, both agencies offered new details as the Trump administration imposed sanctions against Russian individuals and organizations it accused of election meddling and “malicious cyberattacks.”

It was the first time the administration officially named Russia as the perpetrator of the assaults. And it marked the third time in recent months that the White House, departing from its usual reluctance to publicly reveal intelligence, blamed foreign government forces for attacks on infrastructure in the United States.

In December, the White House said North Korea had carried out the so-called WannaCry attack that in May paralyzed the British health system and placed ransomware in computers in schools, businesses and homes across the world. Last month, it accused Russia of being behind the NotPetya attack against Ukraine last June, the largest in a series of cyberattacks on Ukraine to date, paralyzing the country’s government agencies and financial systems.

But the penalties have been light. So far, Mr. Trump has said little to nothing about the Russian role in those attacks.

The groups that conducted the energy attacks, which are linked to Russian intelligence agencies, appear to be different from the two hacking groups that were involved in the election interference.

That would suggest that at least three separate Russian cyberoperations were underway simultaneously. One focused on stealing documents from the Democratic National Committee and other political groups. Another, by a St. Petersburg “troll farm” known as the Internet Research Agency, used social media to sow discord and division. A third effort sought to burrow into the infrastructure of American and European nations.

For years, American intelligence officials tracked a number of Russian state-sponsored hacking units as they successfully penetrated the computer networks of critical infrastructure operators across North America and Europe, including in Ukraine.

Some of the units worked inside Russia’s Federal Security Service, the K.G.B. successor known by its Russian acronym, F.S.B.; others were embedded in the Russian military intelligence agency, known as the G.R.U. Still others were made up of Russian contractors working at the behest of Moscow.

Russian cyberattacks surged last year, starting three months after Mr. Trump took office.

American officials and private cybersecurity experts uncovered a series of Russian attacks aimed at the energy, water and aviation sectors and critical manufacturing, including nuclear plants, in the United States and Europe. In their urgent report in June, the Department of Homeland Security and the F.B.I. notified operators about the attacks but stopped short of identifying Russia as the culprit.


Russian hackers are conducting a broad assault on the U.S. electric grid, water processing plants, air transportation facilities and other targets in rolling attacks on some of the country’s most sensitive infrastructure, U.S. government officials said Thursday.

The announcement was the first official confirmation that Russian hackers have taken aim at facilities on which hundreds of millions of Americans depend for basic services. Bloomberg News reported in July that Russian hackers had breached more than a dozen power plants in seven states, an aggressive campaign that has since expanded to dozens of states, according to a person familiar with the investigation.

“Since at least March 2016, Russian government cyber actors” have targeted “government entities and multiple U.S. critical infrastructure sectors,” including those of energy, nuclear, water and aviation, according to an alert issued Thursday by the Department of Homeland Security and Federal Bureau of Investigation.

Critical manufacturing sectors and commercial facilities also have been targeted by the ongoing “multi-stage intrusion campaign by Russian government cyber actors.”

Cyber-attacks are “literally happening hundreds of thousands of times a day,” Energy Secretary Rick Perry told lawmakers during a hearing Thursday. “The warfare that goes on in the cyberspace is real, it’s serious, and we must lead the world.”

Separately Thursday, the U.S. sanctioned a St. Petersburg-based “troll farm,” two Russian intelligence services, a close ally of Russian President Vladimir Putin and other Russian citizens and businesses indicted by Special Counsel Robert Mueller on charges of meddling with the 2016 U.S. presidential election.

A joint analysis by the FBI and the Department of Homeland Security described the hackers as extremely sophisticated, in some cases first breaching suppliers and third-party vendors before hopping from those networks to their ultimate target. The government’s report did not say how successful the attacks were.

The Conversation:

On December 23, 2015, two days before Christmas, the power grid in the Ivano-Frankivsk region of Ukraine went down for a reported six hours, leaving about half the homes in the region with a population of 1.4 million without power, according to the Ukrainian news media outlet TSN.

It reported that the cause of the power outage was a “hacker attack” utilizing a “virus.” Outages were caused when substations – devices that route power and change voltages – were disconnected from the grid, TSN said.

There have been a handful of documented attacks on the power grid and control systems of energy systems, such as oil refineries. But this cyberattack in Ukraine counts as only the second or third to successfully derail power delivery using a software-based attack.

Because of its success, the incident has sent shock waves through cybersecurity circles. How was this attack carried out? And could something similar happen in other countries?

The Ukrainian power grid has several attributes that cause some special concern.

The bulk of the power production at any time is provided by nuclear power plants, which provide most of the steady “baseload” power to supply electricity through most of the day.

To meet fluctuations in demand – for instance, increases in power use in the morning as people begin their day – grid operators in Ukraine primarily rely on coal power plants. They do not have many avenues to import power from other countries to meet spikes and dips in demand.

This situation means that if a cyberattack causes a power outage, Ukraine grid operators may not be able to respond rapidly enough and export an excess in the flow of power, which would lead to grid instabilities and the need to shut down nuclear reactors.

There is also the issue of cooling of reactors in the event of a power outage. The cooling pumps in the nuclear reactors in Ukraine are dependent on AC power input from the grid, thereby making them susceptible in the event that backup diesel generators cannot be started.

Broader concerns

Could this happen in the West? In short, yes. U.S. utilities use software products from various major vendors which have been the targets of a Sandworm BlackEnergy campaign.

Thus far, there doesn’t seem to have been any financial benefit from the attack. What’s more, when attackers use malware, they expose their methodology, which makes it possible for security people to develop protections for that line of attack. So we have to wonder what they had to gain from the exercise.

If they have nothing to gain in the short term, like robbing banks while the grid is down, did they gain valuable experience for their next, more effective attack?

The ability to hack into a utility to throw switches (breakers) at substations, as was done in Ukraine, opens up the possibility of more serious types of attacks, as was demonstrated by the Aurora Test. In that controlled experiment, circuit breakers associated with a generator were opened and closed using software in a way that resulted in permanent damage to equipment.
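The Aurora test described above rests on reclosing a generator's breaker while the machine is out of step with the grid. The following Python is an added example, not code from The Conversation or from any utility or relay vendor, of the standard countermeasure: a synchronism-check interlock that refuses close commands when the slip frequency or the voltage angle across the open breaker is outside a narrow window, and records the rejected commands so operators can be alerted. The frequencies, thresholds and command timings are constructed for illustration.

```python
"""Synchronism-check interlock for a generator breaker.

Added example (not from the article or any vendor firmware). Once a generator
breaker is opened, the machine drifts away from grid frequency; reclosing while
the two voltages are out of phase produces the torque that damaged equipment in
the Aurora test. A sync-check function (ANSI device 25 in relay terminology)
honours a close command only when slip and angle are both within limits.
All numeric settings below are constructed, not real utility values.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SyncCheckSettings:
    max_angle_deg: float = 10.0  # constructed: widest angle allowed across the breaker
    max_slip_hz: float = 0.1     # constructed: widest frequency difference allowed


def phase_difference_deg(f_gen_hz: float, f_grid_hz: float, t_s: float) -> float:
    """Angle between generator and grid voltages t_s seconds after the breaker
    opened, assuming both were in phase at t=0 and frequencies stay constant.
    The result is wrapped into [-180, 180)."""
    raw = 360.0 * (f_gen_hz - f_grid_hz) * t_s
    return ((raw + 180.0) % 360.0) - 180.0


def sync_check_permits(
    f_gen_hz: float,
    f_grid_hz: float,
    t_s: float,
    settings: SyncCheckSettings = SyncCheckSettings(),
) -> tuple[bool, str]:
    """Decide whether a close command issued at t_s may be executed.
    Returns (permitted, reason)."""
    slip = abs(f_gen_hz - f_grid_hz)
    if slip > settings.max_slip_hz:
        return False, f"slip {slip:.3f} Hz exceeds {settings.max_slip_hz} Hz"
    angle = abs(phase_difference_deg(f_gen_hz, f_grid_hz, t_s))
    if angle > settings.max_angle_deg:
        return False, f"angle {angle:.1f} deg exceeds {settings.max_angle_deg} deg"
    return True, "in synchronism"


def evaluate_close_commands(
    commands: list[tuple[float, str]],
    f_gen_hz: float,
    f_grid_hz: float,
    settings: SyncCheckSettings = SyncCheckSettings(),
) -> list[tuple[float, str, bool, str]]:
    """Apply the interlock to a sequence of (time_s, source) close commands.
    Returns (time_s, source, permitted, reason) per command. The rejected
    entries are the ones worth forwarding to monitoring: a burst of out-of-phase
    close attempts from an HMI or engineering workstation is the signature of
    the manipulation the article describes."""
    return [
        (t_s, source, *sync_check_permits(f_gen_hz, f_grid_hz, t_s, settings))
        for t_s, source in commands
    ]


if __name__ == "__main__":
    # Constructed scenario: breaker opened at t=0, generator runs 0.05 Hz fast,
    # and an operator console ("hmi-1", hypothetical name) sends three closes.
    commands = [(0.3, "hmi-1"), (10.0, "hmi-1"), (19.5, "hmi-1")]
    for t_s, source, ok, reason in evaluate_close_commands(commands, 60.05, 60.0):
        verdict = "CLOSE" if ok else "BLOCKED"
        print(f"t={t_s:5.1f}s {source}: {verdict} ({reason})")
```

The second command in the built-in scenario lands almost exactly 180 degrees out of phase, the worst case for the machine, and is the one the interlock must refuse; the other two fall inside the window. The slip test is checked first so that a runaway machine is rejected even at an instant when its angle happens to line up.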

Sara Kendzior in Fast Company:

On June 13, 2017, Attorney General Jeff Sessions testified to the Senate Intelligence committee about Russian interference in the 2016 presidential election. After fielding hours of questions about his knowledge of the plot, Sessions was greeted by an abrupt change in topic from Senator John McCain. “Quietly, the Kremlin has been trying to map the United States telecommunications infrastructure,” McCain announced, and described a series of alarming moves, including Russian spies monitoring the fiber optic network in Kansas and Russia’s creation of “a cyber weapon that can disrupt the United States power grids and telecommunications infrastructure.”

When McCain asked if Sessions had a strategy to counter Russia’s attacks, Sessions admitted they did not.

In a normal year, McCain’s inquiries about documented, dangerous threats to U.S. infrastructure would have dominated the news. His concerns are well founded: in recent years, Ukraine’s power grid has been repeatedly hacked in what cybersecurity experts believe was part of a test run for the United States. Russian hackers have also hacked many centers of U.S. power, including the State Department, the White House, and everyone with a Yahoo email address in 2014, the Department of Defense in 2015, and, of course, the Democratic National Committee, Republican National Committee, state and local voter databases, and personal email accounts of various US officials in 2016.

In September, security firm Symantec said it had notified more than 100 energy companies in the U.S., Turkey, Switzerland, Afghanistan, and elsewhere about Dragonfly 2.0—a set of intrusions into industrial and energy-related companies suspected to originate in Russia. Using targeted phishing emails and compromised websites designed to capture users’ credentials, the hackers gained access in some cases not just to front-office networks but to “operational machines.” As a Symantec security analyst told Fast Company, “We’re talking about machines that are controlling elements that are plugged into the power grid.” A month later, the Dept. of Homeland Security and FBI warned critical infrastructure providers in nuclear, energy, and other key sectors about the ongoing attacks, noting that “threat actors are actively pursuing their ultimate objectives over a long-term campaign.”

Despite the increasing clarity and severity of Russia’s intentions, Trump said in July after a meeting at the G20 that he believes Vladimir Putin “that when he tells me [Russia didn’t carry out cyberattacks ahead of the U.S. election], he means it.” (He later stated “I am with our [intelligence] agencies, especially as currently constituted with the leadership.”) And while his administration has done little in response, he did offer to partner with our attackers. After the G20, Trump tweeted: “Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded.” Kremlin officials later verified that, yes, this actually happened.

While this plan has thankfully not come to fruition (that we know of), the fact that it was even floated showcases the fundamental obstacle in keeping U.S. infrastructure protected from foreign threats. Trump’s deference to the Kremlin–one of his few unwavering stances over the decades—remains even after years of Russian hacks, likely in part because Russian hacks helped put him into office.

As a result, Americans remain unprotected, and the true extent of Kremlin leverage over the U.S. government remains unknown. In August, a quarter of the president’s National Infrastructure Advisory Council quit their posts, saying that the president had devoted “insufficient attention” to cybersecurity threats to critical infrastructure. A report on Russian interference released this week by Senate Democrats highlighted “President Trump’s refusal to publicly acknowledge the threat posed by the Russian government,” and offers over 30 recommendations to protect the country’s elections and infrastructure, including new sanctions to punish states that initiate cyberattacks and an international summit meeting focused on such threats.

Though Trump signed an executive order vowing stronger cybersecurity in May, the administration did nothing substantial until December, when it released a document noting the threats to infrastructure and vaguely vowing that hackers from a number of countries–including China, North Korea, Iran, and Russia–will be defeated. Notably, in the document, elections were no longer counted as part of “critical infrastructure,” despite President Obama designating them as such shortly before he left office–another indicator that the Trump administration’s unwillingness to take on Russian hacks is marred by self-protection and partisanship.




2 Responses to “Russian Hackers Extend Feelers into Power Grid”

  1. And it wasn’t the US security that originally picked up on the hackers, it was the Europeans. You know the bods that were watching Cozy Bear and watched them hack the Dems and the State Department etc etc and warned the US.

    Every country’s security is testing other countries, especially their partners with whom they share critical information. Pity US systems are old as the GOP refused funds to upgrade; pork barrelling and looking after their funders was far more important, or maybe the brown paper bags were full of Roubles.
