Russian Hacking Campaign Targeting U.S. Electric Utilities
Homeland security officials said that individuals working for Russia are currently targeting electric utilities located in the United States.
The Department of Homeland Security told The Wall Street Journal that persons working for a state-sponsored hacking group called “Dragonfly” or “Energetic Bear” compromised “hundreds of victims” in 2017. They did so using spear-phishing techniques and watering hole attacks designed to steal users’ passwords. With those credentials, they gained access to the networks of suppliers of many U.S. electric utilities. They then stole information that allowed them to infiltrate the utilities themselves. Once inside, they reportedly had the ability to cause blackouts, meaning they would have had access to the control centers themselves.
“They got to the point where they could have thrown switches,” said Jonathan Homer, chief of industrial-control-system analysis for DHS.
But Robert M. Lee, CEO and Founder of the industrial cyber security company Dragos, Inc., said on Twitter that some of the language used by the DHS to describe the campaign is misleading.
And language such as “throwing switches” and noting it would cause “black outs” is in no way representative of what was seen in these intrusions. In these cases the adversary was taking screenshots of HMIs.
— Robert M. Lee (@RobertMLee) July 24, 2018
This isn’t the first time homeland security officials warned of Russian actors targeting power companies. In March 2018, DHS and the Federal Bureau of Investigation (FBI) publicly blamed Russia for attempting to hack U.S. energy infrastructure. They said that campaign also attempted to compromise suppliers’ networks before hacking into the power companies themselves.
Investigators cited by The Wall Street Journal said it’s unclear whether Dragonfly conducted this latest campaign in preparation for a larger attack. As a result, DHS said it intends to hold four briefings and look for any signs of the threat group automating its attacks.
Those officials said this campaign could still be ongoing.
In the meantime, Lee said it’s crucial that offensives such as this one receive the attention they deserve.
So in short, please take cyber threats to industrial infrastructure seriously. They are getting far more aggressive and numerous. But let’s not use word choices that mislead and hype up the issue. It’s bad enough without added fear.
— Robert M. Lee (@RobertMLee) July 24, 2018
Industrial organizations in particular should look to these campaigns and consider investing in a solution that lets them monitor their networks for signs of trouble.
Article Prepared by Ollala Corp