- The attackers targeted employees of third-party vendors to work their way up to larger power companies.
- "They got to the point where they could have thrown switches," officials said.
Russia-linked hackers managed to infiltrate the control rooms of US electric utilities in an ongoing campaign, potentially giving them the ability to cause blackouts, officials said. Department of Homeland Security (DHS) officials told the Wall Street Journal that hackers working for the state-sponsored hacking outfit known as Dragonfly or Energetic Bear were able to penetrate utilities' air-gapped or isolated networks by first hacking networks belonging to third-party vendors that had relationships with the power companies.
The attackers used conventional tools like spear-phishing emails and watering-hole attacks to trick targeted victims into divulging their login credentials. The stolen employee credentials were then used to infiltrate the vendors' corporate networks.
The hackers then shifted focus towards stealing credentials for direct access to the utility networks and gathering enough information about how those networks are configured, how the related equipment is used and how facility operations are controlled.
According to Jonathan Homer, chief of industrial-control-system analysis for DHS, the attackers aimed to blend in and disguise themselves as "the people who touch these systems on a daily basis" to evade detection.
Officials said the hackers were able to infiltrate networks to the point where they could have disrupted power service and even caused blackouts.
"They got to the point where they could have thrown switches," Homer said.
Officials said the campaign dates back to at least the spring of 2016 and is likely ongoing. It focuses on networks belonging to smaller commercial facilities, which likely have lax cybersecurity budgets and protocols, in order to gain access to larger energy companies, and it has already claimed "hundreds of victims" so far.
The DHS did not disclose which companies have been targeted and victimized by the hackers. However, officials noted that the firms may not know they have been compromised, since the attacks used legitimate employee credentials to gain access to the networks.
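Because the intrusions described above rode on valid vendor credentials, a plain "failed login" alert never fires; what defenders can look for instead is a legitimate account behaving unlike its owner. The following is an added example (not code from the article or from DHS) of that kind of check: it reads a constructed, simplified authentication log and flags successful logins by a vendor remote-access account that come from outside the vendor's known address range or outside the account's normal working hours. The log format, the account names, the address range and the business-hours window are all assumptions made for the example.

```python
"""Flag anomalous use of otherwise-valid vendor credentials in an auth log.

Added example, not from the original article. Assumed log format (one event per line):
    <ISO-8601 timestamp> <username> <source_ip> <SUCCESS|FAILURE>
"""
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). The last three vendor_tech
# events are the ones a defender would want to see.
SAMPLE_LOG = """\
2018-03-05T09:12:44 vendor_tech 10.20.0.15 SUCCESS
2018-03-06T10:03:01 vendor_tech 10.20.0.15 SUCCESS
2018-03-07T08:55:17 vendor_tech 10.20.0.16 SUCCESS
2018-03-08T02:41:09 vendor_tech 198.51.100.23 SUCCESS
2018-03-08T02:43:30 vendor_tech 198.51.100.23 SUCCESS
2018-03-08T11:20:00 ops_engineer 10.20.0.40 SUCCESS
"""

# Hypothetical baseline for the vendor account: the address range its remote
# sessions normally originate from, and the hours it is normally used.
VENDOR_BASELINE = {
    "vendor_tech": {
        "ranges": [ip_network("10.20.0.0/24")],
        "hours": range(7, 19),  # 07:00 through 18:59 local time
    },
}

Event = namedtuple("Event", "ts user src result")


def parse_log(text):
    """Parse the assumed log format into Event tuples; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip_address(src), result))
    return events


def find_anomalies(events, baseline=VENDOR_BASELINE):
    """Return (user, timestamp, source_ip, reasons) for successful logins by a
    baselined account that deviate from its known sources or hours."""
    findings = []
    for ev in events:
        profile = baseline.get(ev.user)
        if profile is None or ev.result != "SUCCESS":
            continue  # only successful use of monitored accounts is of interest
        reasons = []
        if not any(ev.src in net for net in profile["ranges"]):
            reasons.append("source outside known vendor range")
        if ev.ts.hour not in profile["hours"]:
            reasons.append("outside normal working hours")
        if reasons:
            findings.append((ev.user, ev.ts.isoformat(), str(ev.src), reasons))
    return findings


def analyze(text=SAMPLE_LOG):
    """Convenience entry point: parse the log text and return the findings."""
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for user, ts, src, reasons in analyze():
        print(f"{ts} {user} from {src}: {'; '.join(reasons)}")
```

The baseline here is hand-written; in practice it would be learned from a window of historical logins per account, and the same check should be applied to the vendor's own accounts on the utility side, since the article notes the stolen vendor credentials were the bridge into the utility networks.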
Uptick in critical infrastructure attacks
The newly disclosed details come as cyberattacks targeting critical infrastructure and utility companies have continued to ramp up in recent years. The DHS has been warning as far back as 2014 that the US electric grid is being targeted by Russian hackers.
In 2015 and 2016, Ukraine's electric grid suffered cyberattacks that led to massive outages across swathes of the country. The first-of-their-kind hacks represented a dangerous advancement in attacks targeting critical infrastructure and set a precedent for the security of power grids worldwide. Investigators accused Russia-based hackers of carrying out the Ukraine assault, while the Kremlin denied any involvement.