The Department of Homeland Security has formally accused Russian government hackers of a massive, sophisticated, and multipronged attempt to infiltrate the US power grid.
The campaign began as early as 2016, according to a technical alert that the Trump administration made reference to Thursday in a Treasury Department statement about new Russian sanctions.
The alert did not name the nuclear and critical-manufacturing organizations it said the hackers had targeted. But it did attribute those attacks to Russia — at first.
The DHS alert was released as Treasury Secretary Steven Mnuchin was announcing new sanctions against 19 Russians allegedly involved in cyberattacks on the US, including 13 whom special counsel Robert Mueller indicted last month for meddling in the 2016 election. The DHS alert was intended to complement the sanctions, Mnuchin said.
DHS’s Computer Emergency Readiness Team, known as US-CERT, regularly issues technical warnings describing the details of ongoing or recent attacks and how best to guard against them, and it had done so in October about these attacks. But Thursday's alert was highly unusual because it blamed a foreign adversary.
“It’s a very good report. It’s well-written — a lot of good technical information, but for the energy community, there’s really nothing new here,” said Sergio Caltagirone, director of threat intelligence at Dragos, a cybersecurity company that had previously published extensive technical details about the attacks, though per company policy did not attribute them to foreign governments.
“The really key element here that’s good is US-CERT has detailed publicly the operations the adversary did to gain initial access to the network,” he said.
A primary way the Russian hackers operated, the report says, was via “watering hole” attacks: compromising the websites of third-party companies involved in the energy industry, such as software vendors or trade publications, and using those trusted relationships to get into the networks of the real targets.
"In order to gain access to these control systems, you generally need to compromise an engineer with the credentials necessary to get there," Caltagirone said.
The idea of a foreign government taking down the US power grid with a cyberattack is a particularly scary subject for many federal officials.
In 2016, in one of the rare times that the Department of Justice has indicted foreign government hackers unlikely to ever see a US jail — a tactic known as “name and shame” — it accused an Iranian government contractor, Hamid Firoozi, of gaining access to the controls of the Bowman Dam in Rye, New York. That indictment was in part spurred by the government’s desire to send a strong message to anyone thinking of compromising the US power grid, according to a former Obama senior official.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.