The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) jointly issued an alert last March that Russian cyber hackers had gained access to U.S. critical infrastructure and could have (but didn’t) shut down vital systems such as the power grid.
The full magnitude of the operation wasn’t known at the time. Despite U.S. intelligence knowing since 2015 that state-sponsored Russian hackers were targeting critical infrastructure facilities, the official confirmation carried significant weight because it didn’t occur behind closed doors in a classified situation. Still, not much was known other than it appeared to be a reconnaissance mission to gather information and not disable operations, at least yet.
That Was Huge
Now DHS is warning that the infiltration is much larger than first thought. Russian hackers invaded the industrial control systems (ICS) of hundreds of U.S. utilities last year, rather than the the few dozen earlier believed, the Wall Street Journal reported this week.
Officials surmise it is the work of state-sponsored DragonFly or Energetic Bear hackers but that’s no surprise. Security provider Symantec had six months earlier picked up signs that Dragonfly may be preparing to launch new cyberattacks against energy companies, utilities and power grids in Europe and North America.
So far, the DHS has not identified the targets, according to the account. Jonathan Homer, chief of ICS for the DHS, told the Journal that the hackers “could have thrown switches.” That they didn't may be just as ominous as if they had.
How’d they get in? The easy way, as it turns out, slipping in through third-party vendors’ less secure, isolated networks that they’d infected with malware and scorched with spear phishing attacks. Some people might say it’s becoming the door of choice.
There’s another important part of DHS’ disclosures -- sharing threat information not only with other agencies but also with private industry -- hoping for cooperation and collaboration. What’s important to the DHS, aside from the incidents themselves, is the nature of the infections and if the Russians are able to skirt security upgrades, the Journal said. In that case, hundreds of heads are better than a few.
“You’re seeing an uptick in the way government is sharing threats and vulnerabilities,” Scott Aaronson, a cybersecurity expert for the utility trade group Edison Electric Institute, told the Journal. Information sharing has gotten much better since the Dragonfly attacks began, he said. DHS is also worried that the Russians may be automating their cyber attacks to scale, which might signal a spike in activity, the report said.
There’s some data that suggests that energy organizations and engineering and ICS integration businesses are ill-prepared to stave off cyber attacks. While more attacks hit those operations, hacks on construction facilities increased the most during the second half of 2017 as compared to the prior six months, according to a recent Kaspersky report. Some 31 percent of ICS computers in the construction industry were attacked.