Are Russian hackers going to turn off the lights?

By Iren Moroz shutterstock ID 566799760 

The victims of an ongoing, long-running Russian-backed hacking campaign against infrastructure providers, including electric companies, number in the "hundreds," but immediate electrical blackouts resulting from the hacks to the grid are not in the cards, at least not in the short term, according to DHS officials.

The Wall Street Journal reported July 23 that Jonathan Homer, chief of industrial control system analysis at the Department of Homeland Security said in an industry briefing that Russian hackers had claimed "hundreds of victims" in a sustained campaign last summer aimed at infiltrating industrial control systems of U.S. critical infrastructure providers.

The incursions, Homer claimed, could have resulted in ICS equipment being manipulated into disrupting electrical power flows. The hackers mined confidential information from ICS support vendors to possibly leverage it to gain access to infrastructure equipment, he said.

"They got to the point where they could have thrown switches," Homer said, according to the article.

Following the report, a DHS official clarified to FCW that power outages weren't in the cards with the incursions.

"While hundreds of energy and non-energy companies were targeted," said DHS spokesperson Lesley Fulop in a statement to FCW, "the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline."

The information was presented during a DHS National Cybersecurity and Communications Integration Center webinar on July 24. The webinar is the first of a series of four announced in mid-July by NCCIC.

NCCIC said it is holding the online panels to provide information on cybersecurity incidents, mitigation techniques and resources to help protect critical assets.

"Over the course of the past year as we continued to investigate the activity, we learned additional information which would be helpful to industry in defending against this threat. We will continue our strong public-private partnership and remain vigilant in defending critical infrastructure," Fulop said.

According to the report, DHS officials said in the briefing the hackers worked for the Russian-backed "Dragonfly" or "Energetic Bear" groups that the agency had singled out years ago in a warning of the targeted cyberattack campaign.

In 2014, the agency sounded the alarm on an "ICS-focused malware campaign" that wielded a multi-pronged assault on critical infrastructure providers. In that warning, DHS' Industrial Control Systems Cyber Emergency Response Team said the campaign infected industrial control systems sold by three vendors.

This past March, the Trump administration imposed sanctions against Russian intelligence agencies and individuals and named Russia as the sponsor of Dragonfly.

One ICS cybersecurity expert was critical of the characterization of the probes as threatening electric grid blackouts.

"The DHS has done a great job amplifying what was previously identified by the private sector and adding their own information. This relates to activity already previously communicated to the electric community but highlighting ongoing risk," said Robert Lee, CEO and co-founder of ICS cybersecurity company Dragos, Inc. in an email statement to FCW.

"However, the messaging in the WSJ article around 'throwing switches' and causing 'blackouts' is misleading on the impact of the targeting that took place," said Lee, who has testified before Congress on ICS cybersecurity.

Lee called the latest reports of nefarious activity "incredibly concerning," but he said "imminent blackouts are not representative of what happened, which was more akin to reconnaissance into sensitive networks."

"It's unfortunately the type that could lead to attacks later and is alarming, but it represents the beginning of the adversary effort not the end," he said.

Lee noted in a Twitter thread that getting access to the system and hijacking infrastructure processes through that access is not easy.

The two require two different knowledge and skill sets, he said, with one focused on getting in and the other focused on the intricacies of the infrastructure's processes.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

  • Management
    shutterstock image By enzozo; photo ID: 319763930

    Where does the TMF Board go from here?

    With a $1 billion cash infusion, relaxed repayment guidelines and a surge in proposals from federal agencies, questions have been raised about whether the board overseeing the Technology Modernization Fund has been scaled to cope with its newfound popularity.

Stay Connected