How hackers are going after the energy grid

Shutterstock photo ID: 200726867 By chuyuss 

The Russian cyberattack that targeted hundreds of corporate and federal victims in a campaign to access energy critical infrastructure providers was, and is, backed by extensive legwork by human intruders, according to a top Department of Homeland Security analyst.

The attackers infiltrated the networks and control systems of "quite a number" of energy infrastructure providers last summer by leveraging the trusted electronic identities of victims targeted in a stealthy spearphishing and watering hole campaign between 2016 and 2017, according to Jonathan Homer, chief of industrial control system analysis at DHS.

DHS walked back published reports that the hackers were close to being able to actually take control of infrastructure targets.

In a webcast describing the tactics used, Homer described a patient, diligent set of human attackers willing to wait a year before activating at least one compromised vendor's network to begin trying to work its way into its primary critical infrastructure company target. Humans at keyboards were used, instead of relying on data scraping and other automated techniques.

The details come from the second DHS National Cybersecurity and Communications Integration Center webcast on "Russian Activity Against Critical Infrastructure" on July 25. The NCCIC is conducting four webcasts on the attacks, with the same content, to spread the word on the novel techniques used to gain operations-level access to critical infrastructure providers' industrial control systems.

Although the campaign has been attributed to the Russian-backed "Energetic Bear" groups, Homer declined to answer a question about the specific identity of the Russian group involved in the campaign during the July 25 webcast.

The attackers, said Homer, didn't come at infrastructure providers directly, but hijacked electronic credentials of trusted organizations, such as vendors and even a government agency, to get into critical infrastructure networks where they then stole credentials of employees there to move further into that network.

Homer didn't name the government agency targeted with initial spearphishing emails. The identities leveraged by the attackers to get into the target critical infrastructure providers didn't really matter to the attackers, he said, only their pre-existing relationship with the infrastructure provider. The agency, he said, reported the questionable traffic to DHS, however.

Once the threat actors were in critical infrastructure networks, they needed to get up to speed on how the infrastructure worked. They targeted and stole the electronic credentials of technicians and operational personnel, as well as technical data and operational schematics of industrial processes.

They also leveraged online digital photos of seemingly benign corporate events, such as ribbon cuttings, or photos of executives, but only those photos that included actual industrial equipment or systems in the background, according to Homer.

Those infrastructure schematics and details from publicly available sources were critical for attackers to understand the intricacies of how to manipulate a particular system, since industrial control systems are highly individual and can vary tremendously from site to site.

Ultimately, said Homer, no infrastructure was actually manipulated in the campaign.

The campaign is apparently ongoing, since Homer warned his audience to let DHS know if they see similar tactics, such as remote server message block attacks or attempts to get into the system via virtual private networks.

He also advised companies to scrutinize the contact on their trusted "whitelist" of acceptable traffic to limit any threat actor's access to credentials that are automatically accepted by networks.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected