U.S. officials say Russian government hackers have penetrated energy and nuclear company business networks

By Ellen Nakashima

July 9, 2017 at 12:23 PM

The National Security Agency campus in Fort Meade, Md. (Patrick Semansky/AP)

Russian government hackers were behind recent cyber-intrusions into the business systems of U.S. nuclear power and other energy companies in what appears to be an effort to assess their networks, according to U.S. government officials.

The U.S. officials said there is no evidence the hackers breached or disrupted the core systems controlling operations at the plants, so the public was not at risk. Rather, they said, the hackers broke into systems dealing with business and administrative tasks, such as personnel.

At the end of June, the FBI and the Department of Homeland Security sent a joint alert to the energy sector stating that "advanced, persistent threat actors" — a euphemism for sophisticated foreign hackers — were stealing network log-in and password information to gain a foothold in company networks. The agencies did not name Russia.

The campaign marks the first time Russian government hackers are known to have wormed their way into the networks of American nuclear power companies, several U.S. and industry officials said. And the penetration could be a sign that Russia is seeking to lay the groundwork for more damaging hacks.

The National Security Agency has detected specific activity by the Russian spy agency, the FSB, targeting the energy firms, according to two officials. The NSA declined to comment. The intrusions have been previously reported but not the attribution to Russia by U.S. officials.

The joint alert from the FBI and DHS, first reported by Reuters on June 30, said the hackers have been targeting the industry since at least May. Several days earlier, E & E News, an energy trade publication, had reported that U.S. authorities were investigating cyber-intrusions affecting multiple nuclear-power-generation sites.

The malicious activity comes as President Trump and Russian President Vladimir Putin on Friday acknowledged "the challenges of cyberthreats" and "agreed to explore creating a framework" to better deal with them, including those that harm critical infrastructure such as nuclear energy, according to Secretary of State Rex Tillerson in remarks to reporters. On Saturday, Putin told reporters that he and Trump agreed to set up a working group "on the subject of jointly controlling security in cyberspace."

The Russian government, which is the United States' top adversary in cyberspace, targeted U.S. infrastructure in a wide-ranging campaign in 2014.

Moscow has demonstrated how much damage it can do in other countries when it goes after energy systems.

In December 2015, Russian hackers disrupted the electric system in Ukraine, plunging 225,000 customers into darkness. Last December, they tested a new cyberweapon in Kiev, the Ukrainian capital, capable of disrupting power grids around the world.

The recent activity follows the U.S. intelligence community's conclusion that the Kremlin was behind a campaign to interfere with the 2016 election through hacking and information warfare. Putin has denied such meddling.

The working group that is being set up will also address "how to prevent interference in the domestic affairs of foreign states, primarily in Russia and the U.S.," Putin said.

The U.S. officials all stressed that the latest intrusions did not affect systems that control the production of nuclear or electric power.

"There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks," the DHS and FBI said in a joint statement Friday.

One nuclear power company that was penetrated, Wolf Creek Nuclear Operating Corp. in Kansas, issued a statement saying that "there has been absolutely no operational impact to Wolf Creek." The reason is that the plant's operational computer systems are completely separate from the corporate network, spokeswoman Jenny Hageman said. "The safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the Internet," she said.

In general, the nation's 100 or so commercial nuclear power plants are safer from cyberattack than other energy plants because they isolate their control systems from the open Internet, said Bill Gross, director of incident preparedness at the Nuclear Energy Institute.

According to U.S. officials, fewer than a dozen energy companies, including several nuclear energy firms, were affected by the latest Russian cyber-reconnaissance campaign.

While nuclear-power companies are fairly well protected, electric-power plants are less so, experts said.

"It's a plausible scenario that the adversaries in electric power business networks could pivot to the industrial networks," said Robert M. Lee, founder and chief executive of Dragos, a cyberfirm that focuses on industrial control systems. "But it's still not a trivial matter to compromise the industrial systems."

Dragos last month issued a report analyzing a new Russian cyberweapon that can disrupt electric power grids. Dubbed CrashOverride, the malware is known to have affected only one energy system — in Ukraine in December. But with modifications, it could be deployed against U.S. electric grids, Dragos concluded.

While the current campaign shows no signs — at least not yet — of disrupting the companies' operations, it is not clear what the adversary's true motive is, officials said.

The same actor has also targeted energy and other critical sector firms in Turkey and Ireland, said John Hultquist, director of intelligence analysis at FireEye, a cyberthreat-intelligence firm. He added that the firm has found evidence that the adversary has been hacking into global energy firms since at least 2015.

In their alert, the DHS and FBI stated that the hackers are using spearphishing emails and "watering hole" techniques to ensnare victims. A spearphish targets a user with an authentic-looking email that contains attachments or links embedded with malware. In this case, the hackers often used Microsoft Word attachments that appeared to be legitimate résumés from job applicants, the agencies said. In a watering-hole attack, an unsuspecting victim navigates to a website laced with malware, infecting his or her computer. In both cases, the adversary sought to collect victims' log-in and password data so that they could sneak in and poke around.

Galina Antova, co-founder of the cyberfirm Claroty, said: "There's no need for hype and hysteria, but this is an issue that should be taken seriously because of the state of the industrial networks" — in particular the non-nuclear systems.

The current cyber-campaign, dubbed Palmetto Fusion by the government, is significant as a warning, officials said. "It signals an ability to get into a system and potentially have a continued presence there, which at a future date, at someone else's determination, might be exploited to have an effect" that could be particularly disruptive.

David Filipov and Damian Paletta in Hamburg contributed to this report.


Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.
