Russian government hackers were behind recent cyber-intrusions into the business systems of U.S. nuclear power and other energy companies in what appears to be an effort to assess their networks, according to U.S. government officials.
The U.S. officials said there is no evidence the hackers breached or disrupted the core systems controlling operations at the plants, so the public was not at risk. Rather, they said, the hackers broke into systems dealing with business and administrative tasks, such as personnel.
At the end of June, the FBI and the Department of Homeland Security sent a joint alert to the energy sector stating that “advanced, persistent threat actors” — a euphemism for sophisticated foreign hackers — were stealing network log-in and password information to gain a foothold in company networks. The agencies did not name Russia.
The campaign marks the first time Russian government hackers are known to have wormed their way into the networks of American nuclear power companies, several U.S. and industry officials said. And the penetration could be a sign that Russia is seeking to lay the groundwork for more damaging hacks.
The National Security Agency has detected specific activity by the Russian spy agency, the FSB, targeting the energy firms, according to two officials. The NSA declined to comment. The intrusions have been previously reported but not the attribution to Russia by U.S. officials.
The joint alert from the FBI and DHS, first reported by Reuters on June 30, said the hackers have been targeting the industry since at least May. Several days earlier, E & E News, an energy trade publication, had reported that U.S. authorities were investigating cyber-intrusions affecting multiple nuclear-power-generation sites.
The malicious activity comes as President Trump and Russian President Vladimir Putin on Friday acknowledged “the challenges of cyberthreats” and “agreed to explore creating a framework” to better deal with them, including those that harm critical infrastructure such as nuclear energy, according to Secretary of State Rex Tillerson in remarks to reporters. On Saturday, Putin told reporters that he and Trump agreed to set up a working group “on the subject of jointly controlling security in cyberspace.”
The Russian government, which is the United States’ top adversary in cyberspace, targeted U.S. infrastructure in a wide-ranging campaign in 2014.
Moscow has demonstrated how much damage it can do in other countries when it goes after energy systems.
In December 2015, Russian hackers disrupted the electric system in Ukraine, plunging 225,000 customers into darkness. Last December, they tested a new cyberweapon in Kiev, the Ukrainian capital, capable of disrupting power grids around the world.
The recent activity follows the U.S. intelligence community’s conclusion that the Kremlin was behind a campaign to interfere with the 2016 election through hacking and information warfare. Putin has denied such meddling.
The working group that is being set up will also address “how to prevent interference in the domestic affairs of foreign states, primarily in Russia and the U.S.,” Putin said.
The U.S. officials all stressed that the latest intrusions did not affect systems that control the production of nuclear or electric power.
“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” the DHS and FBI said in a joint statement Friday.
One nuclear power company that was penetrated, Wolf Creek Nuclear Operating Corp. in Kansas, issued a statement saying that “there has been absolutely no operational impact to Wolf Creek.” The reason is that the plant’s operational computer systems are completely separate from the corporate network, spokeswoman Jenny Hageman said. “The safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the Internet,” she said.
In general, the nation’s 100 or so commercial nuclear power plants are safer from cyberattack than other energy plants because they isolate their control systems from the open Internet, said Bill Gross, director of incident preparedness at the Nuclear Energy Institute.
According to U.S. officials, fewer than a dozen energy companies, including several nuclear energy firms, were affected by the latest Russian cyber-reconnaissance campaign.
While nuclear-power companies are fairly well protected, electric-power plants are less so, experts said.
“It’s a plausible scenario that the adversaries in electric power business networks could pivot to the industrial networks,” said Robert M. Lee, founder and chief executive of Dragos, a cyberfirm that focuses on industrial control systems. “But it’s still not a trivial matter to compromise the industrial systems.”
Dragos last month issued a report analyzing a new Russian cyberweapon that can disrupt electric power grids. Dubbed CrashOverride, the malware is known to have affected only one energy system — in Ukraine in December. But with modifications, it could be deployed against U.S. electric grids, Dragos concluded.
While the current campaign shows no signs — at least not yet — of disrupting the companies’ operations, it is not clear what the adversary’s true motive is, officials said.
“In some sense, this could be significant if this is precursor planning,” said one U.S. official, who like others interviewed spoke on the condition of anonymity to discuss a sensitive topic. “That’s what all cyber bad guys do. They do reconnaissance and they try to establish a presence and maintain access. This in my mind was a reconnaissance effort — to scope things out and figure out” points of entry.
The same actor has also targeted energy and other critical sector firms in Turkey and Ireland, said John Hultquist, director of intelligence analysis at FireEye, a cyberthreat-intelligence firm. He added that the firm has found evidence that the adversary has been hacking into global energy firms since at least 2015.
In their alert, the DHS and FBI stated that the hackers are using spearphishing emails and “watering hole” techniques to ensnare victims. A spearphish targets a user with an authentic-looking email that contains attachments or links embedded with malware. In this case, the hackers often used Microsoft Word attachments that appeared to be legitimate résumés from job applicants, the agencies said. In a watering-hole attack, an unsuspecting victim navigates to a website laced with malware, infecting his or her computer. In both cases, the adversary sought to collect victims’ log-in and password data so that they could sneak into the network and poke around.
Galina Antova, co-founder of the cyberfirm Claroty, said: “There’s no need for hype and hysteria, but this is an issue that should be taken seriously because of the state of the industrial networks” — in particular the non-nuclear systems.
The current cyber-campaign, dubbed Palmetto Fusion by the government, is significant as a warning, officials said. “It signals an ability to get into a system and potentially have a continued presence there, which at a future date, at someone else’s determination, might be exploited to have an effect” that could be particularly disruptive.
David Filipov and Damian Paletta in Hamburg contributed to this report.