Russian Hackers Haven’t Stopped Probing the US Power Grid


Source: Wired: LILY HAY NEWMAN 11.28.18

In recent years, hacks against the power grid have gone from a mostly theoretical risk to a real-world problem. Two large-scale blackouts in Ukraine caused by Russian cyberattacks in 2015 and 2016 showed just how feasible it is. But grid hacking comes in less dramatic forms as well—which makes Russia’s continued probing of US critical infrastructure all the more alarming.

At the CyberwarCon forum in Washington, DC on Wednesday, researchers from threat intelligence firm FireEye noted that while the US grid is relatively well-defended, and difficult to hit with a full-scale cyberattack, Russian actors have nonetheless continued to benefit from their ongoing vetting campaign.

“There’s still a concentrated Russian cyber espionage campaign targeting the bulk of the US electrical grid,” says FireEye analyst Alex Orleans. “The grid is still getting hit.”

FireEye calls the Russia-linked hacking group that has been targeting the US grid “TEMP.Isotope.” It’s also known as Dragonfly 2.0, or Energetic Bear. The group mostly uses generic hacking tools and techniques created by other actors—a strategy known as “living off the land”—to minimize development time and costs, while also making it harder to identify and track its movements. But TEMP.Isotope has also created at least one custom system backdoor, and often uses spearphishing and infected websites to compromise targets. And the group has brought these tools to bear against the US grid in a patient and methodical way.

US infrastructure does have some advantages here. In the wake of the massive 2003 Northeastern blackout, utilities implemented resilience and defense standards known as the North American Electric Reliability Corporation Critical Infrastructure Protection requirements, more digestibly referred to as NERC CIP. These created minimum baselines for defending against and dealing with natural disasters, but also promoted best practices for network defense, including two-factor authentication, network segmentation, data storage protections, and strict access controls for both network owners and third-parties.

All of these protections combined have hardened electricity generation and transmission systems against attack. But not all segments of the grid are held to those standards. Distribution entities, which often subcontract with larger organizations to deliver power locally, often lack adequate resources and defenses. And while hackers may have a harder time fully compromising more formidable targets, they can still achieve many of their goals through persistent probing.

In many ways, TEMP.Isotope’s actions are in the interest not of triggering large-scale blackouts, but of traditional intelligence-gathering. The group seems to deliver information that can be used both to expand Russian energy capabilities and to vet US systems for weaknesses that could potentially be exploited in attacks. But the FireEye researchers point out that the canvassing also serves other more subtly aggressive counterintelligence goals as well.

“All of this threat activity you see from actors like Isotope requires defensive responses from incident responders, threat intelligence within a given organization, all the way up to potentially governments,” Orleans says. “So you have this ripple upward and outward. And this counterintelligence is for the purpose of frustrating your adversary. Utilities are the adversary for active threat Isotope, so wearing them down through activity, creating anxiety, fulfills what is in counterintelligence terminology known as ‘degradation.’”

If you can sow discord, confusion, and fatigue, you can attack an adversary by frustrating them rather than by masterminding an all-out physical assault. And though grid hacking may not have yet reached a boiling point in the US, the FireEye researchers warn that consistent probing should be taken as seriously as dramatic attacks. This is particularly true given that the security community has seen hints over the years of potential US grid probing activity from other countries as well, including Iran and North Korea.


For now, though, the FireEye researchers say Russian state-sponsored hackers are the ones to watch in the US grid. “The most consistent people are likely the Russians,” Orleans says. “And I also think we likely haven’t fully uncovered the extent to which they have gotten into the wires.”

Read full article at Wired …


Richard Spangenberg

About the Author: Richard Spangenberg, CEO and Executive Director of Digital Directorship & board member at several companies, is a senior c-suite level executive, innovative strategic marketing leader, and digital/big data/AI specialist familiar with digital transformation, cybersecurity, startups, and social media integration to existing programs.