U.S. faults Russia in energy firm hackings

Cyber-intrusions said to have penetrated business systems of nuclear plants

The Washington Post Sunday - FRONT PAGE - BY ELLEN NAKASHIMA

Russian government hackers were behind recent cyber-intrusions into the business systems of U.S. nuclear power and other energy companies in what appears to be an effort to assess their networks, according to U.S. government officials.

The U.S. officials said there is no evidence the hackers breached or disrupted the core systems controlling operations at the plants, so the public was not at risk. Rather, they said, the hackers broke into systems dealing with business and administrative tasks, such as personnel.

At the end of June, the FBI and the Department of Homeland Security sent a joint alert to the energy sector stating that “advanced, persistent threat actors” — a euphemism for sophisticated foreign hackers — were stealing network log-in and password information to gain a foothold in company networks. The agencies did not name Russia.

The campaign marks the first time Russian government hackers are known to have wormed their way into the networks of American nuclear power companies, several U.S. and industry officials said. And the penetration could be a sign that Russia is seeking to lay the groundwork for more damaging hacks.

The National Security Agency has detected specific activity by the Russian spy agency, the FSB, targeting the energy firms, according to two officials. The NSA declined to comment. The intrusions have been previously reported but not the attribution to Russia by U.S. officials.

The joint alert from the FBI and DHS, first reported by Reuters on June 30, said the hackers have been targeting the industry since at least May. Several days earlier, E & E News, an energy trade publication, had reported that U.S. authorities were investigating cyber-intrusions affecting multiple nuclear-power-generation sites.

The malicious activity comes as President Trump and Russian President Vladimir Putin on Friday acknowledged “the challenges of cyberthreats” and “agreed to explore creating a framework” to better deal with them, including those that harm critical infrastructure such as nuclear energy, according to Secretary of State Rex Tillerson in remarks to reporters. On Saturday, Putin told reporters that he and Trump agreed to set up a working group “on the subject of jointly controlling security in cyberspace.”

The Russian government, which is the United States’ top adversary in cyberspace, targeted U.S. infrastructure in a wide-ranging campaign in 2014.

Moscow has demonstrated how much damage it can do in other countries when it goes after energy systems.

In December 2015, Russian hackers disrupted the electric system in Ukraine, plunging 225,000 customers into darkness. Last December, they tested a new cyberweapon in Kiev, the Ukrainian capital, capable of disrupting power grids around the world.

The recent activity follows the U.S. intelligence community’s conclusion that the Kremlin was behind a campaign to interfere with the 2016 election through hacking and information warfare. Putin has denied such meddling.

The working group that is being set up will also address “how to prevent interference in the domestic affairs of foreign states, primarily in Russia and the U.S.,” Putin said.

The U.S. officials all stressed that the latest intrusions did not affect systems that control the production of nuclear or electric power.

“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” the DHS and FBI said in a joint statement Friday.

One nuclear power company that was penetrated, Wolf Creek Nuclear Operating Corp. in Kansas, issued a statement saying that “there has been absolutely no operational impact to Wolf Creek.” The reason is that the plant’s operational computer systems are completely separate from the corporate network, spokeswoman Jenny Hageman said. “The safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the Internet,” she said.

In general, the nation’s 100 or so commercial nuclear power plants are safer from cyberattack than other energy plants because they isolate their control systems from the open Internet, said Bill Gross, director of incident preparedness at the Nuclear Energy Institute.

According to U.S. officials, fewer than a dozen energy companies, including several nuclear energy firms, were affected by the latest Russian cyber-reconnaissance campaign.

While nuclear-power companies are fairly well protected, electric-power plants are less so, experts said.

“It’s a plausible scenario that the adversaries in electric power business networks could pivot to the industrial networks,” said Robert M. Lee, founder and chief executive of Dragos, a cyberfirm that focuses on industrial control systems. “But it’s still not a trivial matter to compromise the industrial systems.”

Dragos last month issued a report analyzing a new Russian cyberweapon that can disrupt electric power grids. Dubbed CrashOverride, the malware is known to have affected only one energy system — in Ukraine in December. But with modifications, it could be deployed against U.S. electric grids, Dragos concluded.

While the current campaign shows no signs — at least not yet — of disrupting the companies’ operations, it is not clear what the adversary’s true motive is, officials said.

The same actor has also targeted energy and other critical sector firms in Turkey and Ireland, said John Hultquist, director of intelligence analysis at FireEye, a cyberthreat-intelligence firm. He added that the firm has found evidence that the adversary has been hacking into global energy firms since at least 2015.

In their alert, the DHS and FBI stated that the hackers are using spearphishing emails and “watering hole” techniques to ensnare victims. A spearphish targets a user with an authentic-looking email that contains attachments or links embedded with malware. In this case, the hackers often used Microsoft Word attachments that appeared to be legitimate résumés from job applicants, the agencies said. In a watering-hole attack, an unsuspecting victim navigates to a website laced with malware, infecting his or her computer. In both cases, the adversary sought to collect victims’ log-in and password data so that they could sneak in and poke around.

Galina Antova, co-founder of the cyberfirm Claroty, said: “There’s no need for hype and hysteria, but this is an issue that should be taken seriously because of the state of the industrial networks” — in particular the non-nuclear systems.

The current cyber-campaign, dubbed Palmetto Fusion by the government, is significant as a warning, officials said. “It signals an ability to get into a system and potentially have a continued presence there, which at a future date, at someone else’s determination, might be exploited to have an effect” that could be particularly disruptive.
