Amid coverage of Russia’s involvement in the 2016 presidential election, more news of nefarious Russian cyber activity has come to light. This time, a Russian campaign to infiltrate U.S. power and infrastructure sectors gained access to and observed these organizations for an undetermined amount of time.
In a joint technical alert released on March 15, 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) revealed that, since at least March 2016, Russian government cyber actors had targeted U.S. government entities and critical infrastructure organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.
The alert does not name the organizations that were attacked. Affected companies are allowed to remain anonymous so that they can share details of intrusions with the government and with one another without fear that public disclosure would alarm investors or customers.
According to the report, the attacks were not random. To reach their victims' networks, the attackers used well-known techniques in a multistage campaign, first compromising smaller companies' networks and using them as staging points on the way to their intended targets: the computers and networks of American power plants and other infrastructure operators.
First, the attackers went after smaller, less well-defended companies that already had a relationship with the intended target, such as a parts manufacturer or a software vendor the plant uses. Once inside those networks, they used the trusted, legitimate-looking accounts and websites of these staging targets to approach the primary targets.
In some instances the attackers used "spearphishing": targeted emails sent from a compromised account of a trusted partner, crafted to get a specific recipient to hand over credentials or other confidential information. In another method, "waterholing," the intruders compromised websites that people in the energy industry regularly visit and modified them to harvest visitors' credentials, such as logins and passwords. Other emails carried Word documents containing links; clicking them ran code that gave the attackers a foothold on the recipient's computer.
Once the attackers had access to power plant and other infrastructure networks, they created local administrator accounts (which gave them the permissions needed to install programs and make other changes on those systems), then installed malware and took steps to conceal their activity, so the intrusion would not be noticed.
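The creation of a local account followed shortly by its addition to the local Administrators group is the kind of host-level activity a defender can look for. The following is an added example, not code from the alert or from any affected organization: it correlates constructed Windows Security events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) and flags additions to BUILTIN\Administrators. The sample events, host names, account names and the 24-hour correlation window are assumptions for illustration.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample events (not from the alert): a few fields taken from
# Windows Security events 4720 (account created) and 4732 (member added to a
# security-enabled local group). Real 4732 events usually carry the member as
# a SID in MemberSid; this sample assumes it has already been resolved to a
# name, which is what a SIEM normalization step would do.
SAMPLE_EVENTS = [
    {"time": "2018-03-10T02:14:05", "event_id": 4720, "host": "hmi-01",
     "target_user": "svc_backup", "subject_user": "jdoe"},
    {"time": "2018-03-10T02:14:09", "event_id": 4732, "host": "hmi-01",
     "member": "svc_backup", "group_sid": "S-1-5-32-544", "subject_user": "jdoe"},
    {"time": "2018-03-10T09:00:00", "event_id": 4720, "host": "eng-ws-07",
     "target_user": "contractor2", "subject_user": "helpdesk"},
    # Added to BUILTIN\Users (S-1-5-32-545), not Administrators: benign here.
    {"time": "2018-03-10T09:01:30", "event_id": 4732, "host": "eng-ws-07",
     "member": "contractor2", "group_sid": "S-1-5-32-545", "subject_user": "helpdesk"},
    # Promoted on a host where no recent 4720 exists for that account.
    {"time": "2018-03-11T03:30:00", "event_id": 4732, "host": "hmi-02",
     "member": "svc_backup", "group_sid": "S-1-5-32-544", "subject_user": "jdoe"},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_local_admin_grants(events, window=timedelta(hours=24)):
    """Return one finding per addition to the local Administrators group.

    A grant to an account created on the same host within `window` beforehand
    is reported as 'new-account-promoted', the pattern the alert describes.
    Any other grant is reported as 'existing-account-promoted' so it can be
    checked against change records rather than ignored.
    """
    ordered = sorted(events, key=lambda e: _parse_time(e["time"]))
    created = {}  # (host, lowercase user) -> time of the most recent 4720
    findings = []
    for event in ordered:
        when = _parse_time(event["time"])
        if event["event_id"] == 4720:
            created[(event["host"], event["target_user"].lower())] = when
        elif event["event_id"] == 4732 and event["group_sid"] == ADMINISTRATORS_SID:
            born = created.get((event["host"], event["member"].lower()))
            if born is not None and timedelta(0) <= when - born <= window:
                kind = "new-account-promoted"
            else:
                kind = "existing-account-promoted"
            findings.append({
                "kind": kind,
                "host": event["host"],
                "account": event["member"],
                "by": event["subject_user"],
                "time": event["time"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_local_admin_grants(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the function reports the svc_backup promotion on hmi-01 as a new account made administrator within the window, reports the later grant on hmi-02 as an existing account being promoted, and ignores the contractor2 addition to the Users group. The correlation key includes the host name on purpose: a local account on one machine is unrelated to a same-named local account on another, which is exactly the case the hmi-02 event exercises.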
The report states that from this point the attackers primarily collected information: they captured screenshots, recorded details about the computers and the systems they were connected to, and saved information about user accounts. It does not say whether the attackers were able to affect how the plants generated power.