As the world watched highly skilled hackers take down power grids in Ukraine twice in two years, cybersecurity analysts reached the growing consensus that Russian hackers may be using the country as a testing ground for attacks they'll someday try on the United States. On Thursday, when news emerged that hackers have indeed been targeting American electric utilities—including a Kansas nuclear facility—it seemed possible that day had arrived. But it's worth noting there's a big difference between infecting a few energy companies' Windows machines with malware and grabbing the controls of a nuclear power plant.
The FBI and the Department of Homeland Security have been scrambling to help multiple US energy firms and manufacturing plants fight off intrusions from hackers, according to reports Thursday evening from the New York Times and Bloomberg. Most worryingly, the targets of those attacks have included the Wolf Creek nuclear power plant near Burlington, Kansas, raising fears of an attack that could not only cause widespread electric outages but potentially disable nuclear safety systems.
But as disturbing as the words "hack" and "nuclear" appearing in the same sentence may be, it's important to step back. The severity of any industrial control system attack depends on whether hackers managed to breach not only its traditional computer systems, but also the far more obscure, less internet-connected systems that actually manipulate its physical equipment. So far it's not clear how many of the hackers' targets were breached at all, let alone whether there is any evidence that the attackers reached the targets' actual control system networks.
"These were business networks, not computer systems anywhere near the operational systems," says Robert M. Lee, the founder of the critical infrastructure cybersecurity firm Dragos, who says he had indirect knowledge of the incidents. "On the one hand it’s concerning. On the other it’s really far from anything near the industrial control systems."
The hackers have targeted at least a dozen distinct organizations, according to Bloomberg, from the Wolf Creek nuclear plant to an unnamed supplier of energy industry control systems. Security firm FireEye tells WIRED that the targets aren't limited to the US: Its researchers have seen spearphishing attempts from the same hackers against targets in Ireland and Turkey, stretching as far back as 2015, as well as "watering hole" attacks meant to infect victims with malware based on their routine visits to certain websites. Many of those attacks, according to FireEye researcher John Hultquist, have focused on electrical engineers and control system operators. "In our experience groups that have solely targeted energy like this have been carrying out reconnaissance for attack," Hultquist says.[1]
Despite immediate suspicions that Russia may be laying the groundwork for Ukraine-style power grid attacks in the US, no digital fingerprints have yet tied the attacks to any specific group.
Those suspicions stem in part from recent history: Russia has likely tried to sow the seeds for power grid attacks in the US before. In 2014, the Department of Homeland Security warned that hackers had infected the networks of multiple US electric utilities with a piece of general purpose malware known as Black Energy. Cybersecurity firm FireEye tied those infections to a hacker group it called Sandworm, which it believed to be Russian based on clues like an openly accessible server tied to the group containing Russian-language documents. Sandworm would later go on to use Black Energy in intrusions against a variety of Ukrainian targets, including hacking three Ukrainian energy companies to cause the first-ever hacker-induced blackouts.
A year later, hackers attacked the Ukrainian energy firm Ukrenergo and took down about a fifth of the electric capacity of Kiev. Slovakian cybersecurity firm ESET and Lee’s company Dragos Inc. found that a piece of sophisticated malware from that attack known as “Crash Override” or “Industroyer” had been used to automatically trigger the blackout. Dragos also attributed the attack to Sandworm, raising new fears that Russia was testing a cyberweapon it might soon turn on American targets.
But US government agencies have yet to find any ties between the most recent attacks and Sandworm, according to Bloomberg and the Times. Security firm FireEye, despite years of tracking Sandworm, also couldn’t yet make any connections.
Any hacker probe of critical infrastructure systems is troubling. Attempts to breach a target with as much potential for catastrophe as a nuclear power plant are even more serious. And the attacks could be another sign that Russia or some other nation is developing the tools and the access to hold America’s most basic infrastructure in peril.
But the attacks are a long way from the ones actually used to turn out the lights in Ukraine, says Lee. The Times and Bloomberg reports go so far as to consider the possibility that heat-dispersing nuclear safety equipment could be disabled or that equipment could be permanently destroyed. But the threat of a nuclear disaster caused by the hackers shouldn't be overblown, Lee says. Based on years of security assessments of critical infrastructure utilities, he admits that the notion of an “air gap”—a separation between sensitive systems and internet-connected ones—is often illusory. In nuclear plants, by contrast, he says that disconnection is far stricter. “In nuclear environments, they have an air gap,” says Lee. That means that to jump from the corporate network, which these hackers reportedly probed, to the critical control systems would be far more difficult than in other industrial facilities.
None of that changes the fact that attacks on US power facilities represent a dangerous harbinger. But Lee argues the recent incidents are still too far from actual harm to infrastructure to warrant panic or overreaction. The hacker blackouts in Ukraine may show what's on the horizon for the US. But that future hasn't arrived just yet.
[1] Updated 7/7/2017 1:10pm EST with new information about the hackers' targets.