North American utilities are scouring their systems for signs of Russian malware that the U.S. government has warned could give hackers control of water treatment facilities and parts of the electrical grid.
The U.S. Department of Homeland Security issued alerts about digital attacks on utility computer systems on Oct. 8, Oct. 17 and Oct. 28. The agency didn’t identify the country behind the hacks, but cybersecurity firms yesterday connected them to Russia. The firms have cautioned in recent reports that cyberspying by Russia is on the rise, and a recent breach of an unclassified White House computer system was linked to the Russian government or criminal hackers.
The DHS alerts said malware called BlackEnergy was used to access to human-machine interfaces, systems utility operators use to control critical functions. U.S. investigators haven’t detected attempts to modify or damage those systems, according to the Oct. 28 warning, suggesting that infiltrators were trying to gain control for later use.
“The targets are specialized systems that aren’t good sources of intelligence collection,” said John Hultquist, senior manager for cyber espionage threat intelligence at Dallas-based iSight Partners. “These are the precursors of potential offensive operations.”
Alexander Lukashevich, a spokesman for the Russian Ministry of Foreign Affairs, was not immediately available for comment.
Over the last two weeks, utilities across the U.S. and Canada have been searching for signs of the malware, consuming thousands of man-hours, said Patrick Miller, principal investigator for the National Electric Sector Cybersecurity Organization, an industry group for power companies and government regulators.
“There is a lot of attention being drawn to this,” he said. Utilities in the U.S and Canada “want to make sure they own their own systems.”
Attacks by what seem to be Russian hackers that have come to light over the last two months have focused attention on the cyber-activities of a U.S. adversary. The DHS alerts said the utility attacks date to 2011 and include activity as recent as September. The warnings linked them to a campaign that iSight said was aimed at the North Atlantic Treaty Organization and other targets of interest to Russian intelligence.
That campaign was connected to the Russian government by iSight and other firms that analyzed the targets and techniques, Hultquist said. They determined the group that spied on NATO and Ukraine during a summit in Wales last month -- an organization iSight nicknamed Sandworm -- was simultaneously penetrating the computers of North American utilities, he said.
The breach of White House computers this week appears to bear some resemblance to the NATO and Ukrainian government assaults, according to two U.S. officials who asked not to be identified because they’re not authorized to speak to the media. Those hacks used a vulnerability in Microsoft Corp. operating systems first discovered by iSight and linked to Sandworm.
“In the context of the geopolitical situation with Russia and the U.S. right now, it’s not at all surprising to see an escalated situation in the cyber realm,” said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center.
“This is the way nation-states communicate with each other, to make it clear to your opponents that capabilities exist,” he said. “Russia is making that point on a variety of levels. One of the things it’s saying is, there’s a credible reason you should fear us, because we can do things to you.”
Malware tied by cybersecurity firms to Russia’s intelligence services has started appearing in new places, suggesting a broader campaign to infiltrate U.S. critical infrastructure. One variety -- dubbed Sofacy by the cybersecurity industry -- has historically been used to target Russian dissidents and government agencies in Poland and other former Eastern Bloc countries.
Now, it’s appearing in attacks against the financial sector, according to Symantec Corp., based in Mountain View, California. Symantec is tracking an active Sofacy spearphishing campaign against financial institutions, including some in the U.S., that uses the malware in e-mails to infect computers, according to the company.
The DHS alerts said that BlackEnergy hackers went after three popular HMI systems made by General Electric Co., Siemens AG and Broadwin Technology Inc. The Siemens system, one of the most widely used in the U.S. electrical sector, was the same software targeted by Stuxnet, the computer worm that disabled Iran’s uranium processing facility at Natanz in 2010, Hultquist said.