JAN. 5, 2017

Experts believe Russian hackers linked to the DNC breach are also behind attacks on utilities in Ukraine and U.S., leaving domestic power grid exposed

Dec. 30, 2016 12:58 p.m. ET

Cyberattacks that have knocked out electric utilities in Ukraine, including one suspected hack earlier this month, have renewed concern that computer criminals could take down portions of the U.S. power grid.

That fear was underscored this week when senior administration officials said that teams of Russian hackers have “targeted critical infrastructure even beyond what they did” with political organizations in an attempt to interfere in the U.S. presidential election.

The Obama administration on Thursday announced sanctions that include expelling about three dozen Russians. Meanwhile, the FBI and Homeland Security said in a report that malicious Russian cybercampaigns continued after the election and a senior official said “Russia is not going to stop.”

A team of Russian hackers that has been linked to this year’s cyberbreach of the Democratic National Committee was also behind a successful attack in 2015 on three different utilities in Ukraine that caused unprecedented blackouts, according to government and independent security experts.

The same group is thought by those experts to be behind successful cyberattacks on several U.S. energy companies in 2014 that gave the hackers access to company industrial control networks.

In mid-December, Ukraine’s capital city of Kiev suffered another partial power outage when a high-voltage electric substation turned off under suspicious circumstances.

“We’re 99% sure that it was a hacker,” said Vsevolod Kovalchuk, chief executive of Ukrenergo, the utility that operates the backbone of Ukraine’s power transmission network.

Shortly before midnight on December 17, someone started disconnecting circuit breakers through remote means until the electrical substation was completely disabled, Mr. Kovalchuk said.

Utility employees re-energized the substation by manually restoring equipment to their “on” positions. Substations are linchpins in all power grids because they control voltage levels and direct the flow of electricity down power lines.

Mr. Kovalchuk said he believes the latest attack was well planned because the targeted substation is one of the utility’s most automated. An official investigation could take another week but should identify the perpetrator and malware, he said.

American officials believe a cyber-campaign against the U.S. energy industry in 2014 resulted in at least 17 companies’ systems being penetrated, including four electric utilities. Their identities aren’t publicly known. The U.S. power grid is a gigantic system of interconnected electric networks, which means successfully taking down one or more utilities could destabilize larger areas of the grid.

The U.S. Department of Homeland Security has said the attackers in the 2014 blitz were able to steal data and gain private network access, which could allow them to remotely adjust equipment settings.

A recent report by FireEye, a Silicon Valley cybersecurity company, said the Russian group has evolved its malware to use “flexible and lasting platforms indicative of plans for long-term use.”

Russia’s embassy press office in Washington, D.C., didn’t respond to requests for comment, but in the past officials have denied state involvement in hacking.

Frank Cilluffo, a former homeland security adviser during the George W. Bush administration, said such brazen attacks signal a cyber Cold War has broken out. “We need to raise the cost and consequence” of these acts, he said.

Officials at the Department of Homeland Security declined to comment beyond Thursday’s briefing.

The team that is believed to have attacked U.S. and Ukrainian energy companies used malware dubbed BlackEnergy, which functioned like a propped-open door that allowed them to conduct lengthy reconnaissance.

“Russia is the most capable cybersecurity adversary we have,” said Keith Smith, vice president of threat intelligence at Root9B, a network security company. “They penetrated the DNC with a module strikingly similar to BlackEnergy.”

U.S. officials believe the cyberattack of Ukraine’s power grid started in March 2015 as a “spear-phishing” foray in which emails to utility employees appeared to contain information on military mobilization. Workers who clicked on boxes to “enable macros” infected their computers with the malware. Once the hackers established a beachhead, they prowled around company networks and eventually stole the credentials needed to gain access to utilities’ operations.

For nine months, the hackers studied the Ukrainian electric system. When the attack finally happened on December 23, 2015, hackers remotely took control of three of Ukraine’s 30 power distribution utilities within a half-hour. During the attack, the first time that power systems had been blacked out through cyber means, control room engineers sat helplessly as ghostly hands moved cursors across their computer screens, opening circuit breakers at 50 substations and shutting off electricity to about 700,000 people.

The team then used another kind of malware called KillDisk to erase critical automation software, so utilities had to dispatch crews to each substation to manually restore equipment. Electricity was mostly flowing again about six hours after the hackers withdrew, but for months the utilities had to limp along without normal automation.

It could have been far worse. Had the attackers opened and closed breakers rapidly and randomly it could have caused lasting damage and resulted in lengthy blackouts, said Joe Weiss, an industrial security expert at Applied Control Solutions LLC.

“Think six months and not six hours,” he said.

Michael Assante, a member of a fact-finding team that studied the attacks in Ukraine, said it is a fallacy to think the U.S. could repel a similarly sophisticated assault. In fact, heavier reliance on automation makes the U.S. electric system harder to completely restore once knocked out, he said.

“The same tactics used in Ukraine would absolutely cause a problem here,” said Mr. Assante, a former chief security officer for Ohio utility American Electric Power Co., who now works for SANS Institute, a security consulting firm.

Sen. Angus King (I-Maine) is sponsoring federal legislation that would require utilities to have manual-control capabilities.

“The next Pearl Harbor will be cyber,” he said. “It’s a cheap way to attack. No bombers or submarines needed.”

U.S. officials say it is possible that malware, including BlackEnergy, still lurks in American utility networks. There is no federal requirement that it be rooted out.

Gerry Cauley, president of the North American Electric Reliability Corp., which writes security standards for the power industry, said more teams of hackers that appear to be sponsored by foreign governments are trying to penetrate the U.S. power grid.

“There have been instances of BlackEnergy and mapping of networks,” he said. “But they’re working in a big ocean and might have mapped one coral reef.”

Small comfort, say some experts. Many fear the malware is already positioned and waiting to be activated.

Mr. Smith of Root9B said it is speculative to assume the Russians want to shut down the U.S. power grid. But if relations between the countries break down, he said, “I don’t see anything that would stop them.”