Russian Hackers 'Could Have Caused Electricity Blackouts' in the U.S.

[Image: Electricity Lines] The sun shines over towers carrying electrical lines August 30, 2007 in South San Francisco, California. Could these facilities be hacked to cause a blackout? Russia may be trying, some experts say. Justin Sullivan/Getty Images

Hackers working for a state-sponsored cyber-espionage unit with alleged links to Russia could have caused electricity blackouts in the U.S. last year after gaining access to some utility control rooms, a Department of Homeland Security (DHS) official disclosed this week.

Jonathan Homer, chief of industrial control system analysis at the agency, said that hackers "got to the point where they could have thrown switches" and disrupted power flows, according to the Wall Street Journal, which first reported the news from a federal briefing on Monday.

Homer said there had been "hundreds of victims" since the attacks began in 2016, but they have not been named. It remains unclear to what extent they were compromised. The cyberattack, he warned, may be ongoing. But experts in the national infrastructure field this week remained skeptical of his claims, stressing that language used in such incidents is often overblown.

According to the DHS, the culprits work for a Russian hacking unit. Active since 2010, the unit has had various code names, including Energetic Bear, Crouching Yeti and Dragonfly. It has been well-documented over the years by government and private sector security experts including Homeland Security's ICS-CERT alongside Kaspersky Lab, FireEye and Symantec.

[Image: Electric Power] A figure looks at the dynamic map board showing power distribution through California's electrical grids in the control center of the California Independent System Operator (Cal-ISO) on August 9, 2004. Could such a system ever be hacked to cause a blackout? David McNew/Getty Images

In March this year, a joint technical alert (JTA) from the U.S. government name-checked the Dragonfly team as having links to Russia. It revealed that, since March 2016, the unit had "targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."

The tactics discussed mirror those mentioned by the DHS on Monday. Homer said the hackers used phishing attacks to access machines and steal passwords. Once inside targets' computers—mostly those of third-party vendors that had close relationships with the electric utilities—they would steal secrets and snoop around to learn more about how the critical systems work.

The Russian hackers, Homer added, were able to break into so-called "air-gapped" computers in control networks, which are typically kept offline or without traditional access to the internet.

The energy sector has long been a target for nation-state hacking units. In December 2015, when Ukraine's power grid was briefly taken offline, theory became reality. Since then, security officials across the world, including in the U.S. and U.K., have warned about the threat. But in most cases, disrupting critical infrastructure remains complex, and experts warn about the dangers of exaggeration.

"The warnings of the threats are extremely important as they are becoming more frequent. But much of the language in these articles is not helpful and often misleading," Robert M. Lee, CEO of industrial network security firm Dragos Inc and a former National Security Agency (NSA) cyber expert, tweeted this week in a thread, responding to the Wall Street Journal report.

"The cyber threats to industrial infrastructure are worse than we realize but not as bad as we want to imagine," Lee told Newsweek. "The DHS has done good work in amplifying the fact that adversaries have targeted the electric grid, especially over these past two years.

"Much of the information was already known to the public though and was discovered by the private sector," he continued. "Amplification is good but word choices around blackouts and the impacts of the targeting are misleading and can cause undue fear.

"We must do more, but fear is not an appropriate path forward."

In March, U.S.-CERT branded the hacking activity a "multi-stage intrusion campaign" by Russia. In 2016, two other state-backed cyber groups, known as Fancy Bear and Cozy Bear, were tied to alleged intrusions into political groups with the intention of meddling in U.S. democracy. The fallout from that campaign continues and may be heating up again as the midterms approach.