NEW YORK • Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.
Among the companies targeted was Wolf Creek Nuclear Operating, which runs a nuclear power plant near Burlington, Kansas, according to security consultants and an urgent joint report issued by the US Department of Homeland Security and the Federal Bureau of Investigation last week.
The joint report was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the sensitivity of the threat.
The report did not indicate whether the cyber-attacks were an attempt at espionage - such as stealing industrial secrets - or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims' computers into the control systems of the facilities, nor is it clear how many facilities were breached.
Wolf Creek officials said that while they could not comment on cyber-attacks or security issues, no "operations systems" had been affected and that their corporate network and the Internet were separate from the network that runs the plant.
The hackers appeared determined to map out computer networks for future attacks, the report concluded.
But investigators have not been able to analyse the malicious "payload" of the hackers' code, which would offer more detail about what they were after.
Attackers are backed by govts: Report
NEW YORK • The origins of the hackers trying to target the computer networks of companies that operate nuclear power stations and other energy facilities are not known.
But the report issued by the US Department of Homeland Security and the Federal Bureau of Investigation indicated that an "advanced persistent threat" actor was responsible, which is the language security specialists often use to describe hackers backed by governments.
The two people familiar with the investigation say that, while it is still in its early stages, the hackers' techniques mimicked those of the organisation known to cyber-security specialists as Energetic Bear, the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.
Hackers wrote highly targeted e-mail messages containing fake resumes for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said. The fake resumes were Microsoft Word documents that were laced with malicious code. Once the recipients clicked on those documents, attackers could steal their credentials and proceed to other machines on a network.
In some cases, the hackers also compromised legitimate websites that they knew their victims frequented - something security specialists call a watering-hole attack. And in others, they deployed what are known as man-in-the-middle attacks, in which they redirected their victims' Internet traffic through their own machines.
Mr John Keeley, a spokesman for the Nuclear Energy Institute, which works with all 99 electric utilities that operate nuclear plants in the US, said nuclear facilities are required to report cyber-attacks that relate to their "safety, security and operations".
None have reported that the security of their operations was affected by the latest attacks, Mr Keeley said.
In most cases, the attacks targeted people - industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material, according to two people familiar with the attacks who could not be named because of confidentiality agreements.
Energy, nuclear and critical manufacturing organisations have frequently been targets for sophisticated cyber-attacks.
The Department of Homeland Security has called cyber-attacks on critical infrastructure "one of the most serious national security challenges we must confront".
On May 11, during the attacks, US President Donald Trump signed an executive order to strengthen the cyber-security defences of federal networks and critical infrastructure.
The order required government agencies to work with public companies to mitigate risks and help defend critical infrastructure organisations "at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security".
The order specifically addressed the threats from "electricity disruptions and prolonged power outages resulting from cyber-security incidents".
Mr Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission, said in an interview last week that while the security of the US' critical infrastructure systems had improved in recent years, they were still vulnerable to advanced hacking attacks, particularly those that use tools stolen from the National Security Agency.
"We never anticipated that our critical infrastructure control systems would be facing advanced levels of malware," Mr Wellinghoff said.