cybersecurity tools for the electric grid

How hackers got into the energy grid

The recent Russian cyberattack targeting energy critical infrastructure providers was supported by an extensive network of human intruders, a top Department of Homeland Security analyst said.

The attackers got access to networks and control systems of "quite a number" of energy infrastructure providers last summer by using the trusted identities of third-party organizations compromised in spearphishing and watering hole campaigns over  2016 and 2017, according to Jonathan Homer, chief of industrial control system analysis at DHS.

Homer described how human attackers waited a year before activating at least one compromised vendor's network, from which they worked their way to the critical infrastructure company that was their ultimate target. Humans at keyboards were used, instead of relying on data scraping and other automated techniques.

The details come from the second DHS National Cybersecurity and Communications Integration Center webcast on "Russian Activity Against Critical Infrastructure" on July 25. The NCCIC is conducting four webcasts on the attacks, with the same content, to spread the word on the novel techniques used to gain operations-level access to critical infrastructure providers' industrial control systems.

Although the campaign has been attributed to the Russian-backed "Energetic Bear" groups, Homer declined to answer a question about the specific identity of the Russian group involved in the campaign during the July 25 webcast.

The attackers, said Homer, didn't come at infrastructure providers directly, but hijacked electronic credentials of trusted organizations, such as vendors and even a government agency, to get into critical infrastructure networks where they then stole credentials of employees there to move further into that network.

Homer didn't name the government agency targeted with initial spearphishing emails. The identities leveraged by the attackers to get into the target critical infrastructure providers didn't really matter to the attackers, he said, only their pre-existing relationship with the infrastructure provider. The agency, he said, reported the questionable traffic to DHS, however.

Once the threat actors were in critical infrastructure networks, they needed to get up to speed on how the infrastructure worked. They targeted and stole the electronic credentials of technicians and operational personnel, as well as technical data and operational schematics of industrial processes.

They also leveraged online digital photos of seemingly benign corporate events, such as ribbon cuttings, or photos of executives, but only those photos that included actual industrial equipment or systems in the background, according to Homer.

Those infrastructure schematics and details from publicly available sources were critical for attackers to understand the intricacies of how to manipulate a particular system, since industrial control systems are highly individual and can vary tremendously from site to site.

Ultimately, said Homer, no infrastructure was actually manipulated in the campaign.

The campaign is apparently ongoing, since Homer warned his audience to let DHS know if they see similar tactics, such as remote server message block attacks or attempts to get into the system via virtual private networks.

He also advised companies to scrutinize the contact on their trusted "whitelist" of acceptable traffic to limit any threat actor's access to credentials that are automatically accepted by networks.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mr[email protected] or follow him on Twitter at @MRockwell4.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected