Hackers have attempted to gain access to the networks of US-based nuclear power firms, as well as other energy sector businesses, through a series of targeted spearphishing campaigns, according to a joint alert issued by the FBI and the Department of Homeland Security (DHS) on June 30th.
In that alert, the FBI and DHS warned businesses in the energy sector that “advanced, persistent threat actors” had been attempting since May to steal network log-in and password information for multiple energy companies, including those operating nuclear power plants.
The hackers, who were unnamed in the alert, are purportedly targeting energy sector workers with spearphishing emails containing Microsoft Word attachments that look like résumés from job applicants. Attackers are also using watering hole attacks, though details on that attack vector were not made publicly available. The attackers are likely attempting to gain control of a privileged account and jump from a corporate network to one containing controls for operational systems.
However, officials said there is no evidence the hackers reached or otherwise disrupted the core systems controlling operations at the plants, and that the public was not at risk.
“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” the DHS and FBI said in a joint statement Friday.
One of the targets of the attacks, Wolf Creek Nuclear Operating Corp. in Kansas, released a statement saying that “there has been absolutely no operational impact to Wolf Creek.” According to spokesperson Jenny Hageman, “the safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the Internet.”
Unnamed officials have since told Bloomberg that the National Security Agency (NSA) has attributed activity targeting US energy firms to the FSB, a Russian spy agency, a detail left out by previous government reports on the attacks.
If the attacks were carried out by the Russians, this spearphishing campaign could be a signal that Russian state-sponsored hackers are looking to explore opportunities for devastating attacks on critical US infrastructure.
Hackers working for Moscow previously carried out such an attack on energy infrastructure in December 2015, when they disrupted the electric system in Ukraine, resulting in a loss of power for 225,000 customers.
The disclosure of these attacks comes at an awkward time: President Trump and Russian President Vladimir Putin met Friday to discuss “the challenges of cyberthreats,” according to statements made by Secretary of State Rex Tillerson to reporters. The two world leaders “agreed to explore creating a framework” to better deal with cyberthreats, according to Tillerson. On Saturday, Putin told reporters that he and Trump have agreed to set up a working group “on the subject of jointly controlling security in cyberspace.”