America’s Electric Grid
Has a Vulnerable Back Door—and Russia Walked Through It
By Rebecca Smith and Rob Barry
Jan. 10, 2019 11:18 a.m. ET
A Wall Street Journal
reconstruction of the worst known hack into the nation’s power system reveals
attacks on hundreds of small contractors
One morning in March 2017, Mike Vitello’s work phone lighted
up. Customers wanted to know about an odd email they had just received. What
was the agreement he wanted signed? Where was the attachment?
Mr. Vitello had no idea what they were talking about. The
Oregon construction company where he works, All-Ways Excavating USA, checked it
out. The email was bogus, they told Mr. Vitello’s contacts. Ignore it.
Then, a few months later, the U.S. Department of Homeland
Security dispatched a team to examine the company’s computers. You’ve been
attacked, a government agent told Mr. Vitello’s colleague, Dawn Cox. Maybe by
Russians. They were trying to hack into the power grid.
“They were intercepting my every email,” Mr. Vitello says.
“What the hell? I’m nobody.”
“It’s not you. It’s who you know,” says Ms. Cox.
The cyberattack on the 15-person company near Salem, Ore.,
which works with utilities and government agencies, was an early thrust in the
worst known hack by a foreign government into the nation’s electric grid. It
set off so many alarms that U.S. officials took the unusual step in early 2018
of publicly blaming the Russian government.
A reconstruction of the hack reveals a glaring vulnerability
at the heart of the country’s electric system. Rather than strike the utilities
head on, the hackers went after the system’s unprotected underbelly—hundreds of
contractors and subcontractors like All-Ways who had no reason to be on high
alert against foreign agents. From these tiny footholds, the hackers worked
their way up the supply chain. Some experts believe two dozen or more utilities
ultimately were breached.
The scheme’s success came less from its technical
prowess—though the attackers did use some clever tactics—than in how it
exploited trusted business relationships using impersonation and trickery.
The hackers planted malware on sites of online publications
frequently read by utility engineers. They sent out fake résumés with tainted
attachments, pretending to be job seekers. Once they had computer-network
credentials, they slipped through hidden portals used by utility technicians,
in some cases getting into computer systems that monitor and control
electricity flows.
The Wall Street Journal pieced together this account of how
the attack unfolded through documents, computer records and interviews with
people at the affected companies, current and former government officials and
security-industry investigators.
The U.S. government hasn’t named the utilities or other
companies that were targeted. The Journal identified small businesses such as
Commercial Contractors Inc., in Ridgefield, Wash., and Carlson Testing Inc., in
Tigard, Ore., along with big utilities such as the federally owned Bonneville
Power Administration and Berkshire Hathaway ’s PacifiCorp. Two of the energy
companies targeted build systems that supply emergency power to Army bases.
The Russian campaign triggered an effort by the Federal
Bureau of Investigation and Homeland Security to retrace the steps of the
attackers and notify possible victims. Some companies were unaware they had
been compromised until government investigators came calling, and others didn’t
know they had been targeted until contacted by the Journal.
“What Russia has done is prepare the battlefield without
pulling the trigger,” says Robert P. Silvers, former assistant secretary for
cyber policy at Homeland Security and now a law partner at Paul Hastings LLP.
The press office at the Russian Embassy in Washington didn’t
respond to multiple requests for comment. Russia has previously denied
targeting critical infrastructure.
Early victims
In the summer of 2016, U.S. intelligence officials saw signs
of a campaign to hack American utilities, says Jeanette Manfra,
assistant secretary of Homeland Security’s cybersecurity and communications
program. The tools and tactics suggested the perpetrators were Russian.
Intelligence agencies notified Homeland Security, Ms. Manfra
says.
In December 2016, an FBI agent showed up at a low-rise
office in Downers Grove, Ill., less than an hour west of Chicago. It was home
to CFE Media LLC, a small, privately held company that publishes trade journals
with titles such as “Control Engineering” and “Consulting-Specifying Engineer.”
TOOLS OF THE TRADE
In cyberattacks against U.S. power utilities, Russian
hackers stole employee credentials to gain access to corporate systems, U.S.
officials say.
·
Spearphishing: Hackers
sent emails with malicious links or attachments that helped steal the
recipient’s credentials.
·
Watering-Hole
Attacks: Hackers planted malicious code on trusted websites such as trade
publications that they hoped their targets would visit. The code recorded
visitors’ confidential information.
·
Remote
Access: With the stolen credentials, the hackers used virtual private
networks and remote desktop programs to stay hidden and maintain access to
internal networks.
Source:
Department of Homeland Security
According to a CFE email, the agent told employees that
“highly sophisticated individuals” had uploaded a malicious file onto the
website for Control Engineering. The agent warned it could be used to launch
hostile actions against others.
Steve Rourke, CFE Media’s co-founder, says his company took
steps to fix the infected site. Before long, though, attackers laced other CFE
Media trade publications with malicious content, according to security
researchers at Accenture ’s iDefense unit and RiskIQ, a San Francisco cybersecurity company, who later
analyzed details of the attack.
Like lions pursuing prey at a watering hole, the hackers
stalked visitors to these and other trade websites, hoping to catch engineers
and others and penetrate the companies where they worked. The Russians could
potentially take down “anybody in the industry,” says RiskIQ
researcher Yonathan Klijnsma.
By planting a few lines of code on the websites, the
attackers invisibly plucked computer usernames and passwords from unsuspecting
visitors, according to government briefings on the attack and security experts
who have reviewed the malicious code. That tactic enabled the Russians to gain
access to ever more sensitive systems, said Homeland Security officials in
industry briefings last year.
Mr. Vitello of All-Ways Excavating has no idea how the
hackers got into his email account. He doesn’t recall reading CFE’s websites or
clicking on tainted email attachments. Nonetheless, the intrusion was part of
the Russian campaign, according to the security companies that studied the
hack.
On March 2, 2017, the attackers used Mr. Vitello’s account
to send the mass email to customers, which was intended to herd recipients to a
website secretly taken over by the hackers.
The email promised recipients that a document would download
immediately, but nothing happened. Viewers were invited to click a link that
said they could “download the file directly.” That sprang the trap and took
them to a website called imageliners.com.
The site, registered at the time to Matt Hudson, a web
developer in Columbia, S.C., was originally intended to allow people to find
contract work doing broadcast voice-overs but was dormant at the time. Mr.
Hudson says he had no idea Russians had commandeered his site.
The day the email went out—the same day Mr. Vitello’s office
phone lighted up in Oregon—activity on the voice-over site surged, with
computers from more than 300 IP addresses reaching out to it, up from only a
handful a day during the prior month. Many were potential victims for the
hackers. About 90 of the IP addresses—the codes that help computers find each
other on the internet—were registered in Oregon, a Journal analysis found.
It isn’t clear what the victims saw when they landed on the
hacked voice-over site. Files on the server reviewed by the Journal indicate
they could have been shown a forged login page for Dropbox, a cloud-based
service that allows people to share documents and photos, designed to trick
them into turning over usernames and passwords. It also is possible the hackers
used the site to open a back door into visitors’ systems, giving them control
over their victims’ computers.
Once Mr. Vitello realized his email had been hijacked, he
tried to warn his contacts not to open any email attachments from him. The
hackers blocked the message.
All-Ways Excavating is a government contractor and bids for
jobs with agencies including the U.S. Army Corps of Engineers, which operates
dozens of federally owned hydroelectric facilities.
Some two weeks later, the attackers again used Mr. Vitello’s
account to send a barrage of emails.
One went to Dan Kauffman Excavating Inc., in Lincoln City,
Ore., with the subject line: “Please DocuSign Signed Agreement—Funding
Project.”
Office manager Corinna Sawyer thought the wording was
strange and emailed Mr. Vitello: “Just received this from your email, I assume
you have been hacked.”
Back came a response from the intruders who controlled Mr.
Vitello’s account: “I did send it.”
Ms. Sawyer, still suspicious, called Mr. Vitello, who told
her the email, like the earlier one, was fake.
The attack spreads
One company that got one of the bogus emails was a small
professional-services firm in Corvallis, Ore. That July, FBI agents showed up
there, telling employees their system had been compromised in a “widespread
campaign” targeting energy companies, according to the company owner.
After receiving Mr. Vitello’s first bogus email on March 2,
a subsequent Homeland Security investigative report says, an employee at the
Corvallis firm clicked on the link leading to the hacked voice-over site. She
was prompted to enter a username and password. By day’s end, the cyber operatives
were in her company’s network, according to the report, which hasn’t been made
public but was reviewed by the Journal.
They then cracked open a portal in the company’s firewall,
which separates sensitive internal networks from the internet, and created a
new account with broad, administrative access, which they hid from view.
“We didn’t know about it or catch it,” says the company’s
owner.
In June 2017, the hackers used the Corvallis company’s
systems to go hunting. Over the next month, they accessed the Oregon company’s
network dozens of times from computers with IP addresses registered in
countries including Turkey, France and the Netherlands, targeting at least six
energy firms.
In some cases, the attackers simply studied the new targets’
websites, possibly as reconnaissance for future strikes. In other instances,
the investigative report indicates, they may have gained footholds inside their
victims’ systems.
Two of the targeted companies had helped the Army create
independent supplies of electricity for domestic bases.
On June 15, hackers visited the website of ReEnergy Holdings LLC. The renewable-energy company had
built a small power plant that allows Fort Drum in western New York to operate
even if the civilian power grid collapses. Fort Drum is the home of one of the
Army’s most frequently deployed divisions and is under consideration to be the
site of a $3.6 billion interceptor system to defend the East Coast from intercontinental
ballistic missiles.
ReEnergy, owned by private-equity
investor Riverstone Holdings LLC, suffered an intrusion but its generating
facilities weren’t affected, says one person familiar with the matter. The Army
was aware of the incident, said a spokesman, who declined to provide additional
details.
That same day, the hackers began hitting the website of
Atlantic Power Corp. , an independent power producer
that sells electricity to more than a dozen utilities in eight states and two
Canadian provinces. In addition to downloading files from the site, the
attackers visited the company’s virtual private network login page, or VPN, a
gateway to the firm’s computer systems for people working remotely, the report
says.
Atlantic Power said in a written statement it regularly
encounters malicious acts but doesn’t comment on specifics. “To our knowledge,
there has never been a successful breach of any of the company’s systems,” it
said.
Around midnight that June 28, the hackers used the Corvallis
company’s network to exchange emails with a 20-person carpentry company in
Michigan called DeVange Construction Inc. The emails
appeared to come from an employee called Rick Harris—a persona fabricated by
the attackers.
DeVange Construction’s systems
already may have been compromised. Applications to energy companies from
nonexistent people seeking industrial-control systems jobs came from DeVange email addresses, according to security experts and
emails reviewed by the Journal. Bogus résumés were attached—tweaked to trick
recipients’ computers into sending login information to hacked servers.
The Journal identified at least three utilities that
received the emails: Washington-based Franklin PUD, Wisconsin-based Dairyland
Power Cooperative and New York State Electric & Gas Corp. All three say
they were aware of the hacking campaign but don’t believe they fell victim to
it.
A DeVange employee says federal
agents visited the company. The company’s owner, Jim Bell, declined to discuss
the incident.
That June 30, the hackers sought remote access to an Indiana
company that, like ReEnergy, installs equipment to
allow government facilities to operate if the civilian grid loses power. That
company, Energy Systems Group Ltd. of Newburgh, Ind., a unit of Vectren Corp. , declines to say whether it was hacked but says it
has a robust focus on cybersecurity.
The company’s website says one of its customers is Fort
Detrick, an Army base in Maryland with a complex of laboratories that defend
the nation against biological weapons. Fort Detrick referred questions to Army
officials, who said they take cybersecurity seriously but declined to comment
further.
As the summer of 2017 wore on, the attackers took aim at
companies that help utilities manage their computer control systems. On July 1,
the attackers used the Corvallis company to attack two English companies, Severn
Controls Ltd. and Oakmount Control Systems Ltd. Next,
they attacked Simkiss Control Systems Ltd. also in
England, and accessed “account and control system information,” according to
the government report.
Simkiss’s website says it markets
tools that allow technicians to have remote access to industrial control
networks. Among its customers are big electrical equipment makers and utilities
including National Grid , which runs electric
transmission lines in Britain and parts of the U.S., where it owns utilities in
New York, Rhode Island and Massachusetts.
Oakmount, Severn and Simkiss declined to comment, and National Grid says its
cybersecurity processes are “aligned with industry best practice.”
By that fall, the hackers returned to Dan Kauffman
Excavating in Oregon, breaching its network on Sept. 18, according to the firm.
They appeared to lurk quietly for a month. Then, on the night of Oct. 18,
emails blasted out to roughly 2,300 of the company’s contacts. The message
said, “Hi, Dan used Dropbox to share a folder with you!” and contained a link
that said, “View folder.”
Among the recipients: employees of PacifiCorp, a multistate
utility; the Portland, Ore.-based Bonneville Power Administration, which runs
75% of the Pacific Northwest’s high-voltage transmission lines, and the Army
Corps of Engineers.
Federal officials say the attackers looked for ways to
bridge the divide between the utilities’ corporate networks, which are
connected to the internet, and their critical-control networks, which are
walled off from the web for security purposes.
The bridges sometimes come in the form of “jump boxes,”
computers that give technicians a way to move between the two systems. If not
well defended, these junctions could allow operatives to tunnel under the moat
and pop up inside the castle walls.
In briefings to utilities last summer, Jonathan Homer,
industrial-control systems cybersecurity chief for Homeland Security, said the
Russians had penetrated the control-system area of utilities through poorly
protected jump boxes. The attackers had “legitimate access, the same as a
technician,” he said in one briefing, and were positioned to take actions that
could have temporarily knocked out power.
PacifiCorp says it takes a multilayered approach to risk
management and that it wasn’t compromised by any attack campaigns.
Gary Dodd, Bonneville’s chief information security officer,
says he doesn’t believe his utility was breached, though it appears to have
received suspicious emails from both All-Ways Excavating and Dan Kauffman
Excavating. “It’s possible something got in, but I really don’t think so,” he
says.
The Army Corps says it doesn’t comment on cybersecurity
matters.
Going public
The U.S. government warned the public about the hacking
campaign in an October 2017 advisory. It attributed it to a shadowy group,
sometimes called Dragonfly or Energetic Bear, that security researchers have
tied to the Russian government.
In March 2018, the U.S. went further, releasing a report
that pinned responsibility for the hostile activities on “cyber actors” working
for the Russian government, saying they had been active since at least March
2016. Governments generally have shied away from naming countries involved in
cyberattacks, not wanting divulge what they know.
In April 2018, the FBI notified at least two companies by
letter that they appeared to have received malicious emails from All-Ways
Excavating’s Mr. Vitello.
One was Commercial Contractors of Ridgefield, Wash., which
helped renovate an office for the Bonneville Power Administration. Eric Money,
the company’s president, says employees thought they had resisted the tainted
emails. But the Journal found that a computer with an IP address linked to the
company visited Mr. Hudson’s hacked voice-over site the day of the attack.
The other company notified by the FBI, Carlson Testing of
Tigard, Ore., has done work for utilities including Portland General Electric,
PacifiCorp, Northwest Natural Gas and the Bonneville Power Administration.
Vikram Thakur, technical director of security response for
Symantec Corp. , a California-based cybersecurity
firm, says his company knows from its utility clients and from other security
firms it works with that at least 60 utilities were targeted, including some
outside the U.S. About two dozen were breached, he says, adding that hackers
penetrated far enough to reach the industrial-control systems at eight or more
utilities. He declined to name them.
The government isn’t sure how many utilities and vendors in
all were compromised in the Russian assault.
Vello Koiv,
president of VAK Construction Engineering Services in Beaverton, Ore., which
does subcontracting for the Army Corps, PacifiCorp, Bonneville and Avista Corp. , a utility in
Spokane, Wash., says someone at his company took the bait from one of the
tainted emails, but his computer technicians caught the problem, so “it was
never a full-blown event.” Avista says it doesn’t
comment on cyberattacks.
Mr. Koiv says he continued to get
tainted emails in 2018. “Whether they’re Russian or not, I don’t know. But
someone is still trying to infiltrate our server.”
Last fall, All-Ways Excavating was again hacked.
Industry experts say Russian government hackers likely
remain inside some systems, undetected and awaiting further orders.
—Lisa Schwartz
contributed to this article.
—Graphics by Joel
Eastwood and Angela Calderon
Write to Rebecca Smith
at rebecca.smith@wsj.com and Rob Barry at rob.barry@wsj.com
Appeared in the January 11, 2019, print edition as 'Russian Hack Exposes Weakness in U.S. Power Grid.'