Houston Chronicle

Russia blamed in energy hacks

Cyberattacks likely targeted Houston firms’ grids, networks

By Collin Eaton

Federal authorities on Thursday blamed the Russian government for a two-year surge in cyberattacks against U.S. energy companies, an unprecedented rebuke of the Kremlin for an online assault that threatens energy companies in Houston and across the nation.

Since early 2016, hackers backed by Moscow have targeted small commercial facilities to stage multiple attacks on U.S. energy networks, sending companies malware-laced emails in an effort to penetrate vital control systems that run energy facilities, the Department of Homeland Security and the Federal Bureau of Investigation said in a joint statement.

Officials provided few details, but analysts said the attackers almost certainly targeted companies in Houston, home to major refineries, chemical plants, pipeline companies and oil and gas producers.

“With Houston being the energy capital of the world, if you want to disrupt operations in the U.S., this would be the place to attack,” said Steve Mustard, cybersecurity committee chair of the Automation Federation, a manufacturing trade group.

Homeland Security refused to disclose the names of companies hit by cyberattacks, which included firms that operate oil and gas facilities, nuclear power plants, water treatment plants, aviation systems and manufacturing sites. Government entities were targeted, as well.

The Russian hacking campaign, orchestrated by a group known as Dragonfly, in several cases infiltrated workstations and servers on corporate networks linked to systems that control the production and flow of energy, the U.S. agencies said. After gaining a foothold in the networks, the hackers began surveillance on the operations, collecting data and copying information for accessing systems that operate thousands of functions at power plants, refineries, pipelines and petrochemical facilities.

The FBI and Homeland Security began studying the attacks early last year, finding the hackers targeted third-party suppliers and other smaller companies, which typically lack strong network protections. By infiltrating a smaller company’s network, a hacker could glean information to stage an attack on a larger company, such as by finding the email of a suitable target or credentials that could grant access to systems shared with a larger company at a plant.

The hackers, the federal agencies said, employed spear-phishing emails that appear to come from a reputable source and phony websites with virus-laced links to infiltrate corporate networks. Some spear-phishing emails, for example, used infected Microsoft Word documents disguised as resumes for industrial control system workers. The attackers sent these infected emails both directly to larger companies and to smaller companies.

That U.S. authorities identified the Russian government as the culprit behind the attacks underscores the weight of the evidence against Moscow. It’s the first time the U.S. government has explicitly blamed Russia for the hacking campaign, which is notoriously difficult to prove, analysts said.

Also Thursday, the Trump administration imposed sanctions on 19 Russians it says were involved in meddling in the 2016 U.S. presidential election, including 13 Russians indicted in February for election interference as part of the investigation of special counsel Robert Mueller.

“That’s a big deal,” said Richard Parker, a cybersecurity consultant in Houston. “It’s adding fuel to the fire to show that nation-states are using their cyber powers in all kinds of ways.”

U.S. energy companies reported more than 350 cybersecurity incidents between 2011 and 2015, most of them aimed at trying to infiltrate systems that control pipelines, refineries, electric transmission, oil and gas production and other operations, according to Homeland Security. During that period, the agency found nearly 900 cybersecurity vulnerabilities in U.S. energy control systems, more than any other industry.

In response to such attacks, analysts said, large oil companies have improved cybersecurity technology and practices, becoming more sophisticated in thwarting online assaults than in previous years.

But small to midsized firms still lack the monitoring technology and personnel to block intrusions into their control systems, giving hackers the ability to spy on networks and control systems for months or even years without interruption, analysts said.

Those weak spots could lead to successful attacks against larger companies, which sometimes share network connections and computer systems with smaller, less protected companies. And without the ability to detect intrusions, companies can’t track how often they get hit by cyberattacks.

“They’re cognizant the risks are there, but do they have the funding to staff up and maintain a cybersecurity capability? I don’t see much change,” said Norman Comstock, managing director at the consulting and data analytics firm Berkeley Research Group in Houston. “Houston is certainly a hotbed of targets. And their assets are all over the world.”

In recent years, almost half of the cyberattacks against energy companies have gone unnoticed because of a lack of detection and monitoring technologies and personnel, according to a Ponemon Institute survey in early 2017 of almost 400 oil and gas workers who use operational technology in refineries, oil platforms, drilling rigs and pipelines.

More than two-thirds of the respondents said their companies had at least one security breach within the past year that involved stolen data or an operational disruption.

“There may be a rise in attacks,” Mustard said, “but most companies are so far behind the times they’re not even aware of it.”
