Russian hackers initiated a complex plan to hack the U.S. electric grid by targeting a small construction company, All-Ways Excavating USA, located in Salem, Oregon. The company is a “government contractor and bids for jobs with government agencies including the U.S. Army Corps of Engineers, which operates dozens of federally owned hydroelectric facilities.”

This hacking resulted in the worst known attack on America’s power grid to date, which ultimately involved small companies in 24 states, Canada and the U.K.

Here’s how it began:

All-Ways Excavating employee Mike Vitello arrived at work on the morning of March 2, 2017, to find that dozens of customers had called regarding the agreement he wanted signed. What agreement?

Hackers, using Mr. Vitello’s email account, had sent a phishing email to the company’s customers in order to gain access to their computers. The customers who called were told the email was bogus and to ignore it.

The purpose of the email was to steer recipients to a website which was secretly controlled by the hackers.

The email promised recipients that a document would download immediately, but nothing happened. Viewers were invited to click a link that said they could “download the file directly.” That sprang the trap and took them to a website called imageliners.com, which was registered at the time to Matt Hudson, a web developer in Columbia, S.C.
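The lure described above has a signature that can be checked mechanically: the message claims to come from a signing service, yet the “download the file directly” link points at an unrelated domain. The following is an added example (not code from the article or from any of the companies involved) that extracts every link from an HTML email body, compares each link’s registrable domain against the domains the claimed brand actually uses, and flags the classic “nothing happened? click here” wording. The brand-to-domain table, the sample message and the `imageliners.com` path are constructed for illustration; the real message’s HTML is not reproduced on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the lure may claim to be from, mapped to the registrable domains a
# genuine link from that brand should live under. Assumed, illustrative list.
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
}

# Visible link text typical of a "nothing downloaded? click here" lure.
LURE_TEXT = re.compile(r"download (the )?(file|document) directly", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join(" ".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: last two labels. Fine for .com; a real tool uses the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(subject, html_body):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    haystack = (subject + " " + html_body).lower()
    claimed = [b for b in BRAND_DOMAINS if b in haystack]
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        domain = registrable_domain(host)
        for brand in claimed:
            if domain not in BRAND_DOMAINS[brand]:
                findings.append(
                    f"link '{text}' points to {host}, outside {brand}'s domains")
        if LURE_TEXT.search(text):
            findings.append(f"'{text}' lure leads to {host}")
    return findings


# Constructed sample modelled on the lure described above (not the real message).
SAMPLE_SUBJECT = "Please DocuSign Signed Agreement - Funding Project"
SAMPLE_BODY = """<html><body>
<p>Your signed agreement is downloading now.</p>
<p>If the download does not start,
<a href="http://imageliners.com/agreement">download the file directly</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample, the check reports two findings, both naming imageliners.com; a message whose links genuinely stay under docusign.com produces none. The brand-versus-link-domain comparison is the part worth keeping: it does not depend on knowing the attacker’s domain in advance, which matters when, as here, the domain was a legitimately registered site that had been taken over.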

Once Mr. Vitello realized his email had been hijacked, he tried to warn his contacts not to open any email attachments from him. The hackers blocked his message.

One of the later emails sent from his account went to Dan Kauffman Excavating Inc., in Lincoln City, Ore., with the subject line: “Please DocuSign Signed Agreement—Funding Project.”

Office manager Corinna Sawyer thought the wording was strange and emailed Mr. Vitello: “Just received this from your email, I assume you have been hacked.”

Back came a response from the intruders who controlled Mr. Vitello’s account: “I did send it.”

Ms. Sawyer, still suspicious, called Mr. Vitello, who told her the email, like the earlier one, was fake.

An employee of another company that had received the email, unfortunately, did open the attachment, and the attack spread from there.

A DHS investigator said the hackers searched for ways to bridge the divide between the utilities’ corporate networks, which are connected to the internet, and their critical-control networks, which are walled off from the web for security purposes.

The bridges sometimes come in the form of “jump boxes,” computers that give technicians a way to move between the two systems. If not well defended, these junctions could allow operatives to tunnel under the moat and pop up inside the castle walls.

In briefings to utilities last summer, Jonathan Homer, industrial-control systems cybersecurity chief for Homeland Security, said the Russians had penetrated the control-system area of utilities through poorly protected jump boxes. The attackers had “legitimate access, the same as a technician,” he said in one briefing, and were positioned to take actions that could have temporarily knocked out power.
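Because the attackers held “legitimate access, the same as a technician,” a password or account check on the jump box would not have distinguished them from staff; what can distinguish them is the context of the session. The following is an added example (not code from the article, DHS, or any utility) that audits jump-box session records against an assumed policy: technicians may only connect from an approved maintenance network, must use MFA, may only log in during a maintenance window, and may only reach allowlisted control-network hosts. The log format, the policy values and the three sample sessions are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, time

# Assumed jump-box policy (illustrative; the WSJ account gives no such detail):
# technicians may only come from the maintenance VLAN, must use MFA, may only
# work inside the maintenance window, and may only reach allowlisted hosts.
MAINTENANCE_NETS = [ipaddress.ip_network("10.200.0.0/24")]
WORK_WINDOW = (time(6, 0), time(20, 0))          # UTC
CONTROL_HOSTS = {"192.168.100.7": "hmi-01", "192.168.100.8": "historian-01"}


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; assumed log format."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit_session(rec):
    """Return the policy violations for one jump-box session (empty = clean)."""
    reasons = []
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in MAINTENANCE_NETS):
        reasons.append(f"source {src} is not on an approved maintenance network")
    if rec.get("mfa") != "yes":
        reasons.append("login without MFA")
    t = rec["ts"].time()
    if not WORK_WINDOW[0] <= t <= WORK_WINDOW[1]:
        reasons.append(f"login at {t:%H:%M} UTC outside maintenance window")
    dst = rec.get("dst")
    if dst and dst not in CONTROL_HOSTS:
        reasons.append(f"onward connection to unlisted control host {dst}")
    return reasons


def audit_log(lines):
    """Return [(line_no, user, reasons)] for every session that breaks policy."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        reasons = audit_session(rec)
        if reasons:
            hits.append((n, rec["user"], reasons))
    return hits


# Constructed sample: all three sessions use a valid technician account and
# password, so only the surrounding context separates the bad ones.
SAMPLE_LOG = [
    "2017-06-12T14:03:10Z user=tech01 src=10.200.0.15 mfa=yes dst=192.168.100.7 proto=rdp",
    "2017-06-12T02:47:55Z user=tech01 src=10.10.5.23 mfa=no dst=192.168.100.7 proto=rdp",
    "2017-06-12T15:20:01Z user=tech02 src=10.200.0.21 mfa=yes dst=192.168.100.44 proto=ssh",
]

if __name__ == "__main__":
    for n, user, reasons in audit_log(SAMPLE_LOG):
        print(f"line {n} ({user}):", "; ".join(reasons))
```

On the constructed sample the first session passes, the second trips three rules at once (corporate-network source, no MFA, 02:47 UTC), and the third passes every login check but reaches a host that is not on the allowlist. The design point is that each rule is something a stolen credential cannot satisfy on its own; the same rules, enforced rather than merely audited, are what turn a “poorly protected jump box” into one that does not bridge the moat.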

Several months later, All-Ways Excavating received a visit from a team of Department of Homeland Security investigators, who told the company its website had been hacked and that they needed to examine its computers. Investigators told Vitello they believed the hackers were Russian, that their reason for hacking All-Ways was to gain access to its customers, who were utilities and government agencies, and that their ultimate goal was to infiltrate the U.S. electric grid.

A reconstruction of the hack reveals a glaring vulnerability at the heart of the country’s electric system. Rather than strike the utilities head on, the hackers went after the system’s unprotected underbelly—hundreds of contractors and subcontractors like All-Ways who had no reason to be on high alert against foreign agents. From these tiny footholds, the hackers worked their way up the supply chain. Some experts believe two dozen or more utilities ultimately were breached.

The scheme’s success came less from its technical prowess—though the attackers did use some clever tactics—than from how it exploited trusted business relationships using impersonation and trickery.

The hackers planted malware on sites of online publications frequently read by utility engineers. They sent out fake résumés with tainted attachments, pretending to be job seekers. Once they had computer-network credentials, they slipped through hidden portals used by utility technicians, in some cases getting into computer systems that monitor and control electricity flows.

The Wall Street Journal pieced together this account of how the attack unfolded through documents, computer records and interviews with people at the affected companies, current and former government officials and security-industry investigators.

The full article, which reconstructs the entire trail followed by the hackers and explains the methods used, was written by Wall Street Journal reporters Rebecca Smith and Rob Barry. It is detailed and therefore very lengthy, but it is fascinating and can be read here.

Most companies had no idea they had been hacked.

Robert P. Silvers, former Assistant Secretary for Cyber Policy at Homeland Security, said, “What Russia has done is prepare the battlefield without pulling the trigger.”

The fact that a foreign agent was able to hack into the “companies responsible for the US electric grid, gaining technical abilities to shut it down” is frightening. All it takes is for one unsuspecting employee to click on a link to compromise a company’s computer network. And once that happens, it’s simply a matter of time before the companies it deals with become compromised as well.

Industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders. Great.