Skilled foreign hackers who’ve penetrated the computer networks of U.S. power companies or oil and gas firms were mostly looking to steal data, rather than shut down the electric grid or cause other damage to vital industries, Department of Homeland Security analysts say in a newly leaked report.
The report says that some “advanced persistent threat,” or APT, hacking groups — generally a euphemism for skilled teams with nation-state resources behind them — have sought to establish a persistent presence on the special computer networks that control power generators, refineries and pipelines. But this, says the report, “likely is part of nation-state contingency planning, to be implemented … in the event of hostilities with the U.S.”
“We assess the threat of a damaging or disruptive cyber attack against the U.S. energy sector is low,” concludes the report — an unclassified all-source intelligence assessment issued to the private sector at the end of January, but only posted this week by the transparency site Public Intelligence.
The report follows a widespread six-hour power cut in parts of Ukraine just before Christmas, which independent security researchers attributed to a cyberattack, likely carried out by hackers working for or on behalf of the Russian military or intelligence services. But the assessment contains only very preliminary or sketchy information about that incident, in which the same kind of special networks — called industrial control systems, or ICS — were attacked.
“Due to limited authoritative reporting,” the assessment states, its authors are “unable to confirm the event was triggered by cyber means.”
However, malware samples provided by Ukrainian authorities were a variant of an attack package specially designed to penetrate ICS networks, says the report. “The variant provided by the Ukrainian Government has the capability to enable remote access and delete computer content, including system drives,” the authors add, concluding “The attacks are consistent with our understanding of Moscow’s capability and intent, including observations of cyber operations during regional tensions.”
The attack, however, “does not represent an increase in the threat of a disruptive or destructive attack on U.S. energy infrastructure.”