According to a June 2017 joint report issued by the Department of Homeland Security (“DHS”) and the Federal Bureau of Investigation (“FBI”), hackers penetrated the computer networks of at least a dozen U.S. power plants beginning in May. The report carried an amber warning, the second-highest level of urgency for these types of reports. There is no indication that hackers breached the control systems of any facility, but the report concluded that the apparent goal was to map out computer networks for future attacks.
Among the facilities targeted was the Wolf Creek Nuclear Operating Corporation’s nuclear power plant located near Burlington, Kansas. Wolf Creek officials declined to comment about the cyberattacks, but stated that their business-side network and internet are separate from the plant’s network, and that no plant operations systems had been affected by the breach. Nuclear facilities must report cyberattacks related to their “safety, security, and operations”; no such reports were made by Wolf Creek or any other power plant in connection with these recent attacks.
The hackers used a variety of methods to gain entry into the networks. In most cases, the attacks targeted industrial control engineers with direct access to plant systems. Such systems, if damaged, could cause explosions, fires, or spills of dangerous material. The hackers electronically sent engineers fake resumes laced with malicious code that allowed the hackers to steal the engineers’ credentials and access other machines in the network. In addition, the hackers employed so-called “watering hole attacks,” compromising legitimate websites frequented by their targets, as well as “man-in-the-middle attacks,” in which the targets’ internet traffic was redirected through the hackers’ machines.
The origins of the hackers have not been confirmed, but the DHS-FBI report indicated that an “advanced persistent threat actor”—typically, government-backed hackers—was responsible. Notably, the hackers’ techniques mimicked those of the organization called “Energetic Bear,” a Russian hacking group tied to attacks on the energy sector since as early as 2012.