Russian interference in the U.S. political process has received outsized attention since 2016, but another aspect of the country’s cyber espionage campaign against America is ongoing: consistent attacks against the electrical grid.
A November report from Wired outlines the issue:
At the CyberwarCon forum in Washington, DC on Wednesday, researchers from threat intelligence firm FireEye noted that while the US grid is relatively well-defended, and difficult to hit with a full-scale cyberattack, Russian actors have nonetheless continued to benefit from their ongoing vetting campaign.
"There’s still a concentrated Russian cyber espionage campaign targeting the bulk of the US electrical grid," says FireEye analyst Alex Orleans. "The grid is still getting hit."
FireEye calls the Russia-linked hacking group that has been targeting the US grid "TEMP.Isotope." It's also known as Dragonfly 2.0, or Energetic Bear. The group mostly uses generic hacking tools and techniques created by other actors—a strategy known as "living off the land"—to minimize development time and costs, while also making it harder to identify and track its movements. But TEMP.Isotope has also created at least one custom system backdoor, and often uses spearphishing and infected websites to compromise targets. And the group has brought these tools to bear against the US grid in a patient and methodical way.
Wired noted that America’s infrastructure does have protections in place, having “implemented resilience and defense standards known as the North American Electric Reliability Corporation Critical Infrastructure Protection requirements, more digestibly referred to as NERC CIP”, after the 2003 Northeastern blackout.
But major blackouts are not the only possible goal of foreign hackers: they are likely trying to “sow discord, confusion, and fatigue”.
"All of this threat activity you see from actors like Isotope requires defensive responses from incident responders, threat intelligence within a given organization, all the way up to potentially governments," Orleans says. "So you have this ripple upward and outward. And this counterintelligence is for the purpose of frustrating your adversary. Utilities are the adversary for active threat Isotope, so wearing them down through activity, creating anxiety, fulfills what is in counterintelligence terminology known as 'degradation.'"
FireEye researchers warned that such lower-level attacks should be taken as seriously as more dramatic aggression:
"The most consistent people are likely the Russians," Orleans says. "And I also think we likely haven’t fully uncovered the extent to which they have gotten into the wires."