In May, we wrote about President Trump’s “Securing the United States Bulk-Power System” executive order. The order directed the Department of Energy to take steps to defend the U.S. bulk-power system against attacks – cyber and otherwise. The action didn’t come a moment too soon. Why? Because Russia’s GRU military intelligence agency was behind a series of cyberattacks targeting U.S. government agencies and critical infrastructure.
We now know that a hacker group within the GRU known as APT28 (or Fancy Bear) carried out the attacks from December 2018 until at least May of this year. How do we know this? The FBI recently sent notifications to the victims of the attacks. And, according to this outreach from the FBI, most of the attacks were attempts to break into U.S. Government email servers and Microsoft Office 365 accounts. The cyberspies also left “breadcrumbs,” revealing that they targeted the U.S. energy sector too. Intrusions such as these attacks on the energy sector, particularly our power grid, represent a significant change in direction for APT28.
“Just given what we understand about how APT28 operates and its typical victimology, identifying that group interacting with the U.S. energy sector would be substantially different from how this group has behaved previously,” says Joe Slowik, the security researcher who spotted the connection between the DOE advisory and the FBI victim notification.
While attacking energy infrastructure seems to be a new undertaking for APT28, the GRU as a whole has carried out such attacks before. For example, the closely related GRU hacker group Sandworm planted malware in the U.S. electric grid in 2014. The group went on to carry out the world’s first cyberattack-induced blackouts in Ukraine in 2015 and 2016. If APT28 is indeed scoping out U.S. energy infrastructure, we should be more than a little concerned. Unfortunately, it remains unclear what the goal of the GRU’s snooping might be.
“This is a concerning data point,” Slowik says. “It’s the first time in a while that this group has targeted U.S. critical infrastructure.”
That’s why President Trump’s May 1st directive doesn’t come a moment too soon. The president’s executive order prohibits federal agencies from procuring products for the bulk-power system from vendors deemed subject to foreign adversaries’ influence. The order also gives the Secretary of Energy the new responsibility to identify weaknesses in our existing system and create a list of “pre-qualified” safe vendors. Well-known companies like Hitachi ABB Power Grids, Southern Company, and American Electric Power have already joined the Asset to Vendor Network.
The Asset to Vendor Network allows vendors to quickly and seamlessly share information about their cybersecurity preparedness with U.S. and Canadian electric utilities. Having access to an extensive network of companies will simplify the process of complying with cybersecurity protocols. Hopefully, these actions are a step in the right direction toward keeping our power grid secure.
The U.S. power grid is an essential part of our day-to-day lives because it delivers affordable and reliable energy. While we don’t yet know the motivations behind these attacks, the U.S. energy industry should be commended for taking action to ensure that our power grid remains safe and secure.