Report Highlights The Crazy Lengths Hackers Took To Hack US Utilities

Russian hackers went to shocking and elaborate lengths to wriggle their way into the United States’ electrical grid, according to a Wall Street Journal report Friday that detailed a slew of new hacking techniques.

Hackers targeted government contractors connected to a public utility company in Oregon to access the country’s electric grid, the report notes. Some of the contractors were unaware that they were victimized due to the exotic tactics’ hackers used to disguise their intentions.

The scheme’s success is owed mostly to how it exploited trusted business relationships using impersonation and trickery. Hackers planted malware on sites utility engineers frequently visit and sent phony résumés with tainted attachments. After getting credentials, they then slipped through portals and gained access to computer systems that monitor and control electricity flows.

TheWSJ’s report identified government contractors such as Commercial Contractors, in Washington, and Carlson Testing, in Oregon, among other big-name public utilities who were targeted in 2017. One of the cites contractors visited cleaned out malicious malware from its domains in 2016 only to see hackers return and infect the system again.

Hackers seized on unsuspecting visitors and other trade websites, hoping to lure engineers and penetrate the companies where they worked. The Russians could potentially take down “anybody in the industry,” researcher Yonathan Klijnsma told WSJ reporters.

Mike Vitello of Oregon-based construction company, All-Ways Excavating, told reporters that he doesn’t recall reading websites or clicking on tainted email attachments. The intrusion was part of the Russian campaign, according to the security companies that studied the hack.

All-Ways Excavating is a government contractor and bids for jobs with agencies including the U.S. Army Corps of Engineers, which operates government-owned hydroelectric facilities. Attackers used Vitello’s account to send mass emails to customers.

One email went to another Oregon-based company called Dan Kauffman Excavating – the subject line read: “Please DocuSign Signed Agreement—Funding Project.” But the memo set off warning signals.

“Just received this from your email, I assume you have been hacked.,” Office manager Corinna Sawyer said in an email to Vitello, who maintains he never visited any of the infected sites nor does he remember clicking on any dodgy links. She received an ominous and cryptic response from his account: “I did send it.”

Sawyer suspected something was wrong, so she called Vitello, who told her the email was fake. Analysts believe the covert style of attack was the first of its kind. “What Russia has done is prepare the battlefield without pulling the trigger,” Robert Silvers, a former cyber policy expert at Homeland Security, told reporters.

WSJ’s report comes amid government warnings in 2018 warning that the U.S. would be unprepared in the event of a power outage.

The Department of Homeland Security noted in July of 2018 that Russia’s military intelligence agency had infiltrated the control rooms of power plants across the United States. There is no evidence that the hackers tried to take over the plants, as Russian actors did in Ukraine in 2015 and 2016.