Since 23rd December 2015, the threat from global energy hackers has been real and persistent. In 2016 cybercrime cost the world more than $450 bn. The recent GCHQ memo warning that the UK has probably been compromised brings it home.
Two years ago, just before Christmas, power to 230,000 homes and businesses was cut. According to wired.com, a hapless operator at the Prykarpattyaoblenergo control centre in Western Ukraine watched as the cursor on his computer screen suddenly took on a life of its own, shutting down circuit breakers and turning off thousands of lights. When he tried frantically to stop it, it locked him out and carried on. Though power was restored within six hours, the disruption lasted months because the hackers disabled the computer systems, forcing workers to manually control breakers.
The country was hit a second time, a year later. According to insiders, it started with a phishing attack: a malicious email attachment that would have been opened “with no doubts because it was so relevant and crafted so carefully.” It even came from a trusted source.
Though the fallout wasn’t as widespread, experts believe that Ukraine is now being used as a testbed for hackers developing their skills to take on critical infrastructure elsewhere in the world. Marina Krotofil, a Ukrainian researcher with Honeywell Industrial Cyber Security Lab who helped with the investigation into the attack, told Motherboard.vice.com: “The attack [was] not meant to have any lasting dramatic consequences. They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities.”
Though they may physically remain in the same small dark room, the attackers are on the move. There has been a wave of attacks affecting the US and the West in recent months. The Department of Homeland Security and the FBI warned that since May, at least 18 US-based nuclear and energy companies have been receiving phishing emails in a bid to harvest credentials. The agencies did not name names, but confirmed that the hackers had got through in some instances. Reuters.com says that in order to get access to certain systems, the criminals gathered information about the individuals they needed, so they could send ‘decoy documents’ on relevant topics to them. Anonymous sources told The Independent that the chief suspect is Russia.
Earlier this month The Times reported that a group “understood to have ties to the Kremlin’s GRU intelligence agency” attacked the Republic of Ireland’s energy sector. They saw the same modus operandi: surveillance-led or spear-phishing emails containing malicious software were sent to staff. Later it was revealed that the UK was also under attack.
A leaked memo seen by Motherboard from the GCHQ subsidiary the National Cybersecurity Council said it had spotted connections “from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors.” It went on: “NCSC believes that due to the use of wide-spread targeting by the attacker, a number of industrial control system engineering and services organisations are likely to have been compromised. We are aware of reports of malicious cyber-activity targeting the energy sector around the globe … We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK.”
Though there is no indication that the hackers have done anything with the access they’ve gained, it’s feared they may be gearing up for a major attack – and testing what the reaction will be. The US authorities said what concerned them most was the ‘persistence’ of the attacks, seen as evidence that criminals are establishing ‘backdoors’ into systems to access at a later date. Galina Antova, co-founder of Claroty, which specialises in securing industrial control systems, told The Independent: “If you think about a typical war, some of the acts that have been taken against critical infrastructure in Ukraine and even in the US, those would be considered crossing red lines.”