Two large-scale blackouts in Ukraine caused by Russian cyberattacks in 2015 and 2016 showed how systems once thought off limits to attackers could be exploited. Grid hacking takes many forms, however, which makes the ongoing probing of US critical infrastructure all the more alarming.
Researchers from FireEye noted that while the US grid is relatively well-defended and difficult to hit with a full-scale cyberattack, Russian actors are still running a campaign to infiltrate it.
“There’s still a concentrated Russian cyber espionage campaign targeting the bulk of the US electrical grid,” says FireEye analyst Alex Orleans.
FireEye calls the Russia-linked hacking group that has been targeting the US grid “TEMP.Isotope.” It is also known as Dragonfly 2.0 or Energetic Bear. The group mostly relies on generic hacking tools, such as those used by the threat actor APT10, and on techniques developed by other actors. TEMP.Isotope has, however, also created at least one custom system backdoor, and it often uses spearphishing and infected websites to compromise targets. The group has brought these tools to bear against the US grid in a patient and methodical way.
In many ways, TEMP.Isotope’s actions serve not the goal of triggering large-scale blackouts but that of traditional intelligence-gathering. The group appears to collect information that can be used both to expand Russian energy capabilities and to vet US systems for weaknesses that could potentially be exploited in attacks. The FireEye researchers point out, though, that the canvassing also serves more subtly aggressive counterintelligence goals. FireEye researchers say Russian state-sponsored hackers are the ones to watch in the US grid.