Unknown hackers have gained near-total control over some US power generation companies

Hacker takeovers of power infrastructure have been seen in Ukraine (where they are reliably attributed to Russian state actors), but now the US power grid has been compromised by hackers of unknown origin, who have "switch-flipping" control — that is, they can just turn it all off.

Today, Symantec published research showing that a group they've dubbed Dragonfly 2.0 has gained access to more than 20 power companies' networks in the US and Europe; a "handful" of the US companies are so compromised that the hackers can just turn off the power at will (a Turkish power company is similarly compromised).

Symantec found some signs connecting the hackers to Russia, but these are far from conclusive and may be deliberate, misleading cues. The hackers used known vulnerabilities, not "zero days," to gain access. Though they have sunk deep hooks into the power companies' systems, they have thus far been dormant, and have not interfered with the systems (yet).

Symantec says it has rooted the hackers out of the most deeply compromised systems, and has warned other power companies to be on the alert.

Those attacks were designed to harvest credentials from victims and gain remote access to their machines. And in the most successful of those cases, including several instances in the US and one in Turkey, the attackers penetrated deep enough to screenshot the actual control panels for their targets' grid operations—what Symantec believes was a final step in positioning themselves to sabotage those systems at will. "That's exactly what you'd do if you were to attempt sabotage," he says. "You'd take these sorts of screenshots to understand what you had to do next, like literally which switch to flip."

And if those hackers did gain the ability to cause a blackout in the US, why did they stop short? Chien reasons that they may have been seeking the option to cause an electric disruption but waiting for an opportunity that would be most strategically useful—say, if an armed conflict broke out, or potentially to issue a well-timed threat that would deter the US from using its own hacking capabilities against another foreign nation's critical infrastructure. "If these attacks are from a nation state," Chien says, "one would expect sabotage only in relation to a political event."

[Andy Greenberg/Wired]

(Image: pondhawk, CC-BY)