26/07/2018 – News / Cybersecurity / Cyber War / Hackers / US / Russia
Cybersecurity expert offers perspective on news of major US utilities breach
News broke earlier this week in the Wall Street Journal that hackers working for Russia claimed “hundreds of victims” last year in an extensive, long-running campaign that put them inside the control rooms of US electric utilities – from where they could have caused blackouts. With the campaign of attacks said by the Department of Homeland Security (DHS) to be ongoing, cybersecurity expert Tim Helming offers his perspective on the story.
Known as Dragonfly or Energetic Bear, the group behind the attacks has been traced to Russia and is believed to be state-backed. Mr Helming, Director of Product Management at DomainTools, said that while the goals of nation-state actors are various, in the case of Russian cyber actions against the United States, it is known that among their chief aims is to “destabilise American institutions” and “to sow uncertainty and fear”.
Access by the hackers to the control rooms of many US suppliers could have enabled them to shut down networks and cause blackouts, US officials told the Wall Street Journal. And even though command centre computers were not directly linked to the web, the hackers nonetheless won access as a result of targeting smaller firms that supply the utilities with other services.
Cyber warfare – a new generation of attack
“With the recent reports of Russian adversaries gaining access to electric utilities in the United States last spring, we could be seeing the leading edge of what most security practitioners have predicted for years – that the next attack on [the US] will be one of cyber, rather than kinetic, warfare,” cautioned Mr Helming, whose company helps security analysts turn threat data into ‘threat intelligence’, taking various indicators from a client’s network with the goal of stopping security threats before they happen.
However, the cybersecurity expert was keen to bring attention to certain “subtleties” in the Wall Street Journal’s reporting: “It is far from certain that these attacks have resulted in the actual ability to achieve a destructive attack,” he said. “There may be hundreds of ‘victims’ but it’s not clear that they breached hundreds of control centres; also, the screenshots that the attackers showed do not necessarily prove that they are able to seize actual control.”
Major disruption on the horizon?
Mr Helming maintained that it was not, in his opinion, farfetched to foresee adversaries causing a “major disruption” at some point since the frequency of breaches is on the rise. “But, again, while the attackers seem to have gained a worrisome level of access, it is not clear that they have the ‘keys to the kingdom’,” he countered. “If a utility attack were to succeed, the level of damage could be high because the electric grid is susceptible to cascading faults, where a localised disruption can rapidly spread. Adversaries could theoretically do a lot of damage,” he pointed out.
“In other regions of the world, we have already seen attacks on hospitals, the electric grid, public transit, entire cities, and more. Recognising the gravity of the threat is not meant as a scare tactic – cybersecurity practitioners are already aware of all of the risk, and work very hard to minimise the attack surfaces of all critical infrastructure.”