Beginning in March 2016, and possibly earlier, Russian government hackers set out to gain access to America’s infrastructure, from energy facilities, including nuclear energy, to water, aviation and manufacturing, according to a U.S. security alert published Thursday.
The Department of Homeland Security and FBI described in the alert a “multi-stage intrusion campaign by Russian government cyber actors” targeting specifically small commercial facilities. The alert did not name facilities or companies targeted.
The Department of Homeland Security said it appeared to be an attempt by the Russian government to gather information, possibly for a later campaign against the United States.
The Department of Homeland Security cited a recent report by computer-security firm Symantec describing the attacks as “cyber espionage” and suggesting they could be a precursor to future attempts at sabotaging the American energy infrastructure.
The Public Utility Commission has no evidence that Vermont utilities were targeted or affected by the attacks, said John Cotter, the commission’s deputy general counsel.
If a Vermont utility had been affected, the PUC likely would know because such an attack would have the potential to affect quality of service, Cotter said. Utilities must report to the PUC any occurrence that could affect the quality of their service.
The secretary of Vermont’s Agency of Digital Services and the state’s chief information officer, John Quinn III, said the agency also had no evidence that Vermont utilities or businesses were targeted.
A request to speak with a representative from the United States Computer Emergency Readiness Team — the Homeland Security group that released last week’s Russian hacking alert — went unanswered.
A Symantec representative said by email that no one from the company was immediately available to speak about the report.
The Symantec report pointed to widespread power outages in Ukraine in December 2016, which were attributed to the Russian government, as an example of a growing pattern of attacks against energy providers, conducted over the internet.
Vermont is currently without a chief information security officer. The position was held by Glenn Schoonover, who left the agency in early February. Quinn said in an email that plans are in the works to replace Schoonover.
Vermont utilities, including the state’s largest electric utility, Green Mountain Power, and the Vermont Electric Co-op, said they’d experienced nothing along the lines of what was described in last week’s Homeland Security alert.
Burlington Electric Department’s customer care and communications manager, Mike Kanarick, also reported nothing amiss. The city’s electric department experienced a Russian cyber sabotage scare of its own in early 2017, a public relations nightmare for the utility that turned out to have no basis in fact.
Hydro-Quebec, the state-owned Quebec energy firm that is the primary provider of electric power to Vermont, also was unaffected by the hacking campaign, said Lynn St. Laurent, Hydro-Quebec’s strategic communications adviser.
The company that transmits electricity for Vermont’s utilities, the Vermont Electric Power Co. (VELCO), has been aware of issues with Russian hackers, said VELCO’s communications and policy advocate, Shana Louiselle.
“Since then we’ve taken appropriate actions to identify and resolve any vulnerabilities,” Louiselle said.
“It’s our top priority to safeguard not only the reliability, but the security of Vermont’s electrical transmission system,” she said. VELCO has in place a robust system to ensure that security, Louiselle said.
“These cyberthreats are real, and they require constant vigilance to protect the reliability of the grid,” Louiselle said.
The alert said that hackers had:
“Targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. . . After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems.”
The attacks were not limited to the energy infrastructure, the alert said. Also affected were “multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”