Utilities Targeted in Cyberattacks Identified

An article from the Wall Street Journal
November 24, 2019

Hackers homed in on smaller electricity providers in proximity to critical infrastructure; FBI investigating

By Rebecca Smith and Rob Barry

More than a dozen U.S. utilities that were targets in a recent wave of cyberattacks have been identified by The Wall Street Journal. Some of the utilities, most of which are relatively small, are located near dams, locks and other critical infrastructure.

These electricity providers were singled out in a hacking campaign that was brought to light in August by researchers at a Silicon Valley cybersecurity company. But little was known about the attacks until now.

One of the electric utilities targeted in the ‘Lookback’ cyberattacks is near the Sault Ste. Marie Locks, above, a critical juncture for the transport of iron ore to U.S. steel mills. PHOTO: UNIVERSAL IMAGES GROUP/GETTY IMAGES

The Federal Bureau of Investigation is probing the attacks and has contacted some, but not all, of the utilities, according to some of the utilities. It is possible that the hacking campaign is ongoing, according to security researchers.

Utilities said the FBI provided information that helped them scan their computer networks to see if firewalls—their first-line defenses—had been probed and whether malware-laced emails had been sent to their employees. The FBI declined to comment.

The targeted utilities, which operate in 18 states from Maine to Washington, include Cloverland Electric Cooperative in Michigan, which sits next to the Sault Ste. Marie Locks, a critical juncture for the transport of iron ore to U.S. steel mills; Klickitat Public Utility District in Washington state, which is near major federal dams and transmission lines that funnel hydroelectricity to California; and Basin Electric Power Cooperative in North Dakota, one of the few utilities that is capable of delivering electricity to both the nation’s eastern and western grids.

The hackers attempted to get malware installed on utility computers through “phishing” emails that trick recipients into opening them. The embedded malware, which in this case has been dubbed “Lookback,” could give attackers the ability to take control of victims’ computers and steal information.

The attackers left identifying information on targets briefly exposed on a server in Hong Kong, security researchers said, a portion of which the Journal was able to review. Of the 11 utilities named in this way by the Journal, none said that they had been breached but roughly half said that the FBI had warned them that they may have been targets. Some utilities said they didn’t detect any suspicious emails.

Some utilities targeted in the cyberattacks are located near vital infrastructure. PHOTO: NATALIE BEHRING/GETTY IMAGES

At least two other utilities not on the list were also likely targeted in the attacks, according to people familiar with the matter, which have taken place throughout 2019. The names of other presumed targets couldn’t be determined.

The U.S. government has warned repeatedly that the nation’s electricity grid is an attractive target for overseas hackers. The U.S. blamed a hacking campaign in 2017—the subject of a Page One article in the Journal in January—on the Russian government. National-security officials have said that Russia and China have the ability to temporarily disrupt the operations of electric utilities and gas pipelines.

This year’s hacking campaign illustrates the extent of the threat: Even smaller utilities, which often lack big budgets for security measures, are vulnerable, even though experts once believed their low profile afforded them some protection.

Executives of Wisconsin Rapids Water Works and Lighting Commission said an FBI agent reached out to them in early October and suggested attackers could have been targeting the utility’s networks at the beginning of the year.

“It turned out the reason they were contacting us was because we had been probed in January and again in March” by someone testing the utility’s firewalls from a network located in Hong Kong, said Matt Stormoen, the utility’s information-systems administrator.

The utility now blocks emails from Hong Kong. “We never got compromised and never saw the phishing emails,” Mr. Stormoen said.

Researchers at Proofpoint Inc., the cybersecurity firm that early on publicized the Lookback attacks, identified at least two active attack periods in July and August, when hackers sent emails designed to entice the targets to open them up. One email distributed in July, for example, falsely purported it contained licensing examination information from the U.S. National Council of Examiners for Engineering and Surveying.

David Cox, chief executive of the examination body, said the fraudulent emails “were like nothing we send out” but might still have tricked people because they used the group’s logo.

Another examination-themed email that circulated in August was falsely presented as coming from an outfit called Global Energy Certification, which didn’t respond to a request for comment.

Any opening of the emails would likely have unleashed—without users knowing—malicious code potentially giving attackers covert control over their computers. Only a few people at any individual utility were targeted, Proofpoint said, suggesting hackers studied their victims carefully.

Proofpoint researchers say that the attackers used tools similar to those used by Chinese hackers and that Iran has been active in the utilities sector, but the identities of the perpetrators remain shrouded in mystery.

It couldn’t be determined whether the hackers infiltrated utility operations, whose defenses are typically stronger than those of utilities’ business networks and purposely separated from the internet.

Ted Cash, general manager of ALP Utilities, a city-owned utility in Alexandria, Minn., said his information-technology employees “found a quarantined email in a restricted account” after they were contacted by the FBI, and his IT staff downloaded the quarantined email onto a disk and sent it to the FBI for analysis.

Gary Huhta, general manager of Cowlitz County Public Utility District in Washington state, said his staff didn’t know anything about Lookback until the FBI informed them they may have been hit in July. Subsequent analysis, he said, determined no malicious emails had entered the utility’s network.

Some utility executives told the Journal that the Lookback campaign was unfamiliar and that they had not received any FBI warning.

“It doesn’t ring a bell with me,” said Mike Parrish, director of IT security at Flathead Electric Cooperative in Kalispell, Mont., whose utility was among those listed on the Hong Kong server.

Brian Matthews, chief information officer for Basin Electric Power, declined to “offer specifics about what has gone on.” The North Dakota utility provides wholesale electricity to 141 electric cooperatives in nine states.

Some utility managers said they weren’t particularly worried about Lookback because they face a daily barrage of malicious emails. “Malware is inside 60% of the email our server receives,” said Chuck Zane, IT director for Cloverland. “The odds of those emails making it to a desktop are slim.”

He added that, although his utility might appear to be critical to operations at the Sault Ste. Marie locks, the locks have their own sources of electricity.

Likewise, Jim Smith, the general manager of Klickitat PUD, said that even though the John Day Dam on the Columbia River is near its offices in Goldendale, Wash., it has no control over the power house or the transmission lines onto which electricity is fed. “But if they are thinking in terms of geographic proximity, then we might seem like a worthwhile target,” he said.