On March 15, 2018, the Trump Administration took the unprecedented step of publicly attributing cyber attacks on American energy infrastructure to the Russian government. According to a joint Technical Alert (TA18-074A) issued by the Department of Homeland Security and the FBI, since at least March 2016 Russian government cyber actors have carried out a “multi-stage intrusion campaign” aimed at U.S. government entities and a wide range of U.S. critical infrastructure sectors, including “organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.”
The campaign was indirect by design. Rather than attacking the energy companies head-on, the actors first compromised “staging targets” (smaller, less defended organizations, such as suppliers and contractors, that already had trusted relationships with the intended targets) using malware and spear phishing, and then used those trusted relationships and credentials to gain remote access to the intended targets’ networks. Once inside, they conducted network reconnaissance and collected information on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) infrastructure, among other activity. The practical implication for an operator is that its own perimeter is not the only attack surface: any third party with remote or VPN access to its network is part of it. Although Russia’s motive was not clear, “cyber security experts and former U.S. officials say such behavior is generally espionage-oriented with the potential, if needed, for sabotage.” Indeed, the Russian government has also been linked to attacks on the Ukrainian energy grid in 2015 and 2016 that “caused temporary blackouts for hundreds of thousands of customers and were considered first-of-their-kind assaults.”
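The reconnaissance phase described above has a recognizable network footprint: a compromised host on the corporate (IT) side of the network begins touching industrial protocol ports on hosts in the control-system (OT) segment. The following is an added illustration of that detection logic, written for this page and not taken from the Technical Alert or from any vendor product. The connection log lines are constructed, the IT and OT address ranges (10.1.0.0/16 and 10.50.0.0/16) are assumed, and the threshold is arbitrary; the port-to-protocol mapping uses the standard ports for those industrial protocols.

```python
import re
from collections import defaultdict

# Standard TCP ports of common industrial protocols. One IT-side workstation
# reaching several of these across many OT hosts is a reconnaissance signal.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Assumed address plan for this example (not from the Alert).
IT_SUBNET = "10.1."    # corporate workstations and servers
OT_SUBNET = "10.50."   # control-system segment

# Constructed sample flow log, one line per connection:
# "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.1.20.5 is an ordinary user; 10.1.20.7 sweeps the OT segment;
# 10.50.1.2 is a legitimate SCADA master polling its own segment.
SAMPLE_LOG = """\
2018-03-01T09:00:01 10.1.20.5 10.1.30.10 445
2018-03-01T09:00:02 10.1.20.5 10.1.30.11 443
2018-03-01T09:05:10 10.1.20.7 10.50.1.10 502
2018-03-01T09:05:11 10.1.20.7 10.50.1.11 502
2018-03-01T09:05:12 10.1.20.7 10.50.1.12 502
2018-03-01T09:05:13 10.1.20.7 10.50.1.10 20000
2018-03-01T09:05:14 10.1.20.7 10.50.1.20 102
2018-03-01T09:05:15 10.1.20.7 10.50.1.21 44818
2018-03-01T09:06:00 10.50.1.2 10.50.1.10 502
2018-03-01T09:06:01 10.50.1.2 10.50.1.11 502
2018-03-01T09:06:02 10.50.1.2 10.50.1.12 502
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield ts, src, dst, int(port)


def find_ics_recon(log_text, min_targets=3):
    """Flag IT-segment sources that reached at least `min_targets` distinct
    (OT host, ICS port) endpoints. Returns {src: {"targets": n, "protocols": [...]}}.
    OT-to-OT traffic (the SCADA master polling PLCs) is deliberately ignored."""
    endpoints_by_src = defaultdict(set)
    for _ts, src, dst, dport in parse(log_text):
        if src.startswith(IT_SUBNET) and dst.startswith(OT_SUBNET) and dport in ICS_PORTS:
            endpoints_by_src[src].add((dst, dport))

    hits = {}
    for src, endpoints in endpoints_by_src.items():
        if len(endpoints) >= min_targets:
            protocols = sorted({ICS_PORTS[port] for _dst, port in endpoints})
            hits[src] = {"targets": len(endpoints), "protocols": protocols}
    return hits


if __name__ == "__main__":
    for src, info in find_ics_recon(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} ICS endpoints via {', '.join(info['protocols'])}")
```

Two caveats apply in practice. First, engineering workstations legitimately talk to many controllers, so a real deployment keeps an allow-list of such hosts rather than relying on subnet membership alone. Second, the staging-target pattern means the sweeping host may be a contractor's machine connected over VPN; the detection should therefore be run on traffic from remote-access address pools as well as on the corporate LAN.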
The Technical Alert also includes indicators of compromise together with recommended detection and prevention guidance for network administrators to help defend against similar attacks in the future.