- At least five U.S. energy companies and 18 others spanning critical infrastructure sectors have experienced "abnormal scanning" from Russian-linked IP addresses, the Federal Bureau of Investigation said in a Friday bulletin first reported by CBS News March 22.
- The activity "likely indicates early stages of reconnaissance, scanning networks for vulnerabilities for use in potential future intrusions," according to the bulletin.
- "It is not surprising at all that Russia would activate its most effective war-fighting tools online," Dennis Hackney, senior director of industrial cybersecurity services development at ABS Group, said in a statement. He warned that "state-sponsored cyber attacks are difficult to definitively attribute."
Federal law enforcement is "working closely" with cyber personnel in the private sector and abroad to monitor potential threats, FBI Director Christopher Wray said Tuesday in a speech to the Detroit Economic Club.
"Today, with the ongoing conflict raging in Ukraine, we’re particularly focused on the destructive cyber threat posed by the Russian intel services, and cybercriminal groups they protect and support," Wray said. "We have cyber personnel working closely with the Ukrainians and our other allies abroad, and with the private sector and our partners here."
Wray's comments came four days after the FBI warned that critical infrastructure providers, and the energy sector in particular, faced a growing threat.
"US Energy Sector entities are advised to examine current network traffic for these IP addresses and conduct follow-on investigations if observed," the FBI bulletin said, according to CBS News.
But it isn't clear from the FBI bulletin if the "scanning" represents a new threat.
"Probably every large utility in the country is scanned thousands of times an hour 24 hours a day by all sorts of bad actors, so I'm not sure what this announcement is supposed to mean," independent security consultant Tom Alrich said in an email.
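The bulletin's advice to examine network traffic for the listed IP addresses, and Alrich's point that utilities are scanned constantly by all sorts of actors, both come down to the same triage question: which sources deserve follow-on investigation first. The script below is an added example, not part of the article or of any FBI material; the watchlist, the flow records and the distinct-port threshold for "scan-like" behaviour are constructed placeholders and assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed placeholder watchlist, standing in for the IP addresses a
# bulletin would supply. These are RFC 5737 documentation ranges, not real IOCs.
WATCHLIST = ["203.0.113.0/24", "198.51.100.7"]

# Constructed flow records in the shape a firewall or Zeek conn.log export
# might give after parsing: (src_ip, dst_ip, dst_port).
FLOWS = (
    [("203.0.113.5", "10.20.0.10", port) for port in range(1, 41)]   # sequential probing
    + [("198.51.100.7", "10.20.0.25", 443)] * 3                      # watchlisted, one service
    + [("10.20.0.8", "10.20.0.10", port) for port in (22, 80, 443)]  # ordinary internal traffic
)

def load_watchlist(entries):
    """Parse bulletin entries (single IPs or CIDR blocks) into networks."""
    return [ip_network(entry, strict=False) for entry in entries]

def in_watchlist(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)

def triage(flows, watchlist_entries, scan_port_threshold=20):
    """Count flows from watchlisted sources and flag sources whose distinct
    destination-port count looks like scanning (threshold is an assumption).
    A watchlist match alone is not evidence of compromise; it marks where
    follow-on investigation should start."""
    networks = load_watchlist(watchlist_entries)
    hits = defaultdict(int)
    ports_seen = defaultdict(set)
    for src, _dst, dport in flows:
        ports_seen[src].add(dport)
        if in_watchlist(src, networks):
            hits[src] += 1
    scan_like = sorted(src for src, ports in ports_seen.items()
                       if len(ports) >= scan_port_threshold)
    return {
        "watchlist_hits": dict(hits),
        "scan_like_sources": scan_like,
        # Highest priority: a watchlisted source that is also behaving like a scanner.
        "investigate_first": sorted(src for src in scan_like if src in hits),
    }

if __name__ == "__main__":
    for key, value in triage(FLOWS, WATCHLIST).items():
        print(f"{key}: {value}")
```

In a real deployment the watchlist would be loaded from the bulletin and the flows from the last few days of firewall or sensor logs, with the threshold tuned to the site's normal traffic.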
Experts say an attack on critical infrastructure could be construed as an act of war, potentially giving pause to a nation-state actor. But the most sophisticated attackers may be able to hide their origins, said Hackney.
"The greater the budget, the better the cybercriminals are at hiding who they are and how they are funded," he said. "State-sponsored threat actors can have extremely high budgets, so they are generally skilled at hiding their true affiliations. As a result, attribution is almost impossible."
President Joe Biden has previously warned Russia that if it "pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond." The federal government has been working for months to bolster the defense of 16 critical sectors, including energy, communications, financial services and agriculture. The President issued a statement Monday reiterating prior warnings that Russia might use malicious cyber activity to avenge economic sanctions imposed by the U.S. and other countries.
U.S. utilities have said they are "closely monitoring" the situation in Ukraine and are coordinating across the industry and with the federal government.
The Electricity Subsector Coordinating Council, which serves as a liaison between the federal government and the electric power industry, said briefings by the federal government are "the latest example of this partnership in action" and "reinforce the importance of continued industry vigilance given the ongoing war in Ukraine."
"Protecting our nation's critical energy infrastructure is a responsibility shared by the energy industry and our government partners at all levels," ESCC said in a statement.
"Rather than fret over highly unlikely threats, I think it's better to fret over highly likely ones," Alrich said, pointing to the 2019 Worldwide Threat Assessment prepared for the U.S. Senate Select Committee on Intelligence.
"Russia has the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure — such as disrupting an electrical distribution network for at least a few hours," the report concluded.