Russian hackers indicted for targeting nuclear firm Westinghouse Electric
- The U.S. Department of Justice on Thursday issued an indictment of seven Russian military officers on hacking-related charges, including wire fraud, aggravated identity theft and money laundering.
- While most of the hacking focused on the Olympics and attempting to discredit international anti-doping organizations, the group also allegedly tried to steal the login credentials of Westinghouse Electric employees who were involved in advanced nuclear reactor development and new reactor technology.
- The indictment indicates a number of Westinghouse employees did click on links in spear-phishing emails, but the company said it does not believe hackers' attempts were successful. Westinghouse said it is cooperating with the Justice Department in an "ongoing investigation."
The federal indictment this week is a reminder that power sector companies face constant cyber threats and that their biggest vulnerabilities can often be their own employees.
The indictment issued this week by a grand jury in the Western District of Pennsylvania describes intricate steps hackers took in their attempts to infiltrate Westinghouse Electric systems, going so far as to register domain names and develop spoof websites to capture employee credentials.
For instance, the hackers registered "westinqhousenuclear.com," substituting a "q" for a "g."
"Spear-phishing messages were composed to resemble emails from trustworthy senders, such as email providers or colleagues, and requested the recipients to click on hyperlinks in the messages," the indictment said. "Such hyperlinks would direct recipients to spoofed websites which prompted the recipients to enter their login and password and enabled the capture of their credentials."
The hackers also sent spear-phishing emails to the personal email accounts of four Westinghouse Electric employees, and two of them clicked on the "malicious link which would have enabled the theft of the login credentials to their personal email accounts," according to the indictment.
Those employees were involved in advanced nuclear reactor development and new reactor technology, but the company said its system was not ultimately infiltrated.
"We have found no evidence that the phishing campaigns against employees to breach Westinghouse’s systems were successful," Sarah Cassella, a spokesperson for Westinghouse, told Utility Dive via email.
Westinghouse designs nuclear reactors for use in civilian power plants, and problems with its latest reactor design prompted the cancellation of the V.C. Summer project in South Carolina and large cost overruns and delays for the Vogtle plant under construction in Georgia.
Westinghouse declared bankruptcy in March due to struggles at the two plants.
The company said security is a top priority and it maintains "robust processes and procedures to protect against cybersecurity threats."
Those threats are becoming both more persistent and sophisticated, as shown in the indictment and recent warnings from the federal government.
In March, the Federal Bureau of Investigation and the Department of Homeland Security issued an alert warning that Russian hackers are involved in a methodical, long-term campaign to infiltrate critical infrastructure in the United States, including energy and nuclear. But it is unclear just how much success hackers have had, and cybersecurity experts must walk a fine line between overstating the immediate threat and warning of real consequences.
Over the summer, the Department of Homeland Security made headlines by claiming that hackers had infiltrated multiple utility control rooms, gaining the ability to "throw switches" on the grid and cause blackouts. The agency subsequently walked back that assertion, but said attempts to infiltrate are almost constant.
There have been successful intrusions abroad and there is a growing trend of hacking attempts focused on industrial control systems.
In 2015 a cyberattack in Ukraine knocked out power to almost a quarter million people, raising the profile of the threat faced by electric utilities. Since then, hackers also penetrated the safety systems of a petrochemical plant in Saudi Arabia, in part by taking advantage of an older device.
- Department of Justice Indictment
- Utility Dive How vulnerable is the grid to cyberattacks, really?
Follow Robert Walton on Twitter