Last August, security provider Proofpoint said that three small U.S. utilities had been hit with spear phishing attacks a month earlier using the LookBack malware. The malicious emails appeared to impersonate a U.S.-based engineering licensing board, originating from what appeared to be a state sponsored, threat actor-controlled domain. Subsequent Proofpoint research indicated that the hackers had targeted at least 17 utilities from from April to August, based on new phishing emails its researchers uncovered. Some signs, albeit inconclusive, pointed to Hong Kong actors as the culprits. Proofpoint said the cyber attackers used similar tools as Chinese state sponsored hacking crew APT10.
More recently, the Wall Street Journal has identified by name at least a dozen of the facilities that were hit, a few of which are located near dams, locks and other critical infrastructure facilities and operate in 18 states. Some of the location-sensitive facilities include Michigan-based Cloverland Electric Cooperative; Klickitat Public Utility District in Goldendale, Washington; and, Basin Electric Power Cooperative in North Dakota.
According to the WSJ, Cloverland is located next to the Sault Ste. Marie Locks, a jumping off point for transporting iron ore to U.S. steel mills; Klickitat sits near federal dams and transmission lines that provide hydroelectricity to California; and, Basin delivers electricity to U.S. energy grids in the East and West coasts.
Eleven of the utilities said that they had been breached, the WSJ’s report said. About half said that the Federal Bureau of Investigation, which is on the case, has warned them that they may have been targets. While some utilities said they didn’t detect any suspicious emails, others not on the hit list nonetheless may have targeted, the WSJ’s sources reportedly said.
At this point, the FBI has contacted most of the utilities and instructed them to scan their firewalls for signs of a breach, the report said. Wisconsin Rapids Water Works and Lighting Commission told the WSJ that they had been probed in January and March by someone testing the utility’s firewalls from a network located in Hong Kong. “We never got compromised and never saw the phishing emails,” Matt Stormoen, the utility’s information systems administrator, told the media outlet. Other targeted facilities include ALP Utilities, in Alexandria, Minnesota; Cowlitz County Public Utility District in Longview, Washington; and, Flathead Electric Cooperative in Kalispell, Montana, the report said.
The Department of Homeland Security (DHS) and the FBI have posted a number of warnings to critical infrastructure operators that foreign hackers are intent upon hitting the nation’s electricity grid. In March 2018, DHS and the FBI put out an alert warning of a campaign by Russian government cyber actors that targeted small commercial facilities’ networks with spear phishing attacks.