The Trump administration on Thursday accused Russian government hackers of carrying out a deliberate, ongoing operation to penetrate vital U.S. industries, including the energy grid — a major ratcheting up of tensions between the two countries over cybersecurity.
It says the hackers penetrated the targeted companies to a surprising degree, including copying information that could be used to gain access to the computer systems that control power plants.
"Since at least March 2016, Russian government cyber actors ... targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors," according to a joint alert issued by the Homeland Security Department and the FBI.
The alert comes on the same day the Trump administration issued new sanctions against Russia for a range of activities, including its actions in cyberspace. Taken together, the steps amount to perhaps the most direct confrontation of Russian hackers by the U.S. government yet.
Russia has been widely accused of launching increasingly dangerous attacks on power grids around the world. Moscow’s most frequent target has been Ukraine, according to researchers. In recent years, Ukraine has twice blamed its neighbor for shutting down portions of its power grid using digital weapons that hackers had not previously successfully deployed on that scale.
The alert says Russian hackers attempted to access the grid and other industries primarily to spy and collect information. Their weapons included malware-laden Word documents — such as engineers' resumes — that appeared in legitimate-seeming emails, but which harvested login and password information from victims' computers.
The hackers used these exploits to target vendors and other companies on the periphery of their main targets, then leapfrogged from those footholds into higher-level networks and installed malware.
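As an added defensive illustration (not code from the alert or this article), the check below flags the kind of document described above: it assumes the Word files harvest credentials by making the victim's machine fetch a resource from an attacker-controlled server when opened, so it scans a .docx for relationship parts whose targets point off the document to UNC, file: or HTTP locations. The sample document and the TEST-NET address are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumption (not stated in the alert text): a document that forces the host to
# fetch a remote resource at open time can cause the host to send credentials
# to that server, so external relationship targets are what we look for.
SUSPICIOUS_TARGET = re.compile(r"^(\\\\|//|file:|https?://|smb:)", re.IGNORECASE)

def find_external_refs(docx_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every external
    relationship that points outside the document. Plain hyperlinks are
    skipped because they are only followed on click, not at open time."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rtype == "hyperlink" or rel.get("TargetMode") != "External":
                    continue
                if SUSPICIOUS_TARGET.match(target):
                    findings.append((name, rtype, target))
    return findings

def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx whose settings part references an attached
    template at `template_target` (a stand-in, not a document from the alert)."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            f'officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx(r"\\203.0.113.7\share\resume.dotm")  # constructed
    for part, rtype, target in find_external_refs(sample):
        print(f"{part}: {rtype} -> {target}")
```

In practice the same check runs over attachments at the mail gateway or in a sandbox, and a hit on an attached template or image that lives on an outside host is worth blocking before the document reaches a user.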
Once inside, the hackers would move around and conduct reconnaissance, and appeared interested in industrial control systems that manage processes for critical infrastructure, the alert reads.
"The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity," the alert says.
It says the hackers also used other means to find their way in. In one case, they "downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background."
They also implanted malware in the websites of trade publications and other websites related to the targeted industries, the alert says.