The Hackers' Playbook

Power grid breaches offer critical lessons for cyber defenders


Russian hackers are so deep into the control systems of hundreds of U.S. utilities, "they could have thrown switches," a Department of Homeland Security official has warned the Wall Street Journal in an alarming new report.

It's been long known that criminals had slithered into computer networks across the energy industry, infiltrating some so deeply that experts believed they had the power to throw entire regions into darkness. But a July 23 briefing was the first time outside a classified setting that U.S. government officials had offered so much detail, or warned that hundreds, rather than dozens, of U.S. electric utilities are affected. Some of those utilities may not yet know their systems have been so badly compromised, DHS officials said.

The warning bells have been ringing for years. The latest breaches were blamed on a group of Russian hackers known as Dragonfly, or Energetic Bear, also named as perpetrators of a serious breach first reported by the cybersecurity company Symantec in September 2017. That incident revealed much about the way these attacks work. So much, in fact, that the U.S. government turned it into a cautionary tale. In a comprehensive report, a team of cyber specialists from the Department of Homeland Security and Federal Bureau of Investigation dissected the 2017 incident and the hackers' tradecraft, hoping the information can help defend against similar attacks.

Experts say hackers are constantly finding ways to infiltrate, corrupt and weaponize whatever touches the internet – often bit by bit. Dragonfly's methods have been consistent, leaning largely on breaking into the more vulnerable networks of small companies that supply or have trusted relationships with utilities, then using that perch to reach into the systems of the larger players.

"When a staging target, potentially a partner company or a supplier is compromised, we need to understand that it might not be just about that target," said Mark Orlando, chief technology officer for cyber services at Raytheon. "We need to understand that the ecosystem is at risk through that compromise."

It's important to get the word out when breaches are discovered, according to Orlando.

“These details, if taken by themselves, might not seem that impactful," he said. "When presented with the entire story, we can see (a breach is) part of a larger, sustained campaign, potentially causing a lot of damage.”

That damage could be far-reaching, said Constance Douris, who studies cybersecurity for the Lexington Institute, a Washington, D.C. think tank that focuses on defense. She said hacking the power grid is essentially a newer way of attacking a traditional military target.

"Everyone understands cyber is important, but they don't quite understand why it needs to be protected," she said. "Hospitals, banks, pipelines, military bases – all of these cannot operate without electricity. Protecting the grid from cyberattacks should not be neglected by any means."

Here’s how the cyber experts broke down such hacks – and how businesses can protect themselves.


One of the attackers' main strategies is to divide targets into two groups: intended targets, or the energy companies themselves; and staging targets – ancillary organizations like vendors, suppliers, even trade journals and industry websites.

Rather than going straight after the larger and better-protected big targets, the hackers instead worm their way into the smaller, less secure companies' networks, then use that access to gather intelligence and set traps.

Smaller companies are often a hacker's first stop on the way to a bigger target, Orlando said. He recommends monitoring computer networks for unusual activity, installing security patches regularly and developing a response plan to disclose breaches and limit damage.

“Really it just comes down to managing your systems and being as vigilant as you can,” he said.

Businesses should monitor their computer networks for signs of unusual activity – a common early indicator of a cyberattack.


Like the bank robbers of old, hackers start by researching their targets. That includes scouring the Internet to see how an organization works, identify its business partners and look for weak spots.

It's simple but effective, according to Orlando.

“Often, that gives you much richer information than technical activity,” he said. “That’s far more efficient than trying to scan a network or doing the other things that might tip a network off that they’re being targeted.”

In the 2017 power company hack, for example, the attackers looked on one company’s human resources site and found a photo that seemed harmless, but in reality contained extraordinarily valuable information: the manufacturer and model of a certain piece of control-systems equipment.

That, in turn, provided insight on how the plant runs. It also gave the attackers another potential staging target, and it helped them with another phase of the attack – "spearphishing," or the use of customized, highly deceptive emails designed to deliver malware.

The best defense, Orlando said, is for companies to be judicious about the level of detail they put out there – “a certain level of vagueness,” as he put it, “especially when you’re talking about certain parts of your infrastructure.”


Just like spies learn the customs and habits of the people they’re watching, hackers study their targets and find a way to use that information to their advantage.

In their report, the government said the attackers went after their big targets with several types of emails – resumés, curricula vitae, policy documents – and in each, they made reference to control systems. In other words, they were using the intel they collected from their surveillance to create a plausible, well-informed email likely to fool someone into opening the malware-laced attachment.

One of the ruses: An invitation to a New Year’s Eve party.

“Nothing is off the table,” Orlando said. “It doesn’t have to be related to a business, or a partner. There’s no specific look or feel or subjects of focus. Attackers can and do change them up to find something that’s successful.”


Spearphishing works – it’s one of the oldest tricks hackers have – but it’s far from the only way to get malware onto a machine. Another common method, called a watering-hole attack, plants malicious code in a place the targets trust, then waits for them to come pick it up.

In attacks on the energy sector, the hackers used many of their staging targets to develop watering holes. About half were trade publications and informational websites that dealt with matters specific to the energy industry. The hackers corrupted those sites behind the scenes and "altered them to contain and reference malicious content," the government wrote, meaning those sites were serving up malware but giving the targets no reason to suspect anything was amiss.

“It’s a low-complexity, low-effort, high-yield attack,” Orlando said. “It allows you to cast a wide net. With relatively little effort, you can target lots and lots of users.”

The best defense, he said, is for a company to monitor its own networks for signs that a user may have unwittingly stumbled into a watering-hole attack.


Much attacking malware is designed to capture user credentials, or the digital identity of someone authorized to use a target network. With credentials, hackers no longer have to lie, fool or finagle their way to paydirt. They can simply find it and take it.

“If I’m able to harvest credentials from a supplier and gain access to my primary target, I don’t even have to use any kind of attack,” Orlando said. “If I can come into your environment using authorized credentials, detecting that just became exponentially more difficult.”

Credential harvesting includes usernames and passwords – usually stolen through tricking someone at a false login page for a familiar site – but it also includes less familiar digital loot such as hashes, or the “secret handshakes” that networks perform whenever one attempts a transaction with another.

Here's how hackers steal hashes: their spearphishing emails contain documents that order the target's computer to retrieve data from a server, one the hackers either own outright or have commandeered. Once the hackers have the target's hash, they can apply techniques to reveal the password in plain text. With that password, unless the network requires multiple modes of authentication to sign on, such as a thumbprint or a code from a security token, the attackers are in.
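The document-fetches-from-the-hackers'-server trick leaves a trace a defender can look for: a workstation opening a Windows file-sharing connection to an address outside the organisation. The script below is an added example, not from the article or the government report; it assumes a simple constructed firewall log format and treats the RFC 1918 ranges as "inside the network".

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the article or any real network).
SAMPLE_LOG = """\
2018-07-23T10:15:02Z src=10.1.4.22 dst=10.1.4.5 dport=445 proto=tcp action=allow
2018-07-23T10:15:09Z src=10.1.4.22 dst=203.0.113.9 dport=445 proto=tcp action=allow
2018-07-23T10:15:10Z src=10.1.4.22 dst=203.0.113.9 dport=443 proto=tcp action=allow
2018-07-23T10:16:41Z src=10.1.7.80 dst=198.51.100.24 dport=139 proto=tcp action=allow
2018-07-23T10:17:03Z src=10.1.7.80 dst=192.168.50.3 dport=139 proto=tcp action=allow
"""

# Ports used by Windows file sharing. A workstation opening one of these to an
# outside address is the fingerprint of a document "phoning home" for a hash.
SMB_PORTS = {139, 445}

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields

def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    """Return (timestamp, src, dst, dport) for each allowed internal-to-external SMB flow."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["proto"] != "tcp" or f["action"] != "allow":
            continue
        if f["dport"] in SMB_PORTS and is_internal(f["src"]) and not is_internal(f["dst"]):
            alerts.append((f["ts"], f["src"], f["dst"], f["dport"]))
    return alerts
```

Each flagged flow is worth a look: ordinary business traffic rarely needs file sharing with the open Internet, so a hit usually means either a misconfiguration to close or a lure document that has already been opened.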

That's one way to steal login information. Another method: to imitate the login page itself.

In a separate phishing campaign that focused on staging targets, the attackers planted a link that redirected users several times, ultimately landing on a page whose "username" and "password" fields fed credentials straight to them.


At least one element of the spearphishing campaign in the earlier breach showed these hackers were innovating as well.

Rather than emailing attachments infected with malware, they did something likely to catch savvier targets off-guard. They sent a harmless document, but they made sure it didn't download properly. Then they programmed in a prompt for users to click if they were having trouble.

And that's where the malware lived.

“Attackers are getting savvier,” Orlando said. “It’s just evidence that these kinds of social engineering attacks have gotten a little more clever and a lot less obvious that there’s anything malicious going on.”

There are two main lessons from the power-grid hack, Orlando said. First, businesses should know that small hacking attempts like suspicious emails are often part of a larger campaign. Second, they should understand that truly cyber-secure businesses look beyond their own networks.

“Your network isn’t just your network. It’s your network, plus your trusted partners, plus your suppliers,” he said. “If you’re not mitigating risk across the entire ecosystem, you’re potentially missing a very large exposure to your business.”

Last Updated: 11/12/2018