North Korean Hackers Targeted U.S. Electric Firms: Report

Hackers likely affiliated with the North Korean government seem to lack the ability to disrupt the U.S. power supply, according to a new report from FireEye.

The state-sponsored actors conducted a reconnaissance attack against electric companies in the United States on Sept. 22, 2017, via spear-phishing emails, but the incident did not lead to a disruption, the security company reports.

In fact, no evidence was found that North Korea-linked actors would even have the capability to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power.

Attacks targeting the energy sector aren’t new, and FireEye says it has detected “more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions.”

Given the current tensions with North Korea, the attacks should come as no surprise.

Utility executives worldwide fear that cyber-attacks could cause disruptions to electric distribution grids. To improve the resilience and security of critical energy infrastructure, the United States Department of Energy announced last month plans to invest over $20 million in cyber security.

Last month, Symantec warned of Russian hackers hitting the energy sector in the United States and other countries with a focus on gaining access to control systems. Iranian-backed cyber espionage actors were observed targeting energy organizations too, and so were Chinese hackers last year.

While North Korea-linked hackers were accused of targeting South Korea’s nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP), the attack apparently focused on stealing sensitive KHNP documents, “as part of an effort to exaggerate the access they had and embarrass the South Korean Government,” FireEye says.

The technique is apparently used by the North Korean government either to instill fear or to meet domestic propaganda purposes. Cyber actors linked to the country, however, don’t appear to possess the ability to take the technical and operational steps required in attacks aimed at disrupting energy sector operations.

The spear-phishing activity observed last month “was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber-attack that might take months to prepare if it went undetected (judging from past experiences with other cyber threat groups),” the security researchers point out.

The suspected North Korean actions are supposedly part of an attempt to demonstrate a deterrent capability rather than the first stages of a larger attack. “For North Korea, even limited compromise of power companies would probably be exaggerated and hailed as a victory by Pyongyang,” FireEye says.

On the other hand, an increasing number of nation-states are developing the capability to disable the operations of power utilities. Moreover, because North Korea-linked actors are bold, they likely remain committed to targeting the energy sector, especially in South Korea and among the U.S. and its allies, the researchers believe.

These actors have already been associated with various cyber-attacks this year, including one targeting South Korea’s wartime operational plans, and several hitting crypto-currency exchanges, possibly in an attempt to bolster finances. Hackers with ties to North Korea were also deemed a serious threat to banks earlier this year.

“North Korea linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide. Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback,” FireEye concludes.

“It doesn’t seem like a phishing attack deserves too much attention these days – especially one that was unsuccessful in penetrating target networks,” Eddie Habibi, CEO of PAS Global, told SecurityWeek. “The fact that it was North Korea isn’t a big surprise nor that power was in the crosshairs. What is worth noting is that as tensions continue to rise with North Korea, we should expect the intensity of cyber attacks aimed at U.S. critical infrastructure to rise as well.”


Ionut Arghire is an international correspondent for SecurityWeek.
