Iranian hackers breached the control system of a dam near New York City in 2013, and are also implicated in some of a dozen attacks that have infiltrated the U.S. power grid system in the last decade, say two separate reports.
The reports by the Wall Street Journal and the Associated Press both raise concerns about the security of the country's aging infrastructure.
Two people familiar with the dam breach told the Wall Street Journal it occurred at the Bowman Avenue Dam in Rye, New York. The small structure about 20 miles from New York City is used for flood control.
The hackers gained access to the dam through a cellular modem, the Journal said, citing an unclassified Department of Homeland Security summary of the incident that did not specify the type of infrastructure.
The breach came as hackers linked to the Iranian government were attacking U.S. bank websites after American spies damaged an Iranian nuclear facility with the Stuxnet computer worm.
Homeland Security spokesman S.Y. Lee would not confirm the breach to Reuters. He said the department's 24-hour cybersecurity information-sharing hub and an emergency response team coordinate responses to threats to and vulnerabilities in critical infrastructure.
Meanwhile, about a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, according to top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter, the Associated Press found.
Security researcher Brian Wallace was on the trail of hackers who had snatched a California university's housing files when he stumbled into one example: Cyberattackers had opened a pathway into the networks running the United States power grid.
Digital clues pointed to Iranian hackers. And Wallace found that they had already taken passwords, as well as engineering drawings of dozens of power plants, at least one with the title "Mission Critical."
The drawings were so detailed that experts say skilled attackers could have used them, along with other tools and malicious code, to knock out electricity flowing to millions of homes.
The attack targeted Calpine Corp., a power producer with 82 plants operating in 18 states and Canada — it has one plant in Courtright, Ont. The hacking software appeared to originate in Iran, but the hacking group included members in the Netherlands, Canada, and the United Kingdom.
Wallace was astonished. But this breach, The Associated Press has found, was not unique.
Capability to strike at will
These intrusions have not caused the kind of cascading blackouts that are feared by the intelligence community. But so many attackers have stowed away in the systems that run the U.S. electric grid that experts say they likely have the capability to strike at will.
The hackers have gained access to an aging, outdated power system. Many of the substations and equipment that move power across the U.S. are decrepit and were never built with network security in mind; hooking the plants up to the Internet over the last decade has given hackers new backdoors in.
Distant wind farms, home solar panels, smart meters and other networked devices must be remotely monitored and controlled, which opens up the broader system to fresh points of attack. Hundreds of contractors sell software and equipment to energy companies, and attackers have successfully used those outside companies as a way to get inside networks tied to the grid.
Attributing attacks is notoriously tricky. Neither U.S. officials nor cybersecurity experts would or could say if the Islamic Republic of Iran was involved in the attack Wallace discovered involving Calpine Corp. Private firms have alleged other recent hacks of networks and machinery tied to the U.S. power grid were carried out by teams from within Russia and China, some with governmental support.
Even the Islamic State group is trying to hack American power companies, a top Homeland Security official told industry executives in October. The attack involving Calpine is particularly disturbing because the cyberspies grabbed so much, according to interviews and previously unreported documents.
Calpine breach could be ongoing
Cybersecurity experts say the breach began at least as far back as August 2013, and could still be going on today. Calpine spokesman Brett Kerr said the company's information was stolen from a contractor that does business with Calpine. He said the stolen diagrams and passwords were old — some diagrams dated to 2002 — and presented no threat, though some outside experts disagree.
Kerr would not say whether the configuration of the power plants' operations networks — also valuable information — remained the same as when the intrusion occurred, or whether it was possible the attackers still had a foothold.
According to the AP investigation, the hackers got:
- User names and passwords that could be used to connect remotely to Calpine's networks, which were being maintained by a data security company. Even if some of the information was outdated, experts say skilled hackers could have found a way to update the passwords and slip past firewalls to get into the operations network. Eventually, they say, the intruders could shut down generating stations, foul communications networks and possibly cause a blackout near the plants.
- Detailed engineering drawings of networks and power stations from New York to California — 71 in all — showing the precise location of devices that communicate with gas turbines, boilers and other crucial equipment attackers would need to hack specific plants.
- Additional diagrams showing how those local plants transmit information back to the company's virtual cloud, knowledge attackers could use to mask their activity. For example, one map shows how information flows from the Agnews power plant in San Jose, California, near the San Francisco 49ers football stadium, to the company headquarters in Houston.
Wallace first came across the breach while tracking a new strain of noxious software that had been used to steal student housing files at the University of California, Santa Barbara.
"I saw a mention in our logs that the attackers stored their malware in some FTP servers online," said Wallace, who had recently joined the Irvine, Calif.-based cybersecurity firm Cylance, Inc., fresh out of college. "It wasn't even my job to look into it, but I just thought there had to be something more there."
19,000 stolen files
Wallace started digging. Soon, he found the FTP servers, typically used to transfer large numbers of files back and forth across the Internet, and the hackers' ill-gotten data — a tranche of more than 19,000 stolen files from thousands of computers across the world, including key documents from Calpine.
Before Wallace could dive into the files, his first priority was to track where the hackers would strike next — and try to stop them.
Months later, Wallace got the alert: From Internet Protocol addresses in Tehran, the hackers had deployed TinyZbot, a Trojan horse-style of software that the attackers used to gain backdoor access to their targets, log their keystrokes and take screen shots of their information. The hacking group, he would find, included members in the Netherlands, Canada, and the United Kingdom. Wallace discovered a folder containing dozens of engineers' diagrams of the Calpine power plants.
According to multiple sources, the drawings contained user names and passwords that an intruder would need to break through a firewall separating Calpine's communications and operations networks, then move around in the network where the turbines are controlled. The schematics also displayed the locations of devices inside the plants' process control networks that receive information from power-generating equipment. With those details, experts say skilled hackers could have penetrated the operations network and eventually shut down generating stations, possibly causing a blackout.
Cylance researchers said the intruders stored their stolen goods on seven unencrypted FTP servers that required no authentication, so anyone who found them could read the details about Calpine's plants. Jumbled in the folders was code that could be used to spread malware to other companies without being traced back to the attackers' computers, as well as handcrafted software designed to mask that the Internet Protocol addresses they were using were in Iran.
Iran thought to be source of attacks
Circumstantial evidence such as snippets of Persian comments in the code helped investigators conclude that Iran was the source of the attacks.
Calpine didn't know its information had been compromised until it was informed by Cylance, Kerr said.
Iranian U.N. Mission spokesman Hamid Babaei did not return calls or address questions emailed by AP.
Cylance notified the FBI, which warned the U.S. energy sector in an unclassified bulletin last December that a group using Iran-based IP addresses had targeted the industry.
Whether there was any connection between the Iranian government and the individual hackers who Wallace traced — with the usernames parviz, Alireza, Kaj, Salman Ghazikhani and Bahman Mohebbi — is unclear.
Last year, Homeland Security released several maps that showed a virtual hit list of critical infrastructure, including two substations in the San Francisco Bay area, water and gas pipelines and a refinery. And according to a previously reported study by the Federal Energy Regulatory Commission, a coordinated attack on just nine critical power stations could cause a coast-to-coast blackout that could last months, far longer than the one that plunged the Northeast into darkness in 2003.
"The grid is a tough target, but a lucrative target," said Keith Alexander, the former director of the National Security Agency who now runs a cybersecurity firm. The number of sophisticated attacks is growing, he said. "There is a constant, steady upbeat. I see a rising tide."