The Wolf Creek facility in Kansas was one of at least a dozen energy companies affected by the hacks, but officials say there’s no risk to public safety
The US Department of Energy (DOE) has acknowledged a campaign of attacks that targeted a number of energy companies, including at least one nuclear plant.
The government body said it was helping energy companies defend against the hackers, who it said had targeted administrative networks rather than the industrial control systems that control plants’ physical equipment.
“DOE is working with our government and industry partners to mitigate any impact from a cyber intrusion affecting entities in the energy sector,” the department said in a statement. “At this time, there has been no impact to systems controlling US energy infrastructure. Any potential impact appears to be limited to administrative and business networks.”
The department said it has supplied information about the incident to industry, providing technical details and ways of mitigating risks.
The US’ Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) said in a joint statement there was “no indication of a threat to public safety” because the attacks have targeted only business systems and not control software.
Security experts have long warned that countries’ critical infrastructure is at risk from attacks that could affect industrial control systems in sectors such as energy.
The DOE’s comments followed reports by both Bloomberg and The New York Times citing unnamed US officials who said that at least a dozen US organisations were affected by the wave of attacks.
Those groups included the Wolf Creek nuclear facility in Kansas and a manufacturer of control systems for the energy sector, the reports said.
The DHS and FBI reportedly sent an alert on 28 June to companies warning of hacks targeting nuclear, power and critical infrastructure sectors.
They said it isn’t known who might be behind the attacks, describing the source only as an “advanced persistent threat”.
A separate technical DHS bulletin from 28 June included code used in a hacking tool that suggested hackers had tried to use a Wolf Creek employee’s password to access the company’s network.
The alert said hackers had been observed using booby-trapped emails to harvest credentials that could be used to access administrative networks.
The Wolf Creek plant told Reuters that the incident had had no affect on operations due to the control systems being “completely separate” from the corporate network.
Computer security firm FireEye said the same attackers appear to have targeted companies in Ireland and Turkey with targeted phishing attacks as far back as 2015, and conducted “watering hole” attacks aimed at infecting computers used by electrical engineers and control systems operators.
In December 2015 an attack on a Ukraine power company left parts of western Ukraine, including regional capital Ivano-Frankivsk, without power. Security experts later said that a sophisticated Trojan horse called Black Energy was used in the hack.
The Ukraine blamed the incident on Russia, but security firms have said that as yet no connection has been found between that attack and the more recent US campaign.
Do you know all about security in 2017? Try our quiz!