Windstorm Causes Significant Power Outages



Vancouver October 2024 Windstorm brought extreme weather to British Columbia, causing power outages, storm damage, and downed lines as BC Hydro crews led emergency response and restoration, highlighting climate change resilience and community preparedness.

 

Key Points

A severe storm with 100 km/h gusts that caused outages and damage in Vancouver, prompting wide power restoration.

✅ 100 km/h gusts toppled trees and downed power lines

✅ Over 200,000 BC Hydro customers lost electricity

✅ Crews and communities coordinated emergency response

 

In October 2024, a powerful windstorm swept through the Vancouver area, resulting in widespread power outages and disruption across the region. The storm, characterized by fierce winds and heavy rainfall, reflected conditions seen when strong winds in the Miami Valley knocked out power earlier this year, and was part of a larger weather pattern that affected much of British Columbia. Residents braced for the impacts, with local authorities and utility companies preparing for the worst.

The Storm's Impact

The windstorm hit Vancouver with wind gusts exceeding 100 km/h, toppling trees, and downing power lines. As the storm progressed, reports of damaged properties and fallen trees began to flood in. Many neighborhoods experienced significant power outages, mirroring widespread outages in Quebec earlier in the season, with thousands of residents left without electricity for extended periods. The areas hardest hit included the West End, Kitsilano, and parts of the North Shore, where the impact of the storm was particularly severe.

Utility companies, including BC Hydro operations, mobilized their crews quickly in response to the storm's aftermath. Emergency response teams worked tirelessly to restore power, often facing challenging conditions. The restoration efforts were complicated by the sheer number of outages reported—over 200,000 customers were affected at the height of the storm. Crews encountered not only downed lines but also hazardous conditions as they navigated through debris-laden streets.

Community Response and Resilience

In the wake of the storm, the community showcased remarkable resilience. Local residents rallied together to assist one another, sharing resources and providing support to those most affected. Many community centers opened their doors as emergency shelters, offering warmth and safety to those without power, a step also taken when a London power outage disrupted mornings for thousands across the city.

Authorities also emphasized the importance of preparedness in such situations. They urged residents to have emergency kits ready, including food, water, and essential supplies, noting that nearby areas like North Seattle can face sudden outages with little warning. Local officials highlighted the value of staying informed through weather updates and alerts, allowing residents to make informed decisions during extreme weather events.

The Role of Climate Change

The October windstorm serves as a stark reminder of the increasing frequency and intensity of extreme weather events, a trend often linked to climate change. Experts have noted that rising global temperatures are contributing to more severe weather patterns, including stronger storms and increased Toronto flooding events. As cities like Vancouver face the reality of climate change, discussions about infrastructure resilience and adaptation strategies have gained urgency.

City planners and environmental advocates are pushing for initiatives that enhance the city's ability to withstand extreme weather. This includes improving stormwater management systems, increasing green spaces to absorb rainfall, and investing in renewable energy sources. By addressing these challenges proactively, Vancouver aims to mitigate the impacts of future storms and protect its residents.

Moving Forward

As recovery efforts continue, the focus now shifts to restoring normalcy and preparing for future weather events. Residents are encouraged to report any ongoing outages or hazards to local authorities and to stay updated through reliable news sources. BC Hydro and other utility companies are committed to transparency, providing regular updates on power restoration efforts, even as outages can persist for days as seen in Toronto after a spring storm.

The October 2024 windstorm will be remembered not only for its immediate impacts but also as a catalyst for discussions on resilience and community preparedness. As Vancouver looks ahead, the lessons learned from this storm will shape strategies for better handling extreme weather, ensuring that the city is equipped to face the challenges posed by a changing climate.

In conclusion, while the windstorm caused significant disruption and hardship for many, it also highlighted the strength of community spirit and the importance of proactive planning in the face of climate challenges. Vancouver's response and recovery will be crucial in building a more resilient future for all its residents.

 

Related News

Yale Report on Western Grid Integration: Just Say Yes

Western Grid Integration aligns CAISO with a regional transmission operator under FERC oversight, boosting renewables, reliability, and cost savings while respecting state energy policy, emissions goals, and utility regulation across the West.

 

Key Points

Western Grid Integration lets CAISO operate under FERC to cut costs, boost reliability, and accelerate renewables.

✅ Lowers wholesale costs via wider dispatch and resource sharing

✅ Improves reliability with regional balancing and reserves

✅ Preserves state policy authority under FERC oversight

 

A strong and timely endorsement for western grid integration forcefully rebuts claims that moving from a balkanized system with 38 separate entities to a regional operation could introduce environmental problems, raise costs, or, as critics warn, export California’s energy policies to other western states, or open state energy and climate policies to challenge by federal regulators. In fact, Yale University’s Environmental Protection Clinic identifies numerous economic and environmental benefits from allowing the California Independent System Operator to become a regional grid operator.

The groundbreaking report comprehensively examines the policy and legal merits of allowing the California Independent System Operator (CAISO) to become a regional grid operator, open to any western utility or generator that wants to join, as similar market structure overhauls proceed in New England.

The Yale report identifies the increasing constraints that today’s fragmented western grid imposes on system-wide electricity costs and reliability, addresses the potential benefits of integration, and evaluates potential legal risks for the states involved. California receives particular attention because its legislature is considering the first step in the grid integration process, which involves authorizing the CAISO to create a fully independent board, even as it examines revamping electricity rates to clean the grid (other western states are unlikely to approve joining an entity whose governance is determined solely by California’s governor and legislature, as is the case now).

 

Elements of the report

The analysis examined all of California’s key energy and climate policies, from its cap on carbon emissions to its renewable energy goals and its pollution standards for power plants, and concludes that none would face additional legal risks under a fully integrated western grid. The operator of such a grid would be regulated by an independent federal agency (the Federal Energy Regulatory Commission)—but so is the CAISO itself, now and since its inception, by virtue of its extended involvement in interstate electricity commerce throughout the West. 

And if empowered to serve the entire region, the CAISO would not interfere with the longstanding rights of California and other states to regulate their utilities’ investments or set energy and climate policies. The study points out that grid operators don’t set energy policies for the states they serve; they help those states minimize costs, enhance reliability in the wake of California blackouts across the state, and avoid unnecessary pollution.

And as to whether an integrated grid would help renewable energy or fossil fuels, the report finds that renewable resources would be the inevitable winners, thanks to their lower operating costs, although the most important winners would be western utility customers, through lower bills, expanded retail choice options, and improved reliability.

 

Call to action

The Yale report concludes with what amounts to a call to action for California’s legislators:

“In sum, enhanced Western grid integration in general, and the emergence of a regional system operator in particular, would not expose California’s clean energy policies to additional legal risks. Shifting to a regional grid operator would enable more efficient, affordable and reliable integration of renewable resources without increasing the legal risk to California’s clean energy policies.”

The authors of the analysis, from the Yale Law School and the Yale School of Forestry and Environmental Studies, are Juliana Brint, Josh Constanti, Franz Hochstrasser, and Lucy Kessler. They dedicated months to the project, consulted with a diverse group of reviewers, and made the trek from New Haven to Folsom, CA, to visit the California Independent System Operator and interview key staff members.

 

 

Related News

US Government Condemns Russia for Power Grid Hacking

Russian Cyberattacks on U.S. Critical Infrastructure target energy grids, nuclear plants, water systems, and aviation, DHS and FBI warn, using spear phishing, malware, and ICS/SCADA intrusion to gain footholds for potential sabotage and disruption.

 

Key Points

State-backed hacks targeting U.S. energy, nuclear, water and aviation via phishing and ICS access for sabotage.

✅ DHS and FBI detail multi-stage intrusion since 2016

✅ Targets include energy, nuclear, water, aviation, manufacturing

✅ TTPs: spear phishing, lateral movement, ICS reconnaissance

 

Russia is attacking the U.S. energy grid, with reported power plant breaches unfolding alongside attacks on nuclear facilities, water processing plants, aviation systems, and other critical infrastructure that millions of Americans rely on, according to a new joint analysis by the FBI and the Department of Homeland Security.

In an unprecedented alert, the US Department of Homeland Security (DHS) and FBI have warned of persistent attacks by Russian government hackers on critical US government sectors, including energy, nuclear, commercial facilities, water, aviation and manufacturing.

The alert details numerous attempts extending back to March 2016 when Russian cyber operatives targeted US government and infrastructure.

The DHS and FBI said: “DHS and FBI characterise this activity as a multi-stage intrusion campaign by Russian government cyber-actors who targeted small commercial facilities’ networks, where they staged malware, conducted spear phishing and gained remote access into energy sector networks.

“After obtaining access, the Russian government cyber-actors conducted network reconnaissance, moved laterally and collected information pertaining to industrial control systems.”

The Trump administration has accused Russia of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.

United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt the West’s critical facilities in the event of a conflict.

They said the strikes accelerated in late 2015, at the same time the Russian interference in the American election was underway. The attackers had compromised some operators in North America and Europe by spring 2017, after President Trump was inaugurated.

In the following months, according to the DHS/FBI report, Russian hackers made their way to machines with access to utility control rooms and critical control systems at power plants that were not identified. The hackers never went so far as to sabotage or shut down the computer systems that guide the operations of the plants.

Still, new computer screenshots released by the Department of Homeland Security have made clear that Russian state hackers had the foothold they would have needed to manipulate or shut down power plants.

“We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage,” said Eric Chien, a security technology director at Symantec, a digital security firm.

“From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation,” Mr. Chien said.

American intelligence agencies were aware of the attacks for the past year and a half, and the Department of Homeland Security and the F.B.I. first issued urgent warnings to utility companies in June 2017. The DHS and FBI have now offered new details as the Trump administration imposed sanctions against Russian individuals and organizations it accused of election meddling and “malicious cyberattacks.”

It was the first time the administration officially named Russia as the perpetrator of the assaults. And it marked the third time in recent months that the White House, departing from its usual reluctance to publicly reveal intelligence, blamed foreign government forces for attacks on infrastructure in the United States.

In December, the White House said North Korea had carried out the so-called WannaCry attack that in May paralyzed the British health system and placed ransomware in computers in schools, businesses and homes across the world. Last month, it accused Russia of being behind the NotPetya attack against Ukraine last June, the largest in a series of cyberattacks on Ukraine to date, paralyzing the country’s government agencies and financial systems.

But the penalties have been light. So far, President Trump has said little to nothing about the Russian role in those attacks.

The groups that conducted the energy attacks, which are linked to Russian intelligence agencies, appear to be different from the two hacking groups that were involved in the election interference.

That would suggest that at least three separate Russian cyberoperations were underway simultaneously. One focused on stealing documents from the Democratic National Committee and other political groups. Another, by a St. Petersburg “troll farm” known as the Internet Research Agency, used social media to sow discord and division. A third effort sought to burrow into the infrastructure of American and European nations.

For years, American intelligence officials tracked a number of Russian state-sponsored hacking units as they successfully penetrated the computer networks of critical infrastructure operators across North America and Europe, including in Ukraine.

Some of the units worked inside Russia’s Federal Security Service, the K.G.B. successor known by its Russian acronym, F.S.B.; others were embedded in the Russian military intelligence agency, known as the G.R.U. Still others were made up of Russian contractors working at the behest of Moscow.

Russian cyberattacks surged last year, starting three months after Mr. Trump took office.

American officials and private cybersecurity experts uncovered a series of Russian attacks aimed at the energy, water and aviation sectors and critical manufacturing, including nuclear plants, in the United States and Europe. In its urgent report in June, the Department of Homeland Security and the F.B.I. notified operators about the attacks but stopped short of identifying Russia as the culprit.

By then, Russian spies had compromised the business networks of several American energy, water and nuclear plants, mapping out their corporate structures and computer networks.

They included that of the Wolf Creek Nuclear Operating Corporation, which runs a nuclear plant near Burlington, Kan. But in that case, and those of other nuclear operators, Russian hackers had not leapt from the company’s business networks into the nuclear plant controls.

Forensic analysis suggested that Russian spies were looking for inroads — although it was not clear whether the goal was to conduct espionage or sabotage, or to trigger an explosion of some kind.

In a report made public in October, Symantec noted that a Russian hacking unit “appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”

The United States sometimes does the same thing. It bored deeply into Iran’s infrastructure before the 2015 nuclear accord, placing digital “implants” in systems that would enable it to bring down power grids, command-and-control systems and other infrastructure in case a conflict broke out. The operation was code-named “Nitro Zeus,” and its revelation made clear that getting into the critical infrastructure of adversaries is now a standard element of preparing for possible conflict.

 


Reconstructed screenshot fragments of a Human Machine Interface that the threat actors accessed, according to DHS


Sanctions Announced

The US treasury department has imposed sanctions on 19 Russian people and five groups, including Moscow’s intelligence services, for meddling in the US 2016 presidential election and other malicious cyberattacks.

Russia, for its part, has vowed to retaliate against the new sanctions.

The new sanctions focus on five Russian groups, including the Russian Federal Security Service, the country’s military intelligence apparatus, and the digital propaganda outfit called the Internet Research Agency, as well as 19 people, some of them named in the indictment related to election meddling released by special counsel Robert Mueller last month.

In announcing the sanctions, which will generally ban U.S. people and financial institutions from doing business with those people and groups, the Treasury Department pointed to alleged Russian election meddling, involvement in the infrastructure hacks, and the NotPetya malware, which the Treasury Department called “the most destructive and costly cyberattack in history.”

The new sanctions come amid ongoing criticism of the Trump administration’s reluctance to punish Russia for cyber and election meddling. Sen. Mark Warner (D-Va.) said that, ahead of the 2018 mid-term elections, the administration’s decision was long overdue but not enough. “Nearly all of the entities and individuals who were sanctioned today were either previously under sanction during the Obama Administration, or had already been charged with federal crimes by the Special Counsel,” Warner said.

 

Warning: The Russians Are Coming

In an updated warning to utility companies, DHS/FBI officials included a screenshot taken by Russian operatives that proved they could now gain access to their victims’ critical controls, prompting a renewed focus on protecting the U.S. power grid among operators.

American officials and security firms, including Symantec and CrowdStrike, believe that Russian attacks on the Ukrainian power grid in 2015 and 2016 that left more than 200,000 citizens there in the dark are an ominous sign of what the Russian cyberstrikes may portend in the United States and Europe in the event of escalating hostilities.

Private security firms have tracked the Russian government assaults on Western power and energy operators — conducted alternately by groups under the names Dragonfly, Energetic Bear and Berserk Bear — since 2011, when they first started targeting defense and aviation companies in the United States and Canada.

By 2013, researchers had tied the Russian hackers to hundreds of attacks on the U.S. power grid and oil and gas pipeline operators in the United States and Europe. Initially, the strikes appeared to be motivated by industrial espionage — a natural conclusion at the time, researchers said, given the importance of Russia’s oil and gas industry.

But by December 2015, the Russian hacks had taken an aggressive turn. The attacks were no longer aimed at intelligence gathering, but at potentially sabotaging or shutting down plant operations.

At Symantec, researchers discovered that Russian hackers had begun taking screenshots of the machinery used in energy and nuclear plants, and stealing detailed descriptions of how they operated — suggesting they were conducting reconnaissance for a future attack.

Even though the US government enacted sanctions, cybersecurity experts are still questioning where the Russian attacks could lead, given that the United States was sure to respond in kind.

“Russia certainly has the technical capability to do damage, as it demonstrated in the Ukraine,” said Eric Cornelius, a cybersecurity expert at Cylance, a private security firm, who previously assessed critical infrastructure threats for the Department of Homeland Security during the Obama administration.

“It is unclear what their perceived benefit would be from causing damage on U.S. soil, especially given the retaliation it would provoke,” Mr. Cornelius said.

Though a major step toward deterrence, publicly naming countries accused of cyberattacks still is unlikely to shame them into stopping. The United States is struggling to come up with proportionate responses to the wide variety of cyberespionage, vandalism and outright attacks.

Lt. Gen. Paul Nakasone, who has been nominated as director of the National Security Agency and commander of United States Cyber Command, the military’s cyberunit, said during his recent Senate confirmation hearing that countries attacking the United States so far have little to worry about.

“I would say right now they do not think much will happen to them,” General Nakasone said. He later added, “They don’t fear us.”

 

 

Related News

Russia to Ban Bitcoin Mining Amid Electricity Deficit

Russia Bitcoin Mining Ban highlights electricity deficits, grid stability concerns, and sustainability challenges, prompting stricter cryptocurrency regulation as mining operations in Siberia face shutdowns, relocations, and renewed focus on energy efficiency and resource allocation.

 

Key Points

Policy halting Bitcoin mining in key regions to ease electricity deficits, stabilize the grid, and prioritize energy.

✅ Targets high-load regions like Siberia facing electricity deficits

✅ Protects residential and industrial energy security, limits outages

✅ Prompts miner relocations, regulation, and potential renewables

 

In a significant shift in its stance on cryptocurrency, Russia has announced plans to ban Bitcoin mining in several key regions, primarily due to rising electricity deficits. This move highlights the ongoing tensions between energy management and the growing demand for cryptocurrency mining, which has sparked a robust debate about sustainability and resource allocation in the country.

Background on Bitcoin Mining in Russia

Russia has long been a major player in the global cryptocurrency landscape, particularly in Bitcoin mining. The country’s vast and diverse geography offers ample opportunities for mining, with several regions boasting low electricity costs and cooler climates that are conducive to operating the high-powered computers used for mining, similar to Iceland's mining boom in cold regions.

However, the boom in mining activities has put a strain on local electricity grids, as seen with BC Hydro suspensions in Canada, particularly as demand for energy continues to rise. This situation has become increasingly untenable, leading government officials to reconsider the viability of allowing large-scale mining operations.

Reasons for the Ban

The decision to ban Bitcoin mining in certain regions stems from a growing electricity deficit that has been exacerbated by both rising temperatures and increased energy consumption. Reports indicate that some regions are struggling to meet domestic energy needs, and jurisdictions like Manitoba's pause on crypto connections reflect similar grid concerns, particularly during peak consumption periods. Officials have expressed concern that continuing to support cryptocurrency mining could lead to blackouts and further strain on the electrical infrastructure.

Additionally, this ban is seen as a measure to redirect energy resources toward more critical sectors, including residential heating and industrial needs. By curbing Bitcoin mining, the government aims to prioritize the energy security of its citizens and maintain stability within its energy markets and the wider global electricity market dynamics.

Regional Impact

The regions targeted by the ban include areas that have seen a significant influx of mining operations, often attracted by the low costs of electricity. For instance, Siberia, known for its abundant natural resources and inexpensive power, has become a major center for miners. The ban is likely to have profound implications for local economies that have come to rely on the influx of investments from cryptocurrency companies.

Many miners are expected to be affected financially as they may have to halt operations or relocate to regions with more favorable regulations. This could lead to job losses and a decline in local business activities that have sprung up around the mining industry, such as hardware suppliers and tech services.

Broader Implications for Cryptocurrency in Russia

This ban reflects a broader trend within Russia’s approach to cryptocurrencies. While the government has been cautious about outright banning digital currencies, it has simultaneously sought to regulate the industry more stringently. Recent legislation has aimed to establish a legal framework for cryptocurrencies, focusing on taxation and oversight while navigating the balance between innovation and regulation.

As other countries around the world grapple with the implications of cryptocurrency mining, Russia’s decision adds to the narrative of the challenges associated with energy consumption in this sector. The international community is increasingly aware of the environmental impact of Bitcoin mining, which has come under fire for its significant energy use and carbon footprint.

Future of Mining in Russia

Looking ahead, the future of Bitcoin mining in Russia remains uncertain. While some regions may implement strict bans, others could potentially embrace a more regulated approach to mining, provided it aligns with energy availability and environmental considerations. The country’s vast landscape offers opportunities for innovative solutions, such as utilizing renewable energy sources, even as India's solar growth slows amid rising coal generation, to power mining operations.

As global attitudes toward cryptocurrency evolve, Russia will likely continue to adapt its policies in response to both domestic energy needs and international pressures, including Europe's shift away from Russian energy, that influence policy choices. The balance between fostering a competitive cryptocurrency market and ensuring energy sustainability will be a key challenge for Russian policymakers moving forward.

Russia’s decision to ban Bitcoin mining in key regions marks a pivotal moment in the intersection of cryptocurrency and energy management. As the nation navigates its energy deficits, the implications for the mining industry and the broader cryptocurrency landscape will be significant. This move not only underscores the need for responsible energy consumption in the digital age but also reflects the complexities of integrating emerging technologies within existing frameworks of governance and infrastructure. As the situation unfolds, all eyes will be on how Russia balances innovation with sustainability in its approach to cryptocurrency.

 

Related News

EU Smart Meters Spur Growth in the Customer Analytics Market

EU Smart Meter Analytics integrates AMI data with grid edge platforms, enabling back-office efficiency, revenue assurance, and customer insights via cloud and PaaS solutions, while system integration cuts costs and improves utility performance.

 

Key Points

EU smart meter analytics uses AMI data and cloud to improve utility performance, revenue assurance, and outcomes.

✅ AMI underpins grid edge analytics and utility IT/OT integration

✅ Cloud and PaaS reduce costs and scale data-driven applications

✅ Focus shifts from meter rollout to back-office and revenue analytics

 

Europe's investment in smart meters has begun to open up the market for analytics that benefit both utilities and customers.

Two new reports from GTM Research demonstrate the substantial investment in both advanced metering infrastructure (AMI) and specific customer analytics segments -- the first report analyzes the progress of AMI deployment in Europe, while the second is a comprehensive assessment of analytics use cases, including AI in utility operations, enabled by or interacting with AMI.

The Third Energy Package mandated EU member states to perform a cost-benefit analysis to evaluate the economic viability of deploying smart meters and broader grid modernization costs across member states. Two-thirds of the member states found there was a net positive result, while seven members found negative or inconclusive results.

“The mandate spurred AMI deployment in the EU, but all member states are deploying some AMI. Even without an overall positive cost-benefit outcome, utilities found pockets of customers where there is a positive business case for AMI,” said Paulina Tarrant, research associate at GTM Research and lead author of “Racing to 2020: European Policy, Deployment and Market Share Primer.”

Annual AMI contracting peaked in 2013 -- two years after the mandate -- with 29 million contracted that year. Today, 100 million meters have been contracted overall. As member states reach their respective targets, the AMI market will cool in Europe and spending on analytics and applications will continue to ramp up, aligning with efforts to invest in smarter infrastructure across the sector, Tarrant noted.

Between 2017 and 2021, more than $30 billion will be spent on utility back-office and revenue-assurance analytics in the EU, reflecting the shift toward the digital grid architecture, according to GTM Research’s Grid Edge Customer Utility Analytics Ecosystems: Competitive Analysis, Forecasts and Case Studies.

The report examines the broad landscape of customer analytics showing how AMI interacts with the larger IT/OT environment of a utility.

“The benefits of AMI expand beyond revenue assurance -- in fact, AMI represents the backbone of many customer utility analytics and grid edge solutions,” said Timotej Gavrilovic, author of the Grid Edge Customer Utility Ecosystems report.

Integration is key, according to the report.

“Technology providers are integrating data sets, solutions and systems and partnering with others to provide a one-stop shop serving broad utility needs, increasing efficiencies and reducing costs,” Gavrilovic said. “Cloud-based deployments and platform-as-a-service offerings are becoming commonplace, creating an opportunity for utilities to balance the cost versus performance tradeoff to optimize their analytics systems and applications.”

A diverse array of customer analytics applications is a critical foundation for demonstrating the positive cost-benefit of AMI.

“Advanced analytics and applications are key to ensuring that AMI investments provide a positive return after smart meters are initiated,” said Tarrant. “Improved billing and revenue assurance was not enough everywhere to show customer benefit -- these analytics packages will leverage the distributed network infrastructure, including advanced inverters used with distributed energy resources, and subsequent increased data access, uniting the electricity markets of the EU.”

 


Symantec Proves Russian

Dragonfly energy sector cyberattacks target ICS and SCADA across critical infrastructure, including the power grid and nuclear facilities, using spearphishing, watering-hole sites, supply-chain compromises, malware, and VPN exploits to gain operational access.

 

Key Points

Dragonfly APT campaigns target energy firms and ICS to gain grid access, risking manipulation and service disruption.

✅ Breaches leveraged spearphishing, watering-hole sites, and supply chains.

✅ Targeted ICS, SCADA, VPNs to pivot into operational networks.

✅ Aimed to enable power grid manipulation and potential outages.

 

An October 2017 report by researchers at Symantec Corp., cited by the U.S. government, has linked recent US power grid cyber attacks to a group of hackers it had code-named "Dragonfly", and said it found evidence that critical infrastructure facilities in Turkey and Switzerland had also been breached.

The Symantec researchers said an earlier wave of attacks by the same group starting in 2011 was used to gather intelligence on companies and their operational systems. The hackers then used that information for a more advanced wave of attacks targeting industrial control systems that, if disabled, leave millions without power or water.

U.S. intelligence officials have long been concerned about the security of the country’s electrical grid. The recent attacks, condemned by the U.S. government, striking almost simultaneously at multiple locations, are testing the government’s ability to coordinate an effective response among several private utilities, state and local officials, and industry regulators.


While the core of a nuclear generator is heavily protected, a sudden shutdown of the turbine can trigger safety systems. These safety devices are designed to disperse excess heat while the nuclear reaction is halted, but the safety systems themselves may be vulnerable to attack.

The operating systems at nuclear plants also tend to be legacy controls built decades ago and don’t have digital control systems that can be exploited by hackers.

“Since at least March 2016, Russian government cyber actors… targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors,” according to Thursday’s FBI and Department of Homeland Security report. The report did not say how successful the attacks were or specify the targets, but said that the Russian hackers “targeted small commercial facilities’ networks where they staged malware, conducted spearphishing, and gained remote access into energy sector networks.” At least one target of a string of infrastructure attacks last year was a nuclear power facility in Kansas.

Symantec doesn’t typically point fingers at particular nations in its research on cyberattacks, said Eric Chien, technical director of Symantec’s Security Technology and Response division, though he said his team doesn’t see anything it would disagree with in the new federal report. The government report appears to corroborate Symantec’s research, showing that the hackers had penetrated computers and accessed utility control rooms that would let them directly manipulate power systems, he says.

“There were really no more technical hurdles for them to do something like flip off the power,” he said.

And as for the group behind the attacks, Chien said it appears to be relatively dormant for now, but it has gone quiet in the past only to return with new hacks.

“We expect they’re sort of retooling now, and they likely will be back,”

 


 

In some cases, Dragonfly successfully broke into the core systems that control US and European energy companies, Symantec revealed.

“The energy sector has become an area of increased interest to cyber-attackers over the past two years,” Symantec said in its report.

“Most notably, disruptions to Ukraine’s power system in 2015 and 2016 were attributed to a cyberattack and led to power outages affecting hundreds of thousands of people. In recent months, there have also been media reports of attempted attacks on the electricity grids in some European countries, as well as reports of companies that manage nuclear facilities in the US being compromised by hackers.

“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so. Symantec customers are protected against the activities of the Dragonfly group.”

In recent weeks, senior US intelligence officials said that the Kremlin believes it can launch hacking operations against the West with impunity, including a cyber weapon that can disrupt power grids, according to assessments.

The DHS and FBI report further elaborated: “This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organisations such as trusted third-party suppliers with less-secure networks, referred to as ‘staging targets’ throughout this alert.

“The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. National Cybersecurity and Communications Integration Center and FBI judge the ultimate objective of the actors is to compromise organisational networks, also referred to as the ‘intended target’.”

According to the US alert, hackers used a variety of attack methods, including spear-phishing emails, watering-hole domains, credential gathering, open source and network reconnaissance, host-based exploitation, and deliberate targeting of ICS infrastructure.

The attackers also targeted VPN software and used password cracking tools.

Once inside, the attackers downloaded tools from a remote server and then carried out a number of actions, including modifying key systems to store plaintext credentials in memory, and built web shells to gain command and control of targeted systems.

“This actors’ campaign has affected multiple organisations in the energy, nuclear, water, aviation, construction and critical manufacturing sectors, with hundreds of victims across the U.S. power grid confirmed,” the DHS said, before outlining a number of steps that IT managers in infrastructure organisations can take to cleanse their systems and defend against Russian hackers.
 

 


Kaspersky Lab Discovers Russian Hacker Infrastructure

Crouching Yeti APT targets energy infrastructure with watering-hole attacks, compromising servers to steal credentials and stage intrusions; Kaspersky Lab links the Energetic Bear group to ICS threats across Russia, US, Europe, and Turkey.

 

Key Points

Crouching Yeti APT, aka Energetic Bear, is a threat group that targets energy firms using watering-hole attacks.

✅ Targets energy infrastructure via watering-hole compromises

✅ Uses open-source tools and backdoored sshd for persistence

✅ Scans global servers to stage intrusions and steal credentials

 

A hacker collective known for attacking industrial companies around the world has had some of its infrastructure identified by Russian security specialists.

Kaspersky Lab said that it has discovered a number of servers compromised by the group, belonging to different organisations based in Russia, the US, and Turkey, as well as European countries.

The Russian-speaking hackers, known as Crouching Yeti or Energetic Bear, mostly focus on energy facilities, as seen in reports of infiltration of the U.S. power grid targeting critical infrastructure, for the main purpose of stealing valuable data from victim systems.

 

Hacked servers

Crouching Yeti is described as an advanced persistent threat (APT) group that Kaspersky Lab has been tracking since 2010.


Kaspersky Lab said that the servers the group has compromised are not limited to industrial companies. The servers were hit in 2016 and 2017 with different intentions. Some were compromised to gain access to other resources or to be used as intermediaries to conduct attacks on other resources.

Others, including those hosting Russian websites, were used as watering holes.

It is a common tactic for Crouching Yeti to utilise watering hole attacks where the attackers inject websites with a link redirecting visitors to a malicious server.
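A defender-side check for the watering-hole tactic described above, as an added example that is not from Kaspersky Lab or the original article: it lists every resource a page loads automatically from a host outside an approved set. The function name, the host names and the sample page are constructed for illustration, and limiting the check to auto-loaded resources (not clickable links) is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a browser fetches on page load, with no click needed.
AUTO_FETCH = {("script", "src"), ("img", "src"), ("iframe", "src"),
              ("frame", "src"), ("embed", "src"), ("object", "data"),
              ("link", "href")}

class _ResourceCollector(HTMLParser):
    """Collect (line, tag, url) for every auto-fetched resource reference."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which this tag starts
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                self.refs.append((line, tag, value.strip()))

def audit_page(html, approved_hosts):
    """Return (line, tag, host) for resources loaded from unapproved hosts."""
    approved = {h.lower() for h in approved_hosts}
    collector = _ResourceCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, tag, url in collector.refs:
        try:
            host = urlsplit(url).hostname  # None for relative (same-site) URLs
        except ValueError:
            host = "<unparseable>"         # malformed URL: report, do not skip
        if host is not None and host not in approved:  # exact match only
            findings.append((line, tag, host))
    return findings

# Constructed sample page: two legitimate references, two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://CDN.example.org/lib.js"></script>
</head><body>
<img src="images/logo.png">
<iframe src="//stats.example.net/t.html" width="0" height="0"></iframe>
<script src="https://cdn.example.org.example.net:8443/lib.js"></script>
</body></html>"""
APPROVED_HOSTS = {"www.example.com", "cdn.example.org"}  # constructed baseline

if __name__ == "__main__":
    for line, tag, host in audit_page(SAMPLE_PAGE, APPROVED_HOSTS):
        print(f"line {line}: <{tag}> loads from unapproved host {host}")
```

Hosts are compared by exact match after normalisation, so a look-alike name that merely begins with an approved host is still reported.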

“In the process of analysing infected servers, researchers identified numerous websites and servers used by organisations in Russia, US, Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack,” said the security specialists in a blog posting.

“The range of websites and servers that captured the attention of the intruders is extensive,” the firm said. “Kaspersky Lab researchers found that the attackers had scanned numerous websites of different types, including online stores and services, public organisations, NGOs, manufacturing, etc.”

Kaspersky Lab said that the hackers used publicly available malicious tools, designed for analysing servers, and for seeking out and collecting information. The researchers also found a modified sshd file with a preinstalled backdoor. This was used to replace the original file and could be authorised with a ‘master password’.

“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organisations through watering hole attacks, among other techniques,” explained Vladimir Dashchenko, head of vulnerability research group at Kaspersky Lab ICS CERT.

 

Russian government?

“Our findings show that the group compromised servers not only for establishing watering holes, but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” he said.

“The group’s activities, such as initial data collection, the theft of authentication data, and the scanning of resources, are used to launch further attacks,” said Dashchenko. “The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties.”

This may well tie into a similar conclusion from a rival security vendor.

In 2014 CrowdStrike claimed that the ‘Energetic Bear’ group was also tracked in Symantec's Dragonfly research and had been hacking foreign companies on behalf of the Russian state.

The security vendor had said the group had been carrying out attacks on foreign companies since 2012, with reports of breaches at U.S. power plants that underscored the campaign, and there was evidence that these operations were sanctioned by the Russian government.

Last month the United States, in a condemnation of Russian grid hacking, for the first time publicly accused Russia of attacks against the American power grid.

Symantec meanwhile warned last year of a resurgence in cyber attacks on European and US energy companies, including reports of access to U.S. utility control rooms that could result in widespread power outages.

And last July the UK’s National Cyber Security Centre (NCSC) acknowledged it was investigating a broad wave of attacks on companies in the British energy and manufacturing sectors.

 
