Since May 2017, hackers have been infiltrating the corporate networks of nuclear power plants and of the companies that manufacture equipment for them.

While some credentials have been stolen, the air gap still protects the networks that control the plants, so there is no reason to worry about a meltdown or a smaller nuclear incident. The main threat is the hackers’ potential ability to disrupt the North American power grid.

Similar attacks have been observed twice in Ukraine: in December 2015, when hackers caused a series of blackouts by infecting the networks with BlackEnergy and using it to open the circuit breakers, and one year later, when Industroyer, aka CrashOverride, was used, only the second known cyber-sabotage weapon.

Carefully analysed by two cyber security firms, ESET from Slovakia and Dragos from the United States, Industroyer was described as a sophisticated tool for disrupting power grid control systems: it abuses the ICS protocols used in the former USSR and wipes the operator workstations.

With some modification, the malware could abuse North American control protocols as well. Luckily, a blackout would not last more than a few hours, since the operators could close the switches manually, as their Ukrainian colleagues did.

At the same time, if the hackers only wanted to cause a handful of blackouts, why would they concentrate on nuclear sites? Bloomberg suspects Russia of the ongoing attack, as it may have been behind the attack on Ukraine.

However, the news and media company acknowledges: “Determining who is behind an attack can be tricky. Government officials look at the sophistication of the tools, among other key markers, when gauging whether a foreign government is sponsoring cyber activities.” They add: “Several private security firms are studying data on the attacks, but none has linked the work to a particular hacking team or country.”

We suppose that if Russia really targeted Ukrainian grid control systems, it would do the same in the USA. There are countries much more interested in sabotaging American nuclear power plants and/or in industrial espionage.

The hackers appear to be planting backdoors in the corporate networks to collect intelligence and to decide what to do next. The methods they use are phishing and watering-hole attacks.

According to The New York Times, the phishing emails looked like job applications with fake CVs attached, which were actually malicious documents.

A watering-hole attack proceeds in steps: the hackers first investigate which sites the employees of the targeted organization use or visit, then compromise those sites, and the compromised site then serves as a stepping stone into the organization. Compromising M.E.Doc in order to infect multiple businesses with Petya (aka NotPetya) is an example of the technique.

So far, there is no evidence that a nuclear incident could be caused. “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” said a spokesperson for the Department of Homeland Security in a joint statement with the FBI.

Of course, the air gap can be jumped by a Stuxnet-like virus, but the automation used at nuclear sites is designed to prevent both the software and the operators from putting the plant into dangerous operating modes.

Photo credit: Maria on Flickr.