By Jason Murdock, NEWSWEEK
Hackers working for a state-sponsored cyber-espionage unit with alleged links to Russia could have caused electricity blackouts in the U.S. last year after gaining access to some utility control rooms, a Department of Homeland Security (DHS) official disclosed this week.
Jonathan Homer, chief of industrial control system analysis at the agency, said that hackers “got to the point where they could have thrown switches” and mess with power flows, according to the Wall Street Journal, which first reported the news from a federal briefing on Monday.
(Learn More. CBS News has learned hackers related to Russia gained access to the control rooms of U.S. electric utilities in 2016 and 2017, and were able to compromise the grid the point where they could have interrupted power flows and caused blackouts. CBS News justice and homeland security correspondent Jeff Pegues joins CBSN to discuss his reporting. Courtesy of CBS News and YouTube. Posted on Jul 24, 2018.)
Homer said there had been “hundreds of victims” since the attacks began in 2016, but they have not been named.
It remains unclear to what extent they were compromised.
The cyberattack, he warned, may be ongoing.
But experts in the national infrastructure field this week remained skeptical of his claims, stressing that language used in such incidents is often overblown.
According to the DHS, the culprits work for a Russian hacking unit.
Active since 2010, the unit has had various code names, including Energetic Bear, Crouching Yeti and Dragonfly.
It has been well-documented over the years by government and private sector security experts including Homeland Security’s ICS-CERT alongside Kaspersky Lab, FireEye and Symantec.
Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors – Alert (TA18-074A)
Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
Analysis by DHS and FBI, resulted in the identification of distinct indicators and behaviors related to this activity.
Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. 
This campaign comprises two distinct categories of victims: staging and intended targets.
The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert.
The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.
The National Cybersecurity and Communications Integration Center (NCCIC) and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”
The joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) providing information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.
DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.
After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
For additional information, view Alert (TA18-074A) at https://www.us-cert.gov/ncas/alerts/TA18-074A.
NCCIC Webinar Series on Russian Government Cyber Activity
NCCIC will conduct a series of webinars on Russian government cyber activity against critical infrastructure (as detailed in NCCIC Alert TA18-074A), which will feature NCCIC subject matter experts discussing recent cybersecurity incidents, mitigation techniques, and resources that are available to help protect critical assets.
The same webinar will be held from 1-2:30 p.m. ET on the dates listed below:
- Monday, July 30
- Wednesday, August 1