Cybersecurity company FireEye Inc. said it detected and stopped North Korea-linked hackers targeting U.S. power companies in an email phishing campaign Sept. 22. FireEye announced the findings in an Oct. 10 report, amid growing tensions and threats of war between North Korean leader Kim Jong-un and U.S. President Donald Trump over the testing of intercontinental missiles and nuclear weapons by the isolated totalitarian regime in East Asia.
"This activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack that might take months to prepare if it went undetected," said FireEye. "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea, but these compromises did not lead to a disruption of the power supply."
FireEye added that its experts did not observe any suspected North Korea-backed hackers using any tools or methods specifically designed to compromise or manipulate the networks of industrial control systems that regulate the supply of electricity. Nor has the California-based company found any evidence so far that North Korea-linked hackers are capable of such attacks on industrial control systems networks.
In December 2014, U.S. ally South Korea blamed suspected North Korea-linked hackers for targeting nuclear power plants operated by Korea Hydro & Nuclear Power Co. Ltd. with wiper malware that leaked sensitive company documents.
"Thus far, the suspected North Korean actions are consistent with a desire to demonstrate a deterrent capability rather than a prelude to an unprovoked first-strike in cyberspace," said FireEye. "However, North Korea-linked actors are bold, have launched multiple cyber attacks designed to demonstrate national strength and resolve, and have little concern for potential discovery and attribution of their operations."
In response to the report, Scott Aaronson, executive director for security and business continuity for Edison Electric Institute, which represents all U.S. investor-owned electric utilities, confirmed in a statement that the transmission of electricity was not affected nor was there any impact on operations at power plants or systems controlling North America's power grid. "Phishing attacks are something that electric companies prepare for and deal with on a regular basis, often in coordination with security experts and industry stakeholders," said Aaronson. "Energy grid and power plant operators continue to monitor for any developments along with our government partners."
FireEye said North Korea-linked hackers, which are "among the most prolific nation-state threats," will likely remain committed to pursuing targets in the energy sector in South Korea, the U.S. and their allies as a means of deterring war or sowing chaos if war breaks out.
North Korea's alleged targeting of U.S. power companies occurred near the end of a four-month distributed denial of service, or DDoS, campaign by the U.S. against North Korea's spy headquarters at the General Bureau of Reconnaissance, also known as Bureau 121. As reported by The Washington Post, the overwhelming DDoS attacks on North Korean servers sought to cut off internet access to Bureau 121. The reported U.S. campaign, which expired Sept. 30, was authorized by an executive order by Trump.
The Korea Institute for Liberal Democracy in Seoul, South Korea, has estimated that North Korea has 6,800 trained hackers employed at Bureau 121, which is widely believed to have been behind the 2014 hack of Sony Pictures. South Korea also blamed its adversaries for the 2016 theft of 235 gigabytes of classified military documents from South Korea's Defense Integrated Data Center, including U.S.-South Korean war plans to target Pyongyang's communist leadership.
The U.S. departments of Energy and Homeland Security did not immediately return requests for comment.