Despite signing a nuclear deal forced through the U.S. Congress by President Barack Obama, the Iranian government has continually pushed the limits.
Now a new report says the Islamic country may have access to dangerous amounts of data and passwords — and they could use it to shut down power for millions of Americans at any time.
Security researcher Brian Wallace was on the trail of hackers who had snatched a California university’s housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States power grid.
Digital clues pointed to Iranian hackers. And Wallace found that they had already taken passwords, as well as engineering drawings of dozens of power plants, at least one with the title “Mission Critical.” The drawings were so detailed that experts say skilled attackers could have used them, along with other tools and malicious code, to knock out electricity flowing to millions of homes.
So many attackers have stowed away in the systems that run the U.S. electric grid, experts say, that analysts believe they likely have the capability to strike at will.
And that’s what worries Wallace and other cybersecurity experts most.
This attack is particularly disturbing because the cyber spies grabbed so much, according to interviews and previously unreported documents obtained by the Associated Press.
In their attack, hackers grabbed user names and passwords that could be used to connect remotely to Calpine’s networks, which were being maintained by a data security company. Even if some of the information was outdated, experts say skilled hackers could have found a way to update the passwords and slip past firewalls to get into the operations network. Eventually, they say, the intruders could shut down generating stations, foul communications networks and possibly cause a blackout near the plants.
They also grabbed detailed engineering drawings of networks and power stations from New York to California — 71 in all — showing the precise location of devices that communicate with gas turbines, boilers and other crucial equipment attackers would need to hack specific plants.
Finally, there were additional diagrams showing how those local plants transmit information back to the company’s virtual cloud, knowledge attackers could use to mask their activity. For example, one map shows how information flows from the Agnews power plant in San Jose, California, near the San Francisco 49ers football stadium, to the company headquarters in Houston.
Wallace first came across the breach while tracking a new strain of noxious software that had been used to steal student housing files at the University of California, Santa Barbara.
“I saw a mention in our logs that the attackers stored their malware in some FTP servers online,” said Wallace, who had recently joined the Irvine, Calif.-based cybersecurity firm Cylance, Inc., fresh out of college. “It wasn’t even my job to look into it, but I just thought there had to be something more there.”
Wallace started digging. Soon, he found the FTP servers, typically used to transfer large numbers of files back and forth across the Internet, and the hackers’ ill-gotten data — a tranche of more than 19,000 stolen files from thousands of computers across the world, including key documents from Calpine.
Before Wallace could dive into the files, his first priority was to track where the hackers would strike next — and try to stop them.
He started staying up nights, often jittery on Red Bull, to reverse-engineer malware. He waited to get pinged that the intruders were at it again.
Months later, Wallace got the alert: From Internet Protocol addresses in Tehran, the hackers had deployed TinyZbot, a Trojan-horse-style program that gave the attackers backdoor access to their targets, logged their keystrokes and took screenshots of their information. The hacking group, he would find, included members in the Netherlands, Canada and the United Kingdom.
The more he followed their trail, the more nervous Wallace got.
Then he discovered evidence of the attackers’ most terrifying heist — a folder containing dozens of engineers’ diagrams of the Calpine power plants.
According to multiple sources, the drawings contained user names and passwords that an intruder would need to break through a firewall separating Calpine’s communications and operations networks, then move around in the network where the turbines are controlled. The schematics also displayed the locations of devices inside the plants’ process control networks that receive information from power-generating equipment. With those details, experts say skilled hackers could have penetrated the operations network and eventually shut down generating stations, possibly causing a blackout.
Circumstantial evidence such as snippets of Persian comments in the code helped investigators conclude that Iran was the source of the attacks.
As Deputy Energy Secretary Elizabeth Sherwood-Randall said in a speech earlier this year, “If we don’t protect the energy sector, we are putting every other sector of the economy in peril.”
The Associated Press contributed to this article.