Hackers stole data belonging to multiple electric utilities in an October ransomware attack on a US government contractor that handles critical infrastructure projects across the country, according to a memo describing the hack obtained by CNN.
Federal officials have closely monitored the incident for any potential broader impact on the US power sector while private investigators have combed the dark web for the stolen data, according to the memo sent this month to power company executives by the North American grid regulator’s cyberthreat sharing center.
The previously unreported incident is a window into how ransomware attacks on critical US companies are handled behind the scenes as lawyers and federal investigators quietly spring into action to determine the extent of the damage.
The ransomware attack hit Chicago-based Sargent & Lundy, an engineering firm that has designed more than 900 power stations and thousands of miles of power systems and that holds sensitive data on those projects.
The firm also handles nuclear security issues, working with the departments of Defense, Energy and other agencies “to strengthen nuclear deterrence” and keep weapons of mass destruction out of terrorists’ hands, according to its website.
Two people familiar with the investigation of the Sargent & Lundy hack told CNN that the incident was contained and remediated, and didn’t appear to have a broader impact on other power-sector firms.
There is no sign that data stolen from Sargent & Lundy, which includes “model files” and “transmission data” the firm uses for utility projects, is on the dark web, according to the memo from the Electricity Information Sharing and Analysis Center.
But security experts have long been concerned that schematics held by electric and nuclear power contractors could be dumped online and used for follow-on physical or cyberattacks on those facilities.
“These are literally the configurations for your programmable logic controllers, your relays,” said longtime security consultant Patrick Miller, referring to critical electric equipment that keeps the lights on. “We’re really concerned about the data that’s in those organizations.”
Those concerns are particularly acute following a spate of physical attacks and vandalism at electric utilities in multiple states. Tens of thousands of people lost power in Moore County, North Carolina, this month after Duke Energy substations were damaged by gunfire. On Christmas, thousands of people lost power in a Washington county after someone vandalized multiple substations there.
“We’re fully recovered from the incident, which had minimal impact on our normal business operations,” Brenda Romero, a spokesperson for Sargent & Lundy, said in a statement to CNN. Romero said the firm “notified law enforcement” of the hack.
Romero declined to answer further questions on the ransomware attack, including whether the hackers had tried to extort Sargent & Lundy, citing an ongoing investigation.
The Biden administration has urged companies to share data on such hacks as US officials have tried to get a grip on the epidemic of ransomware, which has cost critical infrastructure firms many millions of dollars.
The hackers that hit Sargent & Lundy used a strain of ransomware known as Black Basta that first surfaced early this year, according to two people familiar with the investigation. Scores of Black Basta attacks have been reported since April, according to cybersecurity firm Palo Alto Networks. The hackers steal data from their victims to give them added leverage in ransom negotiations.
Sargent & Lundy is one of several engineering firms whose work on critical infrastructure projects cuts across different sectors of the economy. For US cybersecurity officials, the supply-chain security risk posed by this kind of engineering work can be harder to evaluate than the risk posed by a firm that only makes software.
Federal regulations require electric utilities to maintain certain cybersecurity standards for protecting their systems from hacks. Companies that contract with those utilities, such as Sargent & Lundy, aren’t necessarily held to the same standard and are instead bound by the security requirements in the contract, experts told CNN.
“Utilities are effectively allowed to accept as much risk as they want,” said Miller, who is CEO of Oregon-based Ampere Industrial Security, a consulting firm. “Is it perfect? No, but [the contractors] are being assessed [for their security] in some ways through the utilities.”