The Department of Homeland Security confirmed late Tuesday that an American utility provider was hacked by a “sophisticated” hacker or group of hackers, who successfully accessed the company’s control system network.
A DHS official told Reuters the department was able to close the security breach before attackers had a chance to affect the company’s operations, but the initial success of the attempt illustrates the growing challenge of securing the U.S.’s increasingly tech-reliant infrastructure against equally growing advances in cyber attacks.
The Web-based entry point the hackers used to reach the control system was originally designed to give operators remote access; the attackers logged into it after using a “brute force” hacking method to discover the password.
“In many cases, these devices have not been configured with adequate authentication mechanisms, thereby further increasing the chances of both opportunistic and targeted attempts to directly access these components,” the department wrote in its report.
“As tools and adversary capabilities advance, we expect that exposed systems will be more effectively discovered and targeted by adversaries.”
Homeland Security reports it wasn’t the first such attack against the company, which was not named, and that it was likely exposed to multiple threats.
The agency’s Industrial Control Systems Cyber Emergency Response Team does not publicly report attacks in order to encourage companies to come forward without fear of business repercussions, but did so in this case to highlight the need for companies to adopt stricter security measures over utility control systems — especially those with heavy public reliance.