We can confirm that FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government. This activity was early-stage reconnaissance and, judging from past experience with other cyber threat groups, not necessarily indicative of an imminent disruptive cyber attack; even had it gone undetected, such an attack might have taken months to prepare. We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea, but these compromises did not lead to a disruption of the power supply.
We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power. Furthermore, we have not uncovered evidence that North Korean linked actors have access to any such capability at this time.
Nation-states often conduct cyber espionage operations to gather intelligence and prepare for contingencies, especially at times of high tension. FireEye has detected more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions. The few examples of disruptions to energy sector operations caused by cyber operations required additional technical and operational steps that these North Korean actors do not appear to have taken, nor have they shown the ability to take.
In December 2014, the South Korean Government reported that nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP) were targeted with wiper malware, potentially linked to North Korean actors. This incident did not demonstrate the ability to disable operations. Instead, sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government, a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims.
Thus far, the suspected North Korean actions are consistent with a desire to demonstrate a deterrent capability rather than a prelude to an unprovoked first strike in cyberspace; however, North Korea-linked actors are bold, have launched multiple cyber attacks designed to demonstrate national strength and resolve, and have little concern for potential discovery and attribution of their operations. They likely remain committed to pursuing targets in the energy sector, especially in South Korea and among the U.S. and its allies, as a means of deterring potential war or sowing disorder during a time of armed conflict.
The number of nation-states developing the capability to disable the operations of power utilities has increased in recent years. For North Korea, even limited compromises of power companies would probably be exaggerated and hailed as a victory by Pyongyang.
North Korea-linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide. Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback.