Q4 Threat Report
Throughout the fourth quarter of 2022, Fortress tracked major developments that have shifted the threat environment for the critical infrastructure supply chain. Between September and December, an unknown threat actor was involved in at least 14 physical security events related to US power grid infrastructure. These include attacks in the following states:
- North Carolina
- South Carolina
The attacks were split between small arms fire, physical destruction, fire, and, in the case of Florida, an unknown actor entering 5 substation facilities and manually shutting off equipment. The attacks are similar to the 2013 attacks on electric grid infrastructure in Metcalf, California, where a suspected group of attackers cut telecommunication lines and opened fire on transformers, shutting down the substation for repairs.
The FBI has started an investigation but has not released details other than confirmation of the attacks and a request for information. Sealed warrants have been issued regarding the North Carolina attacks, indicating that law enforcement is aware of possible threat actors in the area. In February 2022, several suspects were arrested in Ohio for providing material support to a plot to attack power grids across the United States. The South Carolina incident was a random act, according to the local sheriff. According to the FBI, the Ohio suspects were tied to white supremacist groups and intended the attacks to cause economic distress and civil unrest.1 While the recent attacks do not have a known goal, it is rumored that they are related to alt-right extremists. It can be assumed that more attacks will occur until the threat actor network is rolled up.
On the global front, Russian advances have been stalled and repelled in Ukraine. Putin is seemingly unwilling to concede the war and will continue to push for gains. If Russia can outlast Western interest in Ukraine, the drawdown of funding/weapons may help Russia reclaim territory it recently lost to Ukrainian military advances. Russian attacks, both physical and electronic, on Ukrainian electric infrastructure have degraded power reliability to the point of at least 10 million Ukrainians going without power for stretches of time. Attacks related to the war have also impacted US organizations tied to political branches or the military through Q4.
Killsec, the Russian equivalent of Anonymous, has targeted various US government sites with Distributed-Denial-of-Service (DDoS) attacks and has had some success in temporarily shutting them down. An unknown actor breached a large political consulting firm that reported on New Jersey politics and offered the data on a breach site. US military contractors have suffered cyberattacks and breaches throughout the year, possibly resulting in the theft of classified data. In addition to Russia, it is believed that China, Iran, and North Korea have been involved in some of these attacks.
Looking forward to Q1, it is likely that more physical attacks on electric grid substations will occur. If substation security is improved, threat actors may expand their targeting to include other infrastructure. If the threat group is decentralized, attacks may continue even after the initial cell is arrested. Attacks on US political organizations will slow down as the election season is over. However, attacks on military contractors will continue, along with ransomware attacks. Sanctions against Russia have slowed ransomware attacks somewhat (compared to the first half of 2022), but they are still at a high enough tempo to be the most dangerous threat to corporations. Alongside the physical attacks, it is likely that Russia will pursue other clandestine destabilization efforts in the US as a response to our support for Ukraine.
Fortress Information Security (FIS) will continue to monitor these threats and will issue a new Quarterly Threat Report at the close of the current quarter.