The hacking campaign that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries who were also running the software, according to a security firm conducting investigations of some of the breaches.

In addition to these companies, the SolarWinds software also infected three firms that provide managed services to critical infrastructure industries, says Rob Lee, founder and CEO of Dragos, which specializes in industrial control system security for critical infrastructure and whose company discovered some of the infections.

The managed service providers, known in the industry as original equipment manufacturers or OEMs, sometimes have authorized remote access directly into critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breach such a provider can potentially use that provider’s credentials and access to control critical processes on their customers’ networks.

“If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”

But compromising an OEM does magnify the potential risks to multiple entities.

“[I]t’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” Lee said. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”

He notes that in some cases the OEMs actually infected their customers with the SolarWinds software. Some of the OEMs use the SolarWinds software not just to manage and monitor their own networks, but they also have installed it on customer networks to manage and monitor those. And some of those customers weren’t aware the SolarWinds software was on their network, because it had been installed by their OEM as part of the OEM’s monitoring and maintenance package.

Lee wouldn’t identify the OEMs and doesn’t know if the SolarWinds hackers took an interest in the providers and further compromised them to gain access to the customer networks they remotely manage.

The SolarWinds software was compromised back in March; it installed a backdoor to provide an attacker access to the network of anyone who downloaded it in the last eight months. The backdoor, which security researchers at the security firm FireEye have dubbed SUNBURST, gathers information about the infected network then waits about two weeks before sending a beacon to a command-and-control server owned by the hackers, along with information about the infected network, to signal to them that the infected system is open for them to surreptitiously enter. The hackers would have used that network information to pick out high-value targets and determine which ones they wanted to burrow into further. Once inside an infected system and network, the hackers can download more malicious tools to it and steal employee credentials to gain access to more critical parts of the network to either collect valuable information or potentially to alter data or alter processes on those networks. Kevin Mandia, CEO of cybersecurity company FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor.

Lee said some of the infections in the critical infrastructure sector occurred on the IT networks of the critical infrastructure entities, but others were on the actual industrial control system networks that control critical functions. There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their ICS networks.

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee, a former critical infrastructure threat intelligence analyst for the NSA. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

He says all of the infected companies are “doing the necessary hunting and [are] assuming they are compromised.” But without logging to catch the initial infection months ago and track the hackers’ movements through the network if they did burrow in further, the companies have to hunt for what looks like malicious behavior. “And this is an adversary that burrows in deep and is very very hard to root out.”

If the hackers came in through the infected OEM instead, using the OEM’s credentials and privileged access, it could be even more difficult for OEM customers to spot the hackers’ activity since it would look legitimate.

Dragos notified the three OEMs that they were infected, as well as government officials and officials in President-elect Joe Biden’s incoming administration. An alert published last week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that critical infrastructure entities were compromised by SolarWinds software, but didn’t indicate which industries were affected and didn’t note that this included managed services providers for critical infrastructure.

Potential Operations Against a “Pretty Resilient” U.S. Power Grid

It’s not the first time an OEM in the industrial control system has been hacked. In 2012 hackers believed to be from China breached an OEM called Telvent and stole engineering drawings and accessed files used to program industrial control systems. Telvent is a division of Schneider Electric that is headquartered in Spain, but its software is used in oil and gas pipelines across the U.S. and Canada and in some water control system networks. The breach raised concerns at the time that the hackers could have embedded malicious code in the software to infect customer control systems.

“When you look at industrial networks many people still believe them to be highly segmented, but that only means segmented from the” corporate enterprise network, Lee said. “While they might be segmented from the enterprise, they have a vast series of connections to OEMs and others who are connected to those networks for maintenance and other [purposes].”

The SolarWinds hacking campaign came to light earlier this month when FireEye revealed that it had been breached by hackers who took software tools the company uses to find vulnerabilities in customer systems. The company then revealed days later that the intruders had gained access to their network using a backdoor that had been implanted in network monitoring software made by the Austin-based company SolarWinds. The software is used widely across government and industry to manage and monitor networks, and SolarWinds has revealed that up to 18,000 customers could have downloaded the infected code.

Investigators in the security community have said they have seen nothing to attribute the SolarWinds campaign to a particular known hacking group or nation, but officials in the government have attributed the operation to Russia, though they haven’t indicated what has led them to this conclusion.

“It’s so many different people in the government [attributing this to Russia], you wouldn’t get this sort of statement if there wasn’t something there,” says James Lewis, a former government official who oversees cybersecurity programs at the Center for Strategic and International Studies. “[T]he forensic guys are looking at what’s left behind [on networks], and that may not be the best way to attribute something. Governments use other methods to look for attribution. So the fact that the forensic people haven’t discovered it isn’t determinative; they don’t have the full picture.”

Russia has denied responsibility for the hacking operation.

The scope of the hacking operation is still unknown, but so far reports indicate that the departments of Homeland Security, Commerce, and the Treasury; at least two national laboratories; the Federal Energy Regulatory Commission; and the National Nuclear Safety Agency, which maintains the nation’s stockpile of nuclear weapons, were all infected. Microsoft, Cisco, and Intel are among those in the tech sector that were also infected. A number of the intrusions at government agencies went beyond merely being infected by the SolarWinds malware. Sen. Ron Wyden revealed this week that the hackers were able to read and steal emails of some of the top officials at the Treasury Department.

Currently, the campaign is being characterized by security professionals and government officials as an espionage operation. But the compromise of critical infrastructure could have put the hackers in a position to do more than simply steal data, if they wanted to do so. Although there is currently no evidence this was or would have been their intention, Russia has a history of engaging in disruptive operations in critical infrastructure.

In 2015, Russia hacked several Ukrainian power distribution plants and took out power for about 230,000 customers for up to six hours in some cases, in the middle of winter. They repeated their operation again in Ukraine in 2016, taking out power to some customers for about an hour, and also struck the State Administration of Railway Transport, which manages Ukraine’s national railway system. The operations led experts to conclude that the Russians were using Ukraine as a test bed to refine hacking techniques that could be used in other countries, such as the U.S.

On Sunday, speaking on CNN’s “State of the Union,” Sen. Mitt Romney said, “What Russia has done is put in place a capacity to potentially cripple us in terms of our electricity, our power, our water, our communications.” He continued, “This is the same sort of thing one can do in a wartime setting, and so it’s extraordinarily dangerous, and it’s an outrageous affront on our sovereignty and one that’s going to have to be met with a very strong response.”

But Suzanne Spaulding, former undersecretary for the Department of Homeland Security who led the division that oversees critical infrastructure security, cautions that the intentions of the SolarWinds adversary are still unknown, and even if they breached networks in the electric, oil, and gas industries, this isn’t the same as having the ability to cause disruption or damage.

“But you can [still] get a lot of information … that can help you to plan a truly disruptive attack,” she noted. Because the hackers in the SolarWinds campaign were also able to breach FERC, this could have provided them with information on vulnerabilities and security measures in the U.S. grid that they could later leverage for an attack. She points to the 2015 Russian hack of the Ukrainian distribution plants: The hackers were in the plant networks at least six months doing reconnaissance to understand the equipment and how it worked before taking out the power in December that year.

But even an attack aimed at disrupting the U.S. electric grid would be limited in its effect, she notes.

“It’s hard to have a really impactful attack, particularly on our electric grid, which is pretty resilient,” she said. “[But] we don’t know that that’s what they’re doing.”

In the past, when Russian hackers have targeted the oil and gas industry in hacking operations, Spaulding said the U.S. government assessed that they may have just been looking for information that could make their own oil and gas industry more efficient. “So I don’t think that we can know that their objective here is reconnaissance for being in a position to potentially disrupt critical infrastructure,” Spaulding said. “I do think that we should always, for planning purposes, assume that and take measures to reduce the damage that could be done. But we can’t know that [this is their intention]. And there’s a difference between assuming that for planning purposes and for mitigation, and assuming that for a [U.S. government] response to Russia.”

Spaulding says this doesn’t mean anyone should take the SolarWinds campaign lightly.

“I don’t think this is just traditional spy vs. spy espionage. This is of a scale and scope that really is beyond traditional espionage,” she said. “Particularly because we have been told that over half the victims were not government, but were private sector. And if it’s critical infrastructure, not just defense-industrial base, that is not traditional kinds of espionage and that’s very serious.”

Lee cautions that there is no indication yet that the SolarWinds hacking campaign is anything other than espionage at the moment, but just being in critical infrastructure networks gives the adversary potential political power they might not otherwise have. “I’m thinking about president-elect Biden. The last thing I want him to have to worry about is getting into international relation discussions with Putin or others and not knowing if a foreign adversary can turn their access [in these networks] into a foreign operation on key parts of the infrastructure.”

Although other intruders have been inside the U.S. electric grid before, Lee says this is different. If Iran or China compromises industrial control systems in critical infrastructure, he said, “you assume they could [disrupt operations] but you don’t know [if they have the knowledge and ability]. But Russia has shown an ability to go beyond access to disruption. So when they get access you no longer have the question could they use it? The question is how long would it take them and would they?”