Hackers linked to North Korea targeted U.S. ICS companies, breached energy firm

Multiple sources tell CyberScoop that the report details an energy company that was breached by what is thought to be North Korea-linked hackers.
(Flickr / SilverStack / CC - BY - 2.0)

Hackers possibly linked to North Korea were able to successfully gain access to the corporate network of at least one U.S.-based energy company in recent months, according to multiple sources with knowledge of a recent cyber threat intelligence report on the matter.

Six sources tell CyberScoop the report notes that hackers were found actively targeting a handful of U.S. companies that rely on industrial control systems. Less than 10 companies were targeted with phishing emails as part of this apparent information gathering campaign — including one known breach — leading analysts to believe the effort is targeted and well-organized, a person with knowledge of the malicious cyber activity said.

The activity was originally identified by at least two different private cybersecurity companies. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is aware of the activity and in recent weeks shared information with some partners.

NBC News obtained a copy of the report, which the news organization published details of on Tuesday evening. The report was written by FireEye. It describes relevant digital evidence about the targeting of U.S. energy companies, but did not go so far as to directly attribute the effort to North Korea. The FireEye report does not mention a breach. Evidence of a data breach was separately obtained by CyberScoop.


Attribution is tied to a number of factors, including the discovery of shared tactics, tools and other activity that could be tied to a known threat group. All available evidence points to an advanced persistent threat associated with North Korea, however, it’s unclear whether Pyongyang is truly responsible or if another group may be mimicking their hacking techniques to confuse investigators.

The Department of Homeland Security did not respond to a request for comment.

People with knowledge of the reports and related activity spoke to CyberScoop on condition of anonymity to discuss sensitive information about a pertinent threat to U.S. critical infrastructure. Those sources say the incident highlights the increasing risk of a potential cyberattack of significant consequence against private energy companies who are responsible for operating critical infrastructure.

Based on information provided to CyberScoop, the hackers were able to break into a private business network belonging to a U.S. energy company, but they did not infect computers with malware designed to physically influence hardware. These compromised computers were disconnected from the firm’s industrial control systems — typically used in manufacturing plants or throughout the electrical grid to serve power to customers.

The hacking operation was likely only focused on reconnaissance and to gain a preliminary foothold inside a shortlist of important American critical infrastructure companies. The Homeland Security Department designates 16 different industries as “critical infrastructure,” including the energy, manufacturing, communications and nuclear sectors.


Analysts stressed that this incident should not be categorized as a destructive or disruptive attack due to the lack of evidence that proves hackers had, or necessarily planned, to immediately damage hardware. They say the evidence instead sheds light on a broader issue: that of escalating geopolitical tension between the U.S., Iran, Russia and North Korea, which is simultaneously playing out in cyberspace as well as in the real world.

Nation-state backed hackers, believed to be tied to Russia and Iran, have been known to break into the corporate business networks of energy companies so that they can move laterally through IT systems to eventually impact industrial equipment. North Korea, however, is not widely known to engage in this practice or have the capability to execute a blackout.

The Office of the Director of National Intelligence did not respond to a request for comment.

Latest Podcasts