
Critical US Power Grid Hardware Wide Open With Backdoors, Warns CISA

Neil Campbell
Neil lives in Canada and writes about society and politics.
Published: April 23, 2022
CISA warns critical US power grid equipment that can serve as a kill switch may be wide open to foreign government APT hackers.
The "Sandow Switch" that once was used by the Alcoa coal power plant now provides electricity for the Whinstone U.S. Bitcoin mining facility in Rockdale, Texas, on October 9, 2021. On April 13, CISA warned that critical U.S. power grid hardware has open vulnerabilities being targeted by APT groups, which are often foreign government hacking teams. (Image: MARK FELIX/AFP /AFP via Getty Images)

The United States Government’s Cybersecurity and Infrastructure Security Agency (CISA) has warned that critical hardware devices utilized in the U.S. power grid and produced by a trio of major manufacturers are sitting ducks for Advanced Persistent Threat (APT) groups.

Critical hardware

In an April 13 Cybersecurity Advisory (CSA) issued in conjunction with the DOE, FBI, and NSA, CISA stated that APTs “have exhibited the capability to gain full system access” to Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) devices. 

Specifically, Programmable Logic Controllers (PLCs) made by Schneider Electric and OMRON, as well as Open Platform Communications Unified Architecture servers, are vulnerable.

The following specific device models are affected, according to the CSA:

  • Schneider Electric MODICON and MODICON Nano PLCs
    • TM251, TM241, M258, M238, LMC058, and LMC078
  • OMRON Sysmac NJ and NX PLCs
    • NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
  • All OPC Unified Architecture (OPC UA) servers

Operational technology

The CSA explains that the APT groups' custom-made tools, as identified by federal cybersecurity defense agencies, have functionality to "scan for, compromise, and control affected devices" once an operational technology (OT) network has been successfully breached.

The OT attack vector is of acute concern and stands in contrast to more familiar attack vectors, such as breached email servers like Microsoft Exchange.


A Feb. 7 article by Red Hat defines OT as “the practice of using hardware and software to control industrial equipment, and it primarily interacts with the physical world.”

“OT environments supervise physical processes such as manufacturing, energy, medicine, building management, and other industries,” adds Red Hat.

Notably, CISA also warned that crucial hardware infrastructure can be breached by exploiting Windows-based workstations used on site, if those workstations are equipped with a particular kind of ASRock motherboard whose driver has a known vulnerability.

Modular attack vector

CISA explains that the tool suite employed by the APTs features a modular architecture that emulates the command interface of the targeted infrastructure controllers, a notable approach that enables operations "by lower-skilled cyber actors to emulate higher-skilled actor capabilities."

The modular attack vector allows attackers to “scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”

A recent analog

In May of 2021, Colonial Pipeline Co., the largest oil pipeline in the U.S., was notably hit with a ransomware attack by the low-level hacking group Darkside.

At the time, Colonial supplied more than 50 percent of the U.S. East Coast with more than 2.5 million barrels per day of jet fuel, diesel, and gasoline transported from the Gulf Coast.

After breaching Colonial’s systems, Darkside stole more than 100 gigabytes of data before locking the company out of all of its systems, demanding a heavy ransom paid in cryptocurrency.


Although Colonial publicly stated it had no intention of paying the ransom, it in fact paid Darkside 75 BTC in exchange for a tool to remove the group's locks from its systems.

However, the software provided was so slow and cumbersome that Colonial found it faster to restore its network from its own backup instead.

Because of carelessness by the individuals behind Darkside, the DOJ was able to recover 64 BTC after it was transferred to an address that the FBI stated was "in the possession of the FBI in the Northern District of California." That address may very likely have been the wallet of a major cryptocurrency exchange serving as a fiat off-ramp, subsequently seized by federal law enforcement.

However, while Colonial paid a staggering $57,300 per BTC at the time of the transaction, close to the all-time high at that point, by the time the coins were recovered the price had fallen to $34,000 after the Chinese Communist Party (CCP) implemented a string of political measures against miners, which were heavily concentrated in the hands of entities located in or controlled from mainland China.

Relation to the power grid

A January 2019 article by Informaconnect, a UK-based analytics firm touting 8 million global clients, among them multiple Fortune 500 companies, shed light on an already existing battle: energy companies and cybersecurity firms on one side, and on the other "civilian hackers or organised criminals, motivated by profit" as well as "state actors or terrorists."

Informaconnect pointed out that the infamous 2010 Stuxnet worm that crippled Iran’s nuclear program “was the first of a new breed of malware developed with an understanding of the vulnerabilities of Industrial Control Systems (ICSs).”

The article elucidated the relevance to the rest of the world when it stated, “Where a criminal attack might consist of ransomware designed to restrict access to valuable data, ICS-tailored malware are intended specifically for use on physical targets like substations, petrochemical facilities or power plants.”

“They are also much more likely to be tools of a foreign state than a civilian actor,” added the firm.

Additionally, the prominent think tank Council on Foreign Relations (CFR) stated in a May 2021 backgrounder examining how the U.S. power grid is structured and operates that "the growing reliance of the grid on digital systems increases the possibility of cyberattacks."

“Since the 1970s, grid operators have relied on electronic industrial control (IC) centers that are generally unsecured against malware such as the Stuxnet virus, which targeted Iranian nuclear facilities in 2010,” the CFR added.


Of particular note, Informaconnect pointed out that the two most significant attacks targeting power grid ICS equipment up to that time had occurred in none other than Ukraine.

The first, in December of 2018, took down 30 substations and left almost a quarter of a million citizens without power.

“It is believed that the hackers responsible for the attack would have spent months in preparation, studying the various systems used to regulate the Ukrainian power network,” stated the article.


The second, occurring in 2016, "took a fifth of Kiev's power grid offline for approximately an hour."

“For power grid operators outside of Ukraine, the most concerning aspect of the attack” was that the specific exploit demonstrated “evidence of having been designed for use against other countries’ electrical grids,” the company added.

APTs and state actors

Tech industry leader Cisco states on its website that "The intention of an APT is to exfiltrate or steal data rather than cause a network outage, denial of service or infect systems with malware."

While Cisco states that APTs usually employ “social engineering tactics” either during or for the purpose of exploiting software vulnerabilities, “Numerous entities–large and small, public sector and private–can benefit from a successful advanced persistent threat.”

Notably, the firm also cited the Stuxnet worm as it further stated, “Many suspect that governments and nation states have used APT attacks to disrupt specific military or intelligence operations.”

Relevantly, in March of 2021, the CCP-sponsored hacking team HAFNIUM was wreaking havoc with zero-day exploits against Microsoft Exchange email servers, utilizing rented U.S.-based colocated web servers as a laundering mechanism.

But the HAFNIUM instance was not the most pointed.

Just a month earlier, Check Point Research (CPR) published a thorough and compelling examination of how a second CCP-sponsored team, designated as “APT 31 [Zirconium],” had somehow managed to replicate a set of nation-grade zero-day exploits called “EpMe” utilized by the NSA’s world-leading Equation Team, creating their own version dubbed “Jian.”

Notably, CPR found concrete evidence that APT 31 had built Jian as early as 2014, whereas the vulnerabilities it targeted in critical software infrastructure were not patched until as late as 2017; even so, APT 31 appeared to utilize the suite clumsily and was clearly confused as to how the NSA's tools actually worked.

As a result, the example called into question how APT 31 had been able to obtain the nation-grade exploits from the NSA in the first place, if the CCP's best and brightest were unable even to understand how to utilize their American competitors' nation-grade tools.

CPR cautioned, “There is a theory which states that if anyone will ever manage to steal and use nation-grade cyber tools, any network would become untrusted, and the world would become a very dangerous place to live in.”

“There is another theory which states that this has already happened,” they opined.

Real American consequences

The most acute demonstration of the risk of power grid failure occurred in Texas during a highly anomalous February 2021 winter storm that saw a severe cold front roll over the region from the normally warm Gulf of Mexico.

The storm was attributed to movements generated by particularly curious changes to the polar vortex, which were in turn attributed to atmospheric heating.

As temperatures fell below freezing into the low teens Fahrenheit, more than 5 million people throughout Texas and North Dakota were plunged into darkness as state power engineers struggled to mitigate a power grid collapse, because the majority of Texas's natural gas wellheads, unequipped to handle freezing temperatures, froze shut.

Additionally, wind turbines were rendered inoperable by the weather. In all, the state lost 34 gigawatts of power generation just as demand skyrocketed, with residents of a normally hot climate unprepared to endure days of freezing temperatures.

According to Jan. 1, 2022 reporting by The Texas Tribune, the disaster was one of the worst in state history, claiming 246 lives; the report cited the Department of State Health Services (DSHS) as attributing two-thirds of the deaths to hypothermia.

“In addition to hypothermia, DSHS attributed the storm-related deaths to ‘exacerbation of pre-existing illness’ (10%), motor vehicle accidents (9%), carbon monoxide poisoning (8%), fires (4%) and falls (4%),” states the article.

Not only did the storm exact a tremendous toll on human life, but during the crisis the Electric Reliability Council of Texas began charging as much as $9,000 per megawatt-hour for electricity, bankrupting multiple companies and leaving some residents holding the bag with five-figure utility bills.