FireEye calls the Russia-linked hacking group that has been targeting the US grid “TEMP.Isotope.” It’s also known as Dragonfly 2.0, or Energetic Bear. The group mostly uses generic hacking tools and techniques created by other actors—a strategy known as “living off the land”—to minimize development time and costs, while also making it harder to identify and track its movements. But TEMP.Isotope has also created at least one custom system backdoor, and often uses spearphishing and infected websites to compromise targets. And the group has brought these tools to bear against the US grid in a patient and methodical way.
US infrastructure does have some advantages here. In the wake of the massive 2003 Northeastern blackout, utilities implemented resilience and defense standards known as the North American Electric Reliability Corporation Critical Infrastructure Protection requirements, more digestibly referred to as NERC CIP. These created minimum baselines for defending against and dealing with natural disasters, but also promoted best practices for network defense, including two-factor authentication, network segmentation, data storage protections, and strict access controls for both network owners and third parties.
All of these protections combined have hardened electricity generation and transmission systems against attack. But not all segments of the grid are held to those standards.