While physical attacks might result in clear infrastructure damage, one of the dangers behind cyberattacks lies in how they can be hidden from their targets.

One utility serving a small Midwestern community learned this firsthand a few years back.

The utility’s ordeal began when its finance officer’s email account was accessed without their awareness. Rather than taking immediate action, the attacker used this email breach to learn the utility’s invoicing patterns, including where the largest bills come from and at what intervals. Once the attacker had gathered insights from reviewing the finance officer’s emails, they began executing an impersonation and theft scheme.

Having become familiar with the timing of the utility’s largest regular payment, made to its joint action agency, the attacker intercepted the email with the invoice. Then, using a fake email address that nearly replicated the JAA’s (only one letter difference — an added “s”), the attacker sent a notice that the agency’s bank account details had changed. The content of the email itself was tailored to look like prior messages from the JAA, creating an impression of authenticity.

“We have a good relationship with the joint action agency, so when they requested a change, it didn’t seem out of the ordinary,” the utility’s director said.

Because the attacker had access to the utility’s email, they changed a setting so that any legitimate emails from the JAA went into a hidden folder. Then, using the finance officer’s email, the attacker replied to the JAA invoice email with a general statement apologizing that the payment would be late.
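The two mechanics described above, a sender domain that differs from the real one by a single added letter and a mailbox rule that quietly diverts the partner's genuine mail, are both cheap to check for on the defending side. The following is an added example, not code from the article or from the utility involved: it scores a sender address against an allowlist of trusted partner domains using edit distance, and audits a list of inbox rules for any that move, hide or delete mail from those same partners. The domain names, rule objects and sample messages are constructed for illustration and are not real organisations.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: domains this organisation legitimately transacts with.
TRUSTED_DOMAINS = {"example-jaa.org", "utility-bank.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. A single inserted letter ("s") scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Extract the domain part of 'Name <user@domain>' or 'user@domain'."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def classify_sender(addr: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (a near miss of a trusted domain) or 'unknown'."""
    dom = sender_domain(addr)
    if dom in trusted:
        return "trusted"
    if any(edit_distance(dom, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"


@dataclass
class InboxRule:
    """Minimal model of a mailbox rule (hypothetical shape, not a vendor API)."""
    name: str
    from_contains: str
    move_to: Optional[str] = None
    mark_read: bool = False
    delete: bool = False


def suspicious_rules(rules, trusted=TRUSTED_DOMAINS):
    """Names of rules that divert mail from a trusted partner out of sight."""
    findings = []
    for r in rules:
        diverts = r.delete or r.mark_read or (
            r.move_to is not None and r.move_to.lower() != "inbox"
        )
        targets_trusted = any(t in r.from_contains.lower() for t in trusted)
        if diverts and targets_trusted:
            findings.append(r.name)
    return findings


# Constructed sample data: one genuine sender, one lookalike, one stranger,
# and a mailbox rule of the kind described in the article.
SAMPLE_SENDERS = [
    "Billing <billing@example-jaa.org>",
    "Billing <billing@example-jaas.org>",
    "noreply@random.example",
]
SAMPLE_RULES = [
    InboxRule("Newsletter cleanup", "news@vendor.example", move_to="Newsletters"),
    InboxRule("JAA", "example-jaa.org", move_to="Archive/old", mark_read=True),
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{s:45} -> {classify_sender(s)}")
    print("rules diverting trusted mail:", suspicious_rules(SAMPLE_RULES))
```

A lookalike verdict is a reason to confirm by phone before acting on anything in the message, and a rule that hides a partner's mail is worth reviewing with the account owner, who in this case had not created it.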

The same process happened the next month. In the third month, the attacker sent another email from the fake JAA address noting yet another bank account change.

“That should have been a huge red flag,” said the utility director. But the attacker had been pulling in real information from past threads, including the signature from the usual invoice sender.

As the third payment was in process, the utility director got a text from the JAA’s CFO saying the JAA hadn’t received the last three payments, but also that he couldn’t talk because he was attending a board meeting. The utility director thought the text was a scam, as the request was suspiciously worded and sent at the end of the day.

The next day, the utility director and finance officer looked into the payments and called the JAA to confirm whether the payments had actually been received. That’s when the utility realized what was happening.

Fortunately, the utility team was able to stop the third payment. But the first two payments — totaling over $350,000 — had been cleared out by the attacker.

The utility’s IT support found multiple suspicious logins to the finance officer’s email account, and a federal investigation began.

“It’s still a mystery how they were able to get into the email in the first place,” said the utility director. The investigation didn’t find any actions on the finance officer’s part that would have triggered the breach.

Investigators from the Department of Homeland Security believe the attacker exploited a weakness in text-message (SMS) multifactor authentication. Now, in addition to changing passwords, the utility uses an authenticator app for multifactor authentication and a password manager. Staff are told not to save credentials in browsers, spreadsheets, etc., and to use unique, complicated passwords.

The attacker succeeded by exploiting not only the long-standing, trusting relationship between the various organizations involved but also human nature. The attacker's bank flagged the first payment but hadn’t reached out even though it thought the payment was suspicious. The JAA only attempted to contact the utility through email.

“If either of us would have picked up the phone and just called,” reflected the utility director, then the attack would have been caught earlier.

The utility director had been in the position for less than two years when the attack occurred and had assembled a to-do list for establishing more rigorous cybersecurity. The list included installing watchdog software, which looks for activity like suspicious logins from out of state.
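The "watchdog software" on the director's list looks for exactly the pattern the IT support team later found in the logs: logins that do not fit the account owner's normal location or hours. As an added example, not part of the article and not any vendor's product, the function below runs over a few constructed authentication records and raises an alert for successful logins from outside each user's expected state, outside business hours, or immediately after a burst of failures. The user names, states and timestamps are invented for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, user, source state, success).
SAMPLE_LOGINS = [
    ("2023-03-01T08:02:00", "finance", "IA", True),
    ("2023-03-01T08:40:00", "finance", "IA", True),
    ("2023-03-01T23:15:00", "finance", "CA", True),   # out of region, late night
    ("2023-03-02T02:10:00", "finance", "FL", False),
    ("2023-03-02T02:11:00", "finance", "FL", False),
    ("2023-03-02T02:12:00", "finance", "FL", False),
    ("2023-03-02T02:13:00", "finance", "FL", True),   # success after failures
    ("2023-03-02T09:00:00", "director", "IA", True),
]

# Where each account is normally used from (constructed).
EXPECTED_STATES = {"finance": {"IA"}, "director": {"IA"}}
BUSINESS_HOURS = range(6, 20)  # 06:00 to 19:59 local time


def parse(records):
    return [(datetime.fromisoformat(ts), user, state, ok) for ts, user, state, ok in records]


def find_suspicious_logins(records, expected=EXPECTED_STATES,
                           fail_threshold=3, window=timedelta(minutes=10)):
    """Return (timestamp, user, [reasons]) for each successful login worth a look."""
    events = sorted(parse(records))
    recent_failures = defaultdict(list)
    alerts = []
    for ts, user, state, ok in events:
        if not ok:
            recent_failures[user].append(ts)
            continue
        reasons = []
        allowed = expected.get(user, set())
        if state not in allowed:
            reasons.append(f"login from {state}, expected {sorted(allowed)}")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        fails = [t for t in recent_failures[user] if ts - t <= window]
        if len(fails) >= fail_threshold:
            reasons.append(f"{len(fails)} failed attempts in the prior {window}")
        recent_failures[user] = []  # a success closes the failure window
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in find_suspicious_logins(SAMPLE_LOGINS):
        print(ts, user, "; ".join(reasons))
```

Each alert is a prompt to confirm with the account owner by a channel other than that mailbox. The same three checks apply whether the records come from a mail provider's sign-in log or an identity provider export; only the parser changes.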

“I was trying to be proactive, but I wasn’t fast enough,” he said. “I wondered about cost efficacy. I had been more worried about budget dollars than the what ifs.”

He advised other utility leaders not to get into the mentality of “it’s not going to happen here.”

“Eliminate the notion. Yes, it can happen to you. [Small towns] are probably more targeted because [attackers] know you don’t have as many full-time staff, you are more resource stretched, so it might be seen as easier than going against the giants that have an IT team.”

The utility also updated its payment verification process to align with insurance coverage standards, which include requiring a phone call to confirm details for any wire transactions and having multiple people review larger payments.

The utility worked with a nearby university to assess its systems, including evaluating the strength of its firewalls, and to train its staff on current security practices. The utility director recommended that utilities regularly perform assessments and penetration testing to catch potential vulnerabilities.

“Prioritize it. Take the recommendations, make upgrades, and then just stay in touch with your IT and those programs that offer those types of services. Things change year to year. Even if you’ve done it, don’t wait five years to do it again. It needs to be an annual thing.”

Assessments can include everything from analyzing a utility’s infrastructure to its website, programs, computer protocols, and password policies.

Meanwhile, the attack continues to take a toll on the utility and its handful of staff.

On top of the extensive documentation requested by state and federal agencies involved in the ongoing investigation, the utility has also had a lot of back-and-forth with its insurance company while trying to recover some of the financial loss.

The utility director advised other public power leaders to “track and save everything,” and to carefully review insurance policies to know what is and isn’t covered, and how the coverage might be interpreted in different scenarios.

While some security measures might involve minor inconveniences for employees, such as using a password manager, the utility director said they are well worth the cost: “I’d rather be inconvenienced for 10 seconds than go through this again.”
