WASHINGTON — A new wave of cyberattacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers’ aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East.
The targets have primarily been energy companies, and the attacks appeared to be probes, looking for ways to seize control of their processing systems. The attacks are continuing, officials said. But two senior administration officials said Sunday that they were still not certain exactly where the attacks were coming from, or whether they were state-sponsored or the work of hackers or criminals.
“We are concerned by these intrusions, and we are trying to make sure they don’t lead to something much bigger, as they did in the Saudi case,” said one senior American official. He was referring to the aggressive attack last summer that affected 30,000 computers at Saudi Aramco, one of the world’s largest oil producers. After lengthy investigations, American officials concluded that Iran had been behind the Saudi Aramco attack.
Another official said that in the new wave of attacks, “most everything we have seen is coming from the Middle East,” but he did not say whether Iran, or another country, appeared to be the source.
Last week’s warning was unusual because most attacks against American companies — especially those coming from China — have been attempts to obtain confidential information, steal trade secrets and gain competitive advantage. By contrast, the new attacks seek to destroy data or to manipulate industrial machinery and take over or shut down the networks that deliver energy or run industrial processes.
That kind of attack is much more like the Stuxnet worm that the United States and Israel secretly used against Iran’s nuclear enrichment plants several years ago, to slow Iran’s progress toward a nuclear weapons capability. When that covert program began, President Obama, among other officials, expressed worry that its eventual discovery could prompt retaliatory attacks.
Two senior officials who have been briefed on the new intrusions say they were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name. That is similar to what happened to Saudi Aramco, where a computer virus wiped data from office computers, but never succeeded in making the leap to the industrial control systems that run oil production.
The Washington Post first reported the security warning on Friday. Over the weekend the Obama administration described what had led to the warning. Those officials began describing the activity as “probes that suggest someone is looking at how to take control of these systems.”
According to one United States official, Homeland Security officials decided to release the warning once they saw how deeply intruders had managed to penetrate corporate systems, including one that deals with chemical processes. In the past, the government occasionally approached individual companies it believed were under threat. Last week’s warning “is an effort to make sure that the volume and timeliness of the information improves,” in line with a new executive order signed by the president, one senior official said.
The warning was issued by an agency called ICS-Cert, which monitors attacks on computer systems that run industrial processes. It said the government was “highly concerned about hostility against critical infrastructure organizations,” and included a link to a previous warning about Shamoon, the virus used in the Saudi Aramco attack last year. It also hinted that federal investigations were under way, referring to indications “that adversary intent extends beyond intellectual property to include use of cyber to disrupt business and control systems.”
At Saudi Aramco, the virus replaced company data on thousands of computers with an image of a burning American flag. The attack prompted the defense secretary at the time, Leon E. Panetta, to warn of an impending “cyber 9/11” if the United States did not respond more efficiently to attacks. American officials have since concluded the attack and a subsequent one at RasGas, the Qatari energy company, were the work of Iranian hackers. Israeli officials, who follow Iran closely, said in interviews this month that they thought the attacks were the work of Iran’s new “cybercorps,” organized after the cyberattacks that affected their nuclear facilities.
Saudi Aramco said that while the attackers had attempted to penetrate its oil production systems, they had failed because the company maintained a separation between employees’ administrative computers and the computers used to control and monitor production. RasGas said the attack on its computers had failed for the same reason.
But there are no clear standards for computer security, and the Homeland Security warning last week urged companies to take steps many computer professionals already advise. The suggestions were for “things most everyone should be doing on an everyday basis,” said Dan McWhorter, the managing director of threat intelligence at Mandiant Corporation. His company conducted a study this year that identified a specific unit of the Chinese Army as the source of a number of attacks on American businesses and government organizations. “These are all threats people have been seeing coming for some time,” he said.
Still, the warning underscored that most of the likely targets in the United States, including cellphone networks and electric utility grids, are in private rather than government hands. “The challenge will be managing our nation’s offensive and defensive capabilities,” said Evan D. Wolff, a partner at Hunton & Williams, who runs the firm’s homeland security practice and focuses on cyberissues. “Unlike conventional weapons, this will require a very broad engagement across the private sector.”
For the last four years, the Department of Homeland Security has said it needs to expand its cybersecurity force by as many as 600 hacking specialists to keep pace with the rising number of threats. But in the last four months, the department has been grappling with an exodus of top officials, including Jane Holl Lute, the agency’s deputy secretary; Mark Weatherford, the department’s top cybersecurity official; Michael Locatis, the assistant secretary for cybersecurity; and Richard Spires, the agency’s chief information officer, all of whom resigned.
David E. Sanger reported from Washington, and Nicole Perlroth from San Francisco. Michael S. Schmidt contributed reporting from Washington.