As the world watched highly skilled hackers take down power grids in Ukraine twice in two years, cybersecurity analysts reached the growing consensus that Russian hackers may be using the country as a testing ground for attacks they'll someday try on the United States. On Thursday, when news emerged that hackers have indeed been targeting American electric utilities—including a Kansas nuclear facility—it seemed possible that day had arrived. But it's worth noting there's a big difference between infecting a few energy companies' Windows machines with malware and grabbing the controls of a nuclear power plant.

The Hack

The FBI and the Department of Homeland Security have been scrambling to help multiple US energy firms and manufacturing plants fight off intrusions from hackers, according to reports Thursday evening from the New York Times and Bloomberg. Most worryingly, the targets of those attacks have included the Wolf Creek nuclear power plant near Burlington, Kansas, raising fears of an attack that could not only cause widespread electric outages but potentially disable nuclear safety systems.

But as disturbing as the words "hack" and "nuclear" appearing in the same sentence may be, it's important to step back. The severity of any industrial control system attack depends on whether hackers managed to breach not only its traditional computer systems, but also the far more obscure, less internet-connected systems that actually manipulate its physical equipment. So far it's not clear how many of the hackers' targets have been breached at all, not to mention any evidence that the attackers managed to access the targets' actual control system networks.

"These were business networks, not computer systems anywhere near the operational systems," says Robert M. Lee, the founder of the critical infrastructure cybersecurity firm Dragos, who says he had indirect knowledge of the incidents. "On the one hand it’s concerning. On the other it’s really far from anything near the industrial control systems."

Who's Affected?

The hackers have targeted at least a dozen distinct organizations, according to Bloomberg, from the Wolf Creek nuclear plant to an unnamed supplier of energy industry control systems. Security firm FireEye tells WIRED that the targets aren't limited to the US: Its researchers have seen spearphishing attempts from the same hackers against targets in Ireland and Turkey, stretching as far back as 2015, as well as "watering hole" attacks meant to infect victims with malware based on their routine visits to certain websites. Many of those attacks, according to FireEye researcher John Hultquist, have focused on electrical engineers and control system operators. "In our experience groups that have solely targeted energy like this have been carrying out reconnaissance for attack," Hultquist says.

Who's Behind It?

Despite immediate suspicions that Russia may be laying the groundwork for Ukraine-style power grid attacks in the US, no digital fingerprints have yet tied the attacks to any specific group.

Those suspicions stem in part from recent history: Russia has likely tried to sow the seeds for power grid attacks in the US before. In 2014, the Department of Homeland Security warned that hackers had infected the networks of multiple US electric utilities with a piece of general-purpose malware known as Black Energy. Cybersecurity firm FireEye tied those infections to a hacker group it called Sandworm, which it believed to be Russian based on clues like an openly accessible server tied to the group containing Russian-language documents. Sandworm would later go on to use Black Energy in intrusions against a variety of Ukrainian targets, including hacking three Ukrainian energy companies to cause the first-ever hacker-induced blackouts.

A year later, hackers attacked the Ukrainian energy firm Ukrenergo and took down about a fifth of the electric capacity of Kiev. Slovakian cybersecurity firm ESET and Lee’s company Dragos Inc. found that a piece of sophisticated malware from that attack known as “Crash Override” or “Industroyer” had been used to automatically trigger the blackout. Dragos also attributed the attack to Sandworm, raising new fears that Russia was testing a cyberweapon it might soon turn on American targets.