How (and why) cyber specialists hacked a North American utility’s smart meter

Big hacks like the 2015 Ukraine power outage and the 2017 shutdown of a Saudi petrochemical plant still inspire red teams today.
Mandiant's cybersecurity researchers said a malicious attacker in a similar situation could have shut down more smart meters (Getty Images)

The hackers behind some of the most impactful intrusions of industrial organizations in the last five years have meticulously searched for ways to move from facilities’ IT networks to the more sensitive computers that interact with machinery. 

Before alleged Russian hackers cut power in Ukraine in 2015, for example, they spent many months mapping out utility computer networks and gathering grid workers’ credentials. And the hackers that triggered the 2017 shutdown of a Saudi petrochemical plant with the so-called Triton malware are known for using dozens of different tools to maintain access to IT and industrial networks.

As state-sponsored hackers continue to probe U.S. infrastructure, cybersecurity experts regularly emulate those landmark attacks today to break into their clients’ networks in order to protect them. The latest example comes from Mandiant, FireEye’s incident response unit, which this week publicized the techniques it used to infiltrate a North American utility’s industrial control systems and turn off one of its smart meters.

With that level of access, an attacker in a similar position could have disconnected multiple smart meters at the same time, Mandiant researchers told CyberScoop. The researchers declined to share further information on the client, but said the utility was in charge of a “state-wide smart grid environment.”


Adequately preparing for advanced hacking operations takes some creativity. By going public with the details of their exercise, Mandiant researchers might inspire other security experts devising their own “red-team” tests, or those that mimic an adversary, for industrial facilities.

Like the incident at the Saudi plant, the Mandiant researchers said, their hack of the North American utility started with a breach of the external-facing IT network and was followed by a “targeted attack chain to achieve a specific high-risk objective in the [operational technology] environment.” They also scouted high-level employees of the utility in charge of administering firewalls and smart metering operations, just as a state-sponsored adversary might.

After accessing the utility’s corporate network, the Mandiant researchers used publicly available hacking tools, such as Mimikatz, to gain greater privileges on the network. They eventually used a computer server that managed software patches to stealthily move between the utility’s IT network and the more sensitive operational technology network that contains industrial control systems.

The exercise culminated in the Mandiant specialists stealing login credentials for a “human machine interface” portal and issuing a command to disconnect the smart meter.

The disclosure of the smart meter hack comes as U.S. utilities continue to learn from the alleged Russian espionage campaign that exploited software made by federal contractor SolarWinds. While that spying effort did not appear to target the electric sector, hundreds of utilities downloaded the malicious software that the Russians used as a beachhead into networks. It’s the kind of elaborate supply-chain compromise that the North American grid regulator had utilities drill for in 2019.


While industry experts consider the hacks in Ukraine and Saudi Arabia to be advanced pieces of industrial sabotage, red-teaming exercises can help demystify the attacks and remind organizations that those capabilities aren’t as rare as they might think.

The Saudi petrochemical plant, for example, “had some significant security weakness,” said Julian Gutmanis, an industrial cybersecurity specialist who responded to the incident. “A red team likely would have been able to get in pretty easily.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts