House Democrats want briefing on domestic terrorism at energy facilities, including malware

Several leading congressional Democrats want to hear from Biden administration officials about the potential for domestic terrorists to use cyberattacks against energy infrastructure.

The lawmakers expressed concern about recent attacks on energy infrastructure by neo-Nazi groups and racially motivated actors — as well as the possibility that such groups could deploy malware.

Homeland Security Committee ranking member Bennie Thompson (D-MS) joined Eric Swalwell (D-CA) and Seth Magaziner (D-RI) in asking for the briefing from the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security.

“As racially- or ethnically-motivated violent extremists embrace the use of grid disruptions for ideological means, we cannot assume they will not seek to exploit cyber vulnerabilities — particularly where the malware and tactics used to carry such an exploit are known,” they wrote in a February 17 letter addressed to CISA Director Jen Easterly and DHS Undersecretary for Intelligence and Analysis Kenneth Wainstein.

The letter connects physical attacks to the sorts of cyberthreats the U.S. energy infrastructure has typically faced with regard to incidents originating from Russia, China, Iran and North Korea.

The congressmen cited a report released last week by cybersecurity company Dragos on an incident involving the malware PIPEDREAM, believed to be of Russian origin, which targeted critical infrastructure and came "'the closest we've ever been' to having to take down 'around a dozen' U.S. electric and liquid natural gas sites," the representatives wrote.

“We would like to understand evolving cybersecurity threats to the energy sector, such as the PIPEDREAM malware, and how domestic extremists might seek to exploit cyber vulnerabilities for ideological purposes,” they wrote.

The lawmakers said the letter was precipitated by a bulletin from the FBI on February 8 warning of “continued interest by some racially- or ethnically-motivated violent extremists in conducting attacks against US critical infrastructure, particularly electrical infrastructure.”

Two days before, the FBI and Justice Department announced they stopped a physical attack by two neo-Nazis on five electrical substations in Baltimore — noting that they were driven by an “ideology of racially-motivated hatred.”

In 2022 alone, the Department of Energy reported 163 direct physical attacks against electrical infrastructure across the country, including an attack against two electrical substations in North Carolina that resulted in power outages affecting 45,000 homes and businesses. 

In addition to the Dragos findings about PIPEDREAM, cybersecurity firm Mandiant has tracked a strain of malware called INCONTROLLER, which similarly “contains capabilities related to disruption, sabotage, and potentially physical destruction.”

Malwarebytes and Recorded Future’s Insikt Group both released reports in 2021 that found Black communities were targeted more than other groups with malware and fraud campaigns — by nation-states and criminal groups alike.

According to the U.S. representatives calling for a hearing, both CISA and DHS have tools and resources that can be used to protect energy infrastructure from domestic extremists.

“Given the alarming rise of domestic violent extremism and in attacks against critical infrastructure generally, and the energy sector in particular, [Homeland Security] and CISA have essential roles in ensuring [local governments] are informed and prepared to prevent attacks against electrical facilities,” they explained.

CISA and DHS did not respond to requests for comment about whether they will provide the briefing. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.