Throwback attack: Russia breaches Wolf Creek Nuclear Power facility

Courtesy: Brett Sayles

The threat of the Russian invasion of the Ukraine has been at the forefront after years of tension between the two and months of clear warnings. As of today, explosions erupted and President Vladimir V. Putin of Russia declared the start of a military operation to “demilitarize” Ukraine.

Tension between the Russian Federation and Ukraine isn’t new. The Russo-Ukrainian war is an ongoing conflict that began in February 2014 due to the status of Crimea and parts of Donbas. Around the same time, there was a BlackEnergy malware attack on the Ukrainian power grid attributed to a Russian hacking group in retaliation to a physical attack on substations from pro-Ukrainian activists, all stemming from the fallout of Russia annexing Crimea.

While it has recently escalated further to Russia launching a military invasion on Ukraine, the former Soviet republic has not been Russia’s only target. Russian threat actors have been busy in the cybersecurity landscape causing damage around the world. An instance close to home is the SolarWinds cyberattack that affected thousands of networks and systems in every major sector in the U.S. government and military.

Russian cyberattacks on the U.S. have been in the news for decades, starting in 1996 with the Moonlight Maze attacks and have progressed throughout the years leading up to the SolarWinds attack and more. The lack of qualified cybersecurity for U.S. critical infrastructure has continued to be a main concern, especially after the escalation of recent attacks in 2021, such as attacks on the Kemuri Water Company and Colonial Pipeline. Even in 2017, eyes were opening to how much America’s cybersecurity needed to keep evolving due to the attack against Wolf Creek Nuclear Operating Corp.

Wolf Creek

In May of 2017, multiple U.S. nuclear power generation sites had been breached, and experts at the time weren’t sure if they were linked to the global cyberattack, Petya. One attack was on the Wolf Creek Nuclear facility, located in Burlington, Kan. In this instance, the attack was contained to the business side of the plant, and the critical infrastructure was not affected. However, because the network had been infiltrated, the nuclear systems had become more vulnerable. This campaign was the first time U.S. nuclear power companies had been hacked.

According to a Business Insider article, “If a nuclear power facility is attacked on the business side, that might actually serve as a way of information-gathering” for hackers, said Paulo Shakarian, founder of the cybersecurity firm CYR3CON.

In some cases, hackers will try to “see if, by reaching that system, they can get more insight into what the facility is using on the operational side,” Shakarian said. Gathering information, such as emails, design plans, information about security assessments and passwords from the business side can often lead to further attacks on the other side, which would be far more serious.

The Wolf Creek plant was built in 1977 before most systems were digital, which means it runs on an analog system that cannot be remotely hacked. Wolf Creek started running in 1985 and creates power for 800,00 homes. It is owned by Kansas City Power and Light Co., Westar Energy and Kansas Electric Power Cooperative.

These attacks were especially worrisome in light of the cyberattacks against Ukraine’s power grid. The Department of Homeland Security (DHS) and FBI released a joint report that contained an urgent amber warning, which is the second-highest rating for the sensitivity of the threat. The hackers appeared determined to map out computer networks for potential future attacks, according to a New York Times article.

The hackers’ techniques mimicked Energetic Bear, a Russian hacking group that’s been attacking the U.S. energy sector since 2012. Senior industrial control engineers were targeted with emails with fake resumes for control engineering jobs, which really contained malicious code. Once the resumes were opened, the attackers stole the engineers’ credentials and were able to access other systems on the network.

The attack on Wolf Creek was wasn’t officially attributed to Russia until 2018 according to a Cybersecurity and Infrastructure Security Agency (CISA) alert on March 15 of that year.


President Joseph R. Biden has imposed economic sanctions against Moscow and said at a press conference, “Putin chose this war, and now he and his country will bear the consequences.” The consequences of these sanctions and further action against Russia are bound to come as this situation unfolds.

However, cybersecurity experts have been saying for years Russia does have the potential to cause severe damage through cyberattacks. For example, The New York Times reported in 2018 that cybersecurity experts saw the attacks were in preparation for Russia to disrupt the United States’ critical facilities “in the event of a conflict.”

Russia has had years to position itself in a place of power in the cyber landscape. Only time will tell what they will do with it.




Keep your finger on the pulse of top industry news