* Hackers target energy grids, petrol-distribution
* Baltic states are locked into Russia's power network
* Baltic states on political front line of Moscow-West
* Kremlin spokesman dismisses allegations as slander
By Stephen Jewkes and Oleg Vukmanovic
MILAN/LONDON, May 11 Suspected Russia-backed
hackers have launched exploratory cyber attacks against the
energy networks of the Baltic states, sources said, raising
security concerns inside the West's main military alliance,
Lithuania, Latvia and Estonia, all members of NATO and the
European Union, are on the political front line of tensions
between the West and Moscow. The Baltics are locked into
Russia's power network but plan to synchronise their grids with
Interviews with more than a dozen law-enforcement and
private investigators, insiders and utility officials show
hackers have quietly made incursions into Baltic networks over
the past two years, in parallel with more serious attacks in
Ukraine that plunged swathes of that country into darkness.
They say Russian state organisations are suspected of being
behind the campaigns.
Reuters could not independently verify the sources'
At the end of 2015, hackers attacked an Internet gateway
used to control a Baltic electricity grid, disrupting operations
but not causing blackouts, a source familiar with the matter
said. He declined to give details due to ongoing private
investigations into the incident, which has not been previously
The attack was a distributed denial of service (DDoS), where
Internet gateways are bombarded with large amounts of data, a
blunt but sometimes effective technique in an age when energy
networks are being modernised with digital technology.
The source also said suspected Russia-backed hackers had
targeted a Baltic petrol-distribution system at around the same
time in an unsuccessful denial of service attack that aimed to
cause widespread disruption in petrol deliveries.
The system coordinates deliveries from storage tanks to a
network of petrol stations, the source added.
In a separate malware attack on another undisclosed Baltic
grid, also around end-2015, hackers targeted network
communication devices, serial-to-ethernet converters (STEC),
which link sub-stations to central control, two other sources
said. The attack did not cause service disruption, they added.
Though these three incidents date back 18 months or so,
cyber security consultants are still investigating some of them.
They say hackers can remain dormant and undetected inside
systems. In Ukraine, hackers had infiltrated the grids there for
about six months before the lights went out in December 2015,
STECs were also targeted in Ukraine by the so-called
Sandworm team, a Russia-backed group that had attacked energy
companies in Western Europe and the United States in a campaign
in 2014, several sources said.
The two sources with knowledge of the STEC attacks said they
had detected the presence of Sandworm in the Baltics, but they
did not give evidence for their suspicion. One of them said
Sandworm was still active in the Baltic states.
"It's the same kind of slander as all the other similar
accusations," Kremlin spokesman Dmitry Peskov said when asked by
Reuters about the possible hacks.
Russia has never cut power flows to the Baltic states or
threatened to do so.
The NATO sources and utility officials said the Baltic
attacks raised concerns that hackers could disable the region's
energy networks just as they had done in Ukraine, where
government troops have been battling pro-Russian separatists
The first Ukraine attack caused crippling blackouts in some
parts of the country lasting several hours.
NATO and cyber security experts believe hackers are testing
the Baltic energy networks for weaknesses, becoming familiar
with how they are controlled in order to be able to shut them
down at will.
"On a daily basis there are DDoS attacks designed to probe
network architecture, so it could well be possible that
something (serious) could take place later on," a Brussels-based
NATO official said, requesting anonymity because he was not
authorised to speak publicly on the matter.
Lithuanian grid operator Litgrid said attacks on IT systems
and the grid were constant but it had not seen DDoS attacks.
Litgrid maintains constant monitoring and runs regular tests
to detect any cyber break-ins as part of its network defences,
the utility said in an emailed statement.
Latvia's grid operator, AST, said it had not seen incidents
in the last year. Estonia's Elering said only that it had not
seen any attacks at the time of the Ukraine incursions in 2015.
A security official based in the Baltics said cyber attacks
usually increased when Russia carried out large military
exercises near its borders with the Baltic states.
Last month, NATO helped stage a cyber-security exercise in
Estonia in which hundreds of cyber experts from around the world
competed in teams to protect a fictitious military air base from
attacks on, among other things, a power grid system.
In its 2017 national security threat assessment, Lithuania
said hackers had launched large-scale DDoS attacks in April last
year against state ministries and institutions, Vilnius airport,
media and "other important Lithuanian cyber infrastructure".
"A major part of executed cyber attacks against the state
sector of Lithuania in 2016 were associated with Russian
intelligence," the report said, without giving details.
Lithuania's state-owned energy holding group, Lietuvos
Energija, said it had encountered untraceable attacks like
zero-day viruses, among others, which exploit hidden
vulnerabilities. Lietuvos's businesses include power
"We do assume that we have adversaries who want to harm us,"
said Liudas Alisauskas, information security chief at Lietuvos.
Lietuvos runs drills to prepare for cyber attacks, including
switching to manual operation of the grid, Alisauskas said.
In Ukraine, operators of older and technologically simpler
networks were able to send workers out into the field to
manually bring grids back up. This would be more difficult to
achieve in modern, digitised networks, cyber consultants said.
(Additional reporting by Andrius Sytas in VILNIUS, David
Mardiste in TALLINN and Jack Stubbs in MOSCOW; Editing by Mark
Bendeich and Andrew Roche)