
We watched a team of hackers 'fully compromise' a power company in less than 24 hours

hacker looking through desk
Jeremiah Talamantes, president of Red Team Security, searches through a desk for passwords and other information during a security test on a company. Paul Szoldra/Tech Insider

Standing outside the main office of a power company in the Midwest, a hacker known as metrofader pulls an employee's electronic badge out of his pocket and waves it at an outside sensor. The door unlocks, even though it’s a fake card made with data stolen earlier that day.


Once inside the building, which oversees various sites delivering power to around 50,000 customers, no alarms sound or security guards appear. Cameras silently watch the hacker as he heads toward a room where the servers are located, aka the "treasure room," intent on taking over as many of the company's systems as he can.

Metrofader shuffles through the desk of an information technology (IT) employee. He moves under the desk, looking for a suitable place to install custom hardware that will call back to him later over the internet. He then unlocks an iPad to look through a few confidential emails before moving on to a stack of notes on the desk.

"I've got a root password here," he says, holding a sticky note with the word root and a weak, five-character password. He's just uncovered the crown jewel: a top administrator password that likely gives him unrestricted access to just about any computer on the network.

Though he'll need to dig a little deeper to figure out how much he can do, it's likely his find could result in the theft of proprietary information on the company, leaks of private customer details like SSNs, or even access to critical systems that could take electricity offline.


"I suspect that we can probably affect the grid," he tells me later.

Perhaps months or years from now, the company might release a statement about a major data breach, saying that "impacted customers are currently being notified." Sorry, we were hacked, and we apologize for the inconvenience.

But not this time.

Fortunately, this is only a test. Metrofader's real name is Jeremiah Talamantes. He's the founder and president of RedTeam Security, and he's one of the good guys.


Hacking the power grid for good

hacker phishing emails
Matt Grandy, security consultant with RedTeam Security, runs various commands on a system he is testing. Paul Szoldra/Tech Insider

Talamantes is among a subset of hackers who call themselves white hats. In opposition to black hats, Talamantes and his team work with companies to identify security holes before the bad guys find them and potentially cause serious damage.

"They think we're sellouts," says Talamantes, of what black hat hackers say of him and his team of ethical hackers. There's not a lot of love for RedTeam and other cybersecurity firms among hackers who go the illegal route, especially when they know a pro could be the reason they get blocked from a network or, worse, end up in jail.

hacker tools
Skye Gould/Tech Insider

Weeks prior to our break-in at the power company, Talamantes negotiated a contract with the firm for a full "red team engagement" to test both physical and virtual security at eight different locations.

Only a handful of employees would have any idea this was happening, and the business of the company — which did not wish to be named given the sensitive nature of the test — would continue as normal. The end result would be a detailed report from RedTeam Security outlining various areas needing improvement.


RedTeam operates much like a small military unit: each team member brings a different skill set, and the team is smart and agile, easily adapting when situations change. After we meet and each team member talks about their specialty, I joke that they're like a "hacker version of the A-Team," referencing the 1980s-era TV series about ex-Special Forces commandos who can solve a problem "if no one else can help."

But unlike the action-packed show filled with explosions and gunfire, RedTeam tackles the problem of security in cyberspace. It's become an increasingly dangerous place where criminals can initiate attacks on hospitals, militaries can affect outcomes on the battlefield, and nation-states can launch attacks that cut electricity to hundreds of thousands of homes.

The founder and president, Talamantes, has been hacking since the early 1990s, when he took on metrofader as his nom de guerre. With a wide range of skills and an alphabet soup of computer certifications, the 42-year-old is just as experienced at talking his way past security as he is at scanning networks and picking physical locks.

Then there's his deputy, Ryan Manship, 35, who serves as the firm's security practice director. Just as skilled with hacking in his own right, Manship's most noticeable talent is in social engineering.


Social engineering is the term hackers use for in-person contacts or phone calls in which they smooth-talk information out of unsuspecting victims, which can mean anything from the names of company executives to usernames and passwords.

Ryan Manship and Kurt Muhl
Ryan Manship (left) and Kurt Muhl, hacking from their hotel. Paul Szoldra/Tech Insider

Manship runs much of the day-to-day operations of the small ethical hacker outfit, also consisting of Matt Grandy and Kurt Muhl, both 26, who bring programming skills and a knack for finding security holes in software. The firm's newest recruit is Steve Kaun, a 26-year-old former soldier with a deployment to Iraq under his belt who likes to find creative ways to beat physical barriers, whether fences or infrared sensors.

"Who doesn't like to act like the bad guys without fear of retribution?" Muhl says.

If all goes to plan, this team of ethical hackers-for-hire could be what protects this company from a future, real-world hack. But as I soon find, the company they are testing has a long way to go.


From reconnaissance to 'fully compromised'

RedTeam's engagement starts with reconnaissance of the various sites, which the team hopes will reveal entry points not easily found by looking at satellite imagery.

Though hacking can be, and often is, done solely over the internet, a surprising number of actions are better done offline, such as photographing vulnerable locations or installing hardware on a targeted machine.

And that's where we start: slowly driving by unmanned electrical substations, taking photos and video for later review.

At one, it's apparent that there is no security camera, so Muhl drives right up to the fence line and hops out. Walking around, Muhl and Kaun talk over the various ways they can get in, which include simply hopping the fence or picking one of the locks, many of which can be easily opened in seconds.


Their target is a small hut in the corner of the fenced yard that houses network equipment, where they plan to install a mini-computer that likely won't be noticed by the few technicians who occasionally visit the remote site. But that will come later, under the cover of darkness.

After others on the team scope out another substation a few miles away, RedTeam regroups for recon of one of the company's offices. It only takes a few minutes of driving by and peering out car windows for the team to settle on how they'll approach at night. But first, they’ll see if they can get in through nothing more than social engineering.

Walking in the front door

Though the substations are valuable targets for hackers, the real prize is the server room inside the office. If RedTeam can gain access to it, the team would likely have access to the company's entire network.

Manship convinces me to tag along with him on this mission where we'll pretend to be technicians with the local internet service provider. We're both dressed in work pants and a collared shirt, while Manship carries a clipboard and has various tools on his belt. As we drive to the office, the thought of us being caught starts to freak me out.


"Don't worry about it," Manship says. Just act cool and follow my lead, he explains, and it'll be fine. The back story he's given me is that it's my first day on the job, so I wouldn't really know much anyway.

After we pull in and park, Manship helps me turn on the hidden camera and microphone, and then we walk right through the front door.

Ryan Manship with hidden camera
Manship showing off the bag I'll be carrying during the social engineering test. Inside is a hidden camera and audio recording equipment. Paul Szoldra/Tech Insider

"Hi, we're here from [the ISP]," Manship tells the woman sitting at the front desk. "We spoke with Janet*, we're here to check on some speed issues and some other stuff with the Internet."

The woman accepts the story without further question, prompting us to sign into the visitor log.


"I just need to call to get someone up here for you," she says, explaining that we'll need an escort to the server room. I notice that she doesn't ask for ID or any paperwork, which I'm fully aware that we don't have.

Pushing to get in the door sooner, Manship picks up visitor badges and tells her, "it should only be a few minutes. We've been here before."

We make small talk, and the secretary is clearly uncomfortable with making us stand in the lobby. She apologizes profusely and mentions "new security rules" while nervously trying to reach someone in IT to escort us. Manship sighs and acts inconvenienced, hoping to tap the secretary's natural human inclination to help and let him in.

Another woman appears and asks the secretary, "What if I just go with them?"


It seems we're almost in, but then the woman who offered to escort us finds a supervisor who comes to the lobby. He's more skeptical and asks for ID, which Manship says he forgot in the truck.

The supervisor gets an IT manager on the phone and then hands it to Manship. The IT manager is, in fact, the guy who hired RedTeam in the first place, but we don't want to let that on.

Speaking into the handset as employees in the lobby listen, Manship says, "Ok, so then we'll just reschedule then?" His company contact agrees, and he hangs up a few moments later. He just wants us to come back another time, Manship tells the secretary. She apologizes for not being able to let us in.

We walk out the door, having failed in our goal of getting access to the server room. Still, Manship is satisfied with how close we came. Had the supervisor not shown up, he's sure that a few more seconds of his smooth talking would have gotten us in. And he also knows we'll be back soon to try a more traditional approach: covert entry.

red team security
Chris Snyder/Tech Insider

A few hours later, the normally bustling and bright office is dark and unoccupied. It's a perfect time for the rest of the team to return, wearing all-black clothing and armed with tools for circumventing locked doors. Though he was turned away earlier that morning, Manship opens an outside door with a simple tool that costs less than $20.

"That was easy," Manship says, getting in after about 10 seconds.

Now inside and given free rein, the team searches the usual places where people hide passwords, such as underneath keyboards and inside desk drawers. Muhl uses a "rubber ducky" to install malicious software that will take over an unlocked computer. While it looks like a USB memory stick, the $40 device is actually a mini-computer that tricks a machine into thinking it's a keyboard, automatically running whatever is loaded onto it.

Outside the locked server room, Manship pushes a thin piece of metal under the door. With a hook attached to the other side, the tool grabs onto the latch from the inside as he applies pressure with his head. After a few tries, he opens the door and gives his fellow hackers full access to the "treasure room." Once inside, they are able to install hardware that will intercept traffic on the network and rifle through a filing cabinet loaded with confidential papers.


Between breaking into the office and gaining entry to two substations, the hackers have achieved what they call persistent access, meaning they can connect to the network whenever they want. Later that evening, Grandy will work through the night from the hotel to crack at least three administrator passwords.

"We can then create more admin users, so they can't kick us out of their network," Muhl says. "At that point, they are fully compromised, and there's nothing they can do about it."

I take a look at the time. It's been less than 24 hours since they began testing.

Muhl and Talamantes inside the server room
Muhl and Talamantes survey what's inside the server room. Paul Szoldra/Tech Insider

'You can send one command to turn off people's power'

The test is far from over, even though RedTeam has pretty much unfettered access to the company it was targeting. At this point, a black hat hacker might be satisfied, but there are more sites to test.


Over the remaining days, RedTeam follows the pattern it established on day one. They scope out each site with cameras (and in one instance, a drone) or use social engineering tactics to gather inside intelligence, and then enter at night without anyone knowing.

They find many shocking security lapses, including doors that aren't even locked and far too many sticky notes with passwords written on them.

Matt Grandy installing plugbot
Matt Grandy, security consultant with RedTeam Security, attempting to install a "PlugBot" underneath a desk in one of the offices. Paul Szoldra/Tech Insider

"Network administrators and C-level executives generally have the weakest passwords," says Talamantes, stressing the point that the people with higher levels of access should have the strongest passwords but often don't.

Perhaps the team's biggest coup comes during their second try at social engineering, when Muhl and I act as college students interested in touring one of the company's largest offices.


As before, we walk in the front door and approach a secretary, this time explaining that we're students here to meet Bill*, whom Muhl called the day before to schedule a time. Muhl had told him he was doing research for a class on renewable energy.

"Sure just go ahead and sign in," the woman tells us, explaining that he'll be right out.

I have an entire back story made up to explain why I have a California ID card when I'm going to college in another state, but as it turns out, she never asks for ID from either of us.

Bill comes and meets us, taking us back to a small conference room. We take a seat; on the table he has various print-outs about the power company, and he's brought along his computer. We have a friendly conversation, and Muhl asks various questions over about 20 minutes. It's all smoke and mirrors, of course: a way for Muhl to build rapport so he can get what he really came for, Bill's access badge.

Kurt Muhl carrying his RFID scanner
Kurt Muhl carrying his RFID scanner Paul Szoldra/Tech Insider

Muhl brought along what looks like a laptop case to carry his notepad, but what's really inside the black bag is a device that will scan the RFID badge of anyone who happens to come within two to three feet of it and store the data in memory, so the hacker team can clone the badge for later use.

Now wrapping up, Bill takes us around the facility and points out things of interest to Muhl as I take video. Though we've told him that videos and photos will vastly improve our college PowerPoint presentation, in truth the footage will be indispensable to the rest of RedTeam for planning that night's after-hours entry.

Among the things Muhl will point out to the team later is a black box with what looks like network gear inside and a box that seems to control key card access, all inside a room where the door is propped open by a garbage can.

"After 9/11 and [The Department of] Homeland Security," Bill says as he leads the way. "They're worried that if they get into our dispatch, we have the technology now where you can send one command to turn off people's power. Because we're all automatic metered."


He adds: "Somebody gets into that, you can have some serious problems."

open door
Paul Szoldra/Tech Insider

I feel guilty upon hearing this. At some point during the tour, Muhl has gotten his device close enough to capture Bill's badge, making Bill's worry about someone getting into their dispatch a reality very soon. And we've been lying to this man for nearly an hour.

"Now comes to breaking and entering," Muhl says, as we talk over what happened a few minutes after we leave.

We drive back to the hotel where the rest of RedTeam is busy inside the company's networks grabbing passwords in memory and seeing what machines are online. I'm reassured by the fact that this is only a test, ultimately meant to help the people we had deceived.


Once the report is submitted to the company, perhaps many employees will take security more seriously, be suspicious of strangers walking into their offices, and, hopefully, refrain from writing their passwords down.

'It does worry me'

Jeremiah Talamantes hacking
RedTeam Security President Jeremiah Talamantes hacking from the car. Paul Szoldra/Tech Insider

Talamantes tells me that he's done this kind of thing so many times, hacking other companies and even hospitals, that he's somewhat desensitized to the broader implications of his work. But even for him, hacking critical infrastructure such as a power company arouses at least some fear.

"Overall, [this company's] security posture, they think, is better than it really is," Talamantes says. "It does worry me."

The worry is not unfounded.


While many hacks result in some form of data breach revealing personal information, the lights can be turned off if an attacker finds the right computer, as happened recently with a cyberattack in Ukraine. An attack on critical infrastructure is a serious enough concern that the White House has offered guidance, and the NSA Director recently told a cybersecurity conference it was a matter of "when, not if" an attack like RedTeam's simulated one actually occurs, though a recent Homeland Security report downplayed that scenario as "possible, but not likely."

The power company that hired RedTeam is a rural electric cooperative, one of nearly 1,000 such companies responsible for distributing power to tens of millions of Americans. Although they aren't the biggest targets, they have been called one of the biggest risks based on their relatively limited security measures. Taking one of them down could definitely knock out local power. It's unknown whether infiltrating one of them could let hackers attack the broader grid.

For now, companies like these are hurrying to protect themselves. Notably, the company in this article says it has taken measures to protect itself from the vulnerabilities RedTeam found.

"When someone breaks into your house, you feel violated at first, and then get down to the business of how and why it happened [before] fixing it," Susanne*, an IT leader with the company, tells my colleague in an interview on our last day. "After the initial anger, our employees really learn a lot ... often the humans in the loop are the weakest link."


And that's really the biggest threat to a company's network. The overarching point I take away from this experience is not that hackers can do all kinds of terrifying things (though they often can), or that everyone needs to change their passwords and be constantly on guard. RedTeam's test shows that people, not passwords, are often the weakest part of an organization, and they are much easier to "hack" than a code typed into a computer.

* Though all names used in this story for employees of RedTeam Security are real, names of employees of the company it tested have been changed to protect their identities.
