A recent experiment suggests that foreign governments are not the only significant threats that America’s critical infrastructure faces.
The Massachusetts-based security company Cybereason set up a “honey pot,” or fake industrial control system, and found that suspected criminals broke into the network seemingly with the aim of financial profit, ransom or trophy hunting.
The experiment “showed a whole new tier of threat actor that operates against these highly sensitive systems,” Ross Rustici, Cybereason’s senior director of intelligence, told Fifth Domain during the Black Hat conference in Las Vegas. “When you talk about the industrial control system, you don’t think of the criminal network. It’s almost always the nation-state actors.”
This new research comes as the Department of Homeland Security and the Federal Bureau of Investigation (as seen in a series of joint webinars) have stepped up efforts to protect critical infrastructure systems from Russia-based cyberattacks.
The network that Cybereason set up looked like any other power grid’s platform. It had fabricated traffic and data. After launching the operation, the group saw typical low-level hacks using cryptocurrency miners and port attacks.
But a first group of attackers successfully penetrated the fake power company’s network. Rustici said the group was “laser focused on gaining access to the industrial control system.” They created additional accounts for remote access. Then, traffic quieted down.
Days later, activity exploded again. Rustici said that the first group of attackers sold their access to a second group. The ultimate intentions of this new collective of hackers are unknown. But Rustici speculated that they were either looking for bragging rights to drum up future business, or hoping to parlay their access into ransom.
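The two behaviours Rustici describes, a freshly created account that is immediately given remote access and the same account coming back from a new origin after days of quiet, are exactly what a defender monitoring an ICS network would want to alert on. The following Python is an added example and is not Cybereason's tooling or anything from the article; the log format, host and group names, timestamps and IP addresses are all constructed for illustration, and the detection thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical honeypot audit log (key=value records, not a real product format).
# Pattern: account created, added to a remote-access group, first remote logon, then days
# of quiet followed by logons from an origin never seen for that account.
SAMPLE_LOG = """\
2018-06-01T02:10:11 host=ics-hmi-01 event=account_created user=svc_backup by=admin
2018-06-01T02:11:40 host=ics-hmi-01 event=group_add user=svc_backup group="Remote Desktop Users" by=admin
2018-06-01T02:12:05 host=ics-hmi-01 event=logon user=svc_backup src=198.51.100.23 method=rdp
2018-06-01T09:30:00 host=ics-hmi-01 event=logon user=operator src=10.0.5.14 method=console
2018-06-06T23:41:17 host=ics-hmi-01 event=logon user=svc_backup src=203.0.113.77 method=rdp
2018-06-06T23:45:02 host=ics-hmi-01 event=logon user=svc_backup src=203.0.113.78 method=rdp
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed group names and logon methods that confer remote access on the monitored hosts.
REMOTE_GROUPS = {"Remote Desktop Users", "Remote Management Users"}
REMOTE_METHODS = {"rdp", "vpn", "ssh"}


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' record into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    event["ts"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def new_remote_accounts(events, window=timedelta(hours=24)):
    """Flag accounts that are created and then given remote access within `window`.

    Returns {user: set of reasons}, where reasons are 'remote_group' (added to a
    remote-access group) and/or 'remote_logon' (first logon used a remote method).
    """
    created = {e["user"]: e["ts"] for e in events if e["event"] == "account_created"}
    flagged = {}
    for e in events:
        user = e.get("user")
        if user not in created or e["ts"] - created[user] > window:
            continue
        if e["event"] == "group_add" and e.get("group") in REMOTE_GROUPS:
            flagged.setdefault(user, set()).add("remote_group")
        elif e["event"] == "logon" and e.get("method") in REMOTE_METHODS:
            flagged.setdefault(user, set()).add("remote_logon")
    return flagged


def access_handoffs(events, quiet_gap=timedelta(days=3)):
    """Flag remote logons that resume after a quiet gap from a source never seen for that account.

    This is the pattern of access being passed (or sold) to a second party: the
    account goes dormant, then is used again from a new origin. Returns a list of
    (user, last_seen_before_gap, resumed_at, new_source) tuples.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "logon" and e.get("method") in REMOTE_METHODS:
            by_user[e["user"]].append(e)
    findings = []
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        seen_sources = {logons[0]["src"]}
        for prev, cur in zip(logons, logons[1:]):
            if cur["ts"] - prev["ts"] >= quiet_gap and cur["src"] not in seen_sources:
                findings.append((user, prev["ts"], cur["ts"], cur["src"]))
            seen_sources.add(cur["src"])
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, reasons in new_remote_accounts(evts).items():
        print(f"new account with remote access: {user} ({', '.join(sorted(reasons))})")
    for user, before, after, src in access_handoffs(evts):
        print(f"possible access hand-off: {user} quiet since {before}, back at {after} from {src}")
```

On the constructed log this reports `svc_backup` as a new account given remote access within its first minutes, and a possible hand-off on the same account after roughly six days of silence from an address the account had never used. The quiet-gap threshold and the remote-group names are the knobs a practitioner would tune to their own environment; the point of the split into two functions is that the first catches the foothold being established and the second catches it changing hands.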
Exactly who was behind the hack is still unclear, but Rustici said they were not as sophisticated as a typical nation-state. That could be a bigger risk for power companies because the hackers might make a costly mistake that accidentally shuts down the system.
Criminal elements hacking the industrial grid is “probably a trend that never fell off, it just went underground,” Rustici said. “Companies don’t want to admit they paid ransom.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.