Hackers have stolen sensitive information from American energy companies -- and have planted malware in the energy grid with the intent to turn off the lights in the future.
They even managed to infect at least three energy companies with Cryptolocker ransomware, a particularly nasty computer virus that locks digital files and demands a ransom payment.
Newly released documents from the Department of Homeland Security are finally shedding some light on what exactly hackers are doing when they sneak into the American electrical grid.
The DHS intelligence assessment -- originally dated January 27, 2016 -- was published by Public Intelligence, a research project that shares secretive documents to educate people.
Some of the attacks described in the report are potentially serious.
Aggressive foreign government hackers broke into American companies 17 times between October 1, 2013 and September 30, 2014, according to DHS. In two cases they snuck into U.S. petroleum organizations, and hackers are "suspected of exfiltrating data" from one of them.
It's rare, but highly sophisticated foreign government hackers have gotten inside the energy grid, DHS said. They hack "primarily to conduct cyber espionage ... to conduct a damaging or disruptive attack in the event of hostilities with the United States," DHS stated in a recent internal "intelligence assessment."
That sounds alarming, but DHS is throwing cold water on any present worries. The agency concluded that damaging cyberattacks against the American energy sector is "possible but not likely."
That calm demeanor doesn't sit well with some cybersecurity experts. Ryan Duff is a researcher and former member of U.S. Cyber Command, the American military's hacking unit. He warned that once a hacker gets into a computer -- even if physical damage hasn't been caused yet -- the potential is there.
"While I agree with the DHS assessment overall, it's still pretty frightening," he said. "The fact is that the ability to cause destruction exists. Their assessment that attack is unlikely is based on political realities instead of technical realities. Attack is way more than technically possible."
DHS prefers to label these cyber incidents as "espionage or some other activity," rather than "cyberattacks." To date, there have been "no damaging or destructive attacks against the U.S. energy sector," DHS said.
"The majority of malicious activity occurring against the U.S. energy sector is low-level cybercrime that is ... not meant to be destructive," DHS analysts wrote.
Kyle Wilhoit, who investigates these types of hacks for Trend Micro (, said criminal hackers sometimes gain access to sensitive machinery by mistake. )
"Most of the attacks that we've witnessed against this sector are in fact criminal in nature," he told CNNMoney. "In some cases we even see criminals not realizing the importance of some of the machines [they gained access to.]"
The agency cautions against media using the term cyber "attack," although it's own 2013 advisory refers to cyber "attack" 56 times.
Closely guarded secrets
Government investigators typically keep silent about potentially destructive hacks targeting the U.S. energy sector.
A CNNMoney investigation last year showed that Corporate America keeps huge hacks secret by having the government deem any evidence "Protected Critical Infrastructure Information," which is then specially guarded from public view.
No companies with computers infected by hackers are mentioned by name. And details are slim.
For example, in 2014, CNNMoney reported that the U.S. energy grid was attacked 79 times that year. Publicly available documents would only say that the government's talented computer hacking SWAT team "responded to... incidents." And "the majority of these incidents involved attacker techniques" like fake websites and spam email.
But it wouldn't say what those incidents were -- only that they were investigated by the Industrial Control Systems Cyber Emergency Response Team, otherwise known as ICS-CERT.
Retired General Michael Hayden, who led the NSA and later the CIA, told CNNMoney in January that the country keeps too many hacks secret, which limits its ability properly guard the nation.