Hacker Selling 139GB of US Utility Engineering Data
Pickett USA breach exposes LiDAR scans, transmission line surveys, and substation layouts for Tampa Electric, Duke Energy Florida, and American Electric Power. Asking price: 6.5 BTC.
A threat actor is selling 139 gigabytes of engineering data stolen from Pickett USA, a Florida-based firm that provides surveying and mapping services to major utilities. The data includes detailed LiDAR scans of transmission line corridors, substation layouts, and infrastructure specifications for Tampa Electric Company, Duke Energy Florida, and American Electric Power.
The asking price is 6.5 bitcoin—roughly $585,000 at current exchange rates. The seller also accepts Monero for buyers who prefer additional transaction privacy.
What Was Stolen
The data dump advertised on dark web forums contains 892 files spanning multiple engineering disciplines:
- 800+ raw LiDAR point cloud files (.las format) covering transmission line corridors and substations
- Classified layer data for bare earth, vegetation, conductors, and structures
- High-resolution orthophotos (.ecw format) of infrastructure locations
- MicroStation design files (.dgn) and PTC settings for engineering work
- Vegetation feature files (.xyz format) for corridor management
- Preserved folder structures from active projects
LiDAR (Light Detection and Ranging) data is particularly sensitive for critical infrastructure. These scans provide precise three-dimensional measurements of transmission lines, poles, towers, and surrounding terrain. Combined with the design files, an adversary would have detailed blueprints for physical infrastructure serving millions of customers.
Why This Data Matters
Physical security at utilities depends partly on obscurity. While power lines are visible to anyone driving by, the detailed engineering specifications, load calculations, and structural tolerances aren't public information. That data helps defenders understand vulnerabilities and plan protections.
An adversary with comprehensive LiDAR surveys and design files could:
- Identify weak points in transmission infrastructure
- Plan physical attacks with precise location data
- Understand vegetation clearance patterns to predict maintenance windows
- Map substation layouts for targeted operations
- Feed data into AI models for infrastructure analysis
The energy sector has faced increasing attention from nation-state actors. Russia's attacks on Ukrainian power infrastructure demonstrated how detailed knowledge of electrical systems enables targeted disruption. While this breach doesn't provide operational access, it provides the reconnaissance data attackers typically need before physical operations.
About Pickett USA
Pickett USA, headquartered in Tampa, operates across the US and Caribbean providing:
- Transmission and distribution line design
- Project management for utility infrastructure
- Surveying and aerial mapping
- LiDAR scanning and analysis
The firm works directly with utilities on infrastructure projects, meaning its systems contain sensitive data for multiple energy companies. Breaching a single engineering contractor provides access to data spanning several utilities—a more efficient target than attacking utilities individually.
Utility Response
Duke Energy has confirmed it is investigating the claims. A Duke spokesperson acknowledged awareness of the alleged breach but declined to comment on specifics while the investigation continues.
Tampa Electric and American Electric Power have not issued public statements. The Register contacted Pickett USA, and a spokesperson declined to comment on the alleged breach.
The authenticity of the data has not been independently verified. However, the specificity of the file types, project naming conventions, and organizational structure suggests familiarity with utility engineering workflows rather than fabricated claims.
How the Breach Likely Occurred
Security researchers examining the listing speculate this wasn't a sophisticated zero-day attack. One analyst noted the breach was "likely not a result of a zero-day exploit against a server, but a failure of identity trust"—pointing to compromised credentials, phishing, or insider access as probable vectors.
Engineering firms often prioritize accessibility over security. Field crews, subcontractors, and utility partners need access to project files, creating pressure to keep systems open. That accessibility creates risk when credentials fall into the wrong hands or when employees fall for phishing attacks.
Broader Implications
This breach highlights a persistent risk in critical infrastructure security: the supply chain. Utilities invest heavily in securing their own systems but depend on contractors, vendors, and partners who may not maintain equivalent security standards.
Engineering and surveying firms like Pickett USA sit in a privileged position. They need detailed information about infrastructure to do their work. When those firms are breached, the exposure extends to every utility they serve.
Federal agencies have repeatedly warned about attacks on energy sector supply chains. CISA's ongoing campaigns to improve utility cybersecurity acknowledge that protecting the sector requires securing the entire ecosystem—not just the utilities themselves.
What Utilities Should Do
- Audit contractor access: Review what data engineering partners can access and whether they need all of it
- Require security attestations: Make cybersecurity requirements part of vendor contracts
- Implement data loss prevention: Monitor for large file transfers from engineering systems
- Segment project data: Don't give contractors access to data from projects they're not working on
- Plan for exposure: Assume sensitive engineering data may eventually leak and build resilience accordingly
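The data loss prevention and project segmentation items above are the two that can be turned into concrete detection logic. The following is an added example, not code from the article, Pickett USA, or any of the utilities named: it reads constructed file-server access log lines and raises an alert when a user pulls more than a threshold of engineering file types (.las, .dgn, .ecw, .xyz, the formats listed in the stolen data) inside a sliding one-hour window, and a second alert when a user reads files from a project they are not assigned to. The log field layout, the 4 GB threshold, the window length and the user-to-project assignments are all assumptions chosen for illustration.

```python
"""
Added example (not from the article or Pickett USA): a minimal detector for two
of the controls listed above. It consumes constructed file-access log lines and
flags (1) users whose download volume of engineering file types exceeds a byte
threshold inside a sliding time window and (2) users who read files belonging to
projects they are not assigned to. Field layout, thresholds, window length and
the project map are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# File types named in the article's description of the stolen data.
ENGINEERING_EXTENSIONS = {".las", ".dgn", ".ecw", ".xyz"}

# Constructed log lines: timestamp, user, action, project, path, size in bytes.
SAMPLE_LOG = """\
2025-12-01T08:02:11Z jdoe READ PRJ-A /PRJ-A/lidar/corridor_01.las 1800000000
2025-12-01T08:05:40Z jdoe READ PRJ-A /PRJ-A/design/substation.dgn 52000000
2025-12-01T08:09:02Z jdoe READ PRJ-A /PRJ-A/lidar/corridor_02.las 1900000000
2025-12-01T08:14:55Z jdoe READ PRJ-A /PRJ-A/ortho/tile_17.ecw 700000000
2025-12-01T09:30:00Z asmith READ PRJ-B /PRJ-B/veg/clearance.xyz 12000000
2025-12-01T09:31:10Z asmith READ PRJ-A /PRJ-A/design/substation.dgn 52000000
2025-12-01T11:00:00Z jdoe READ PRJ-A /PRJ-A/notes/readme.txt 2048
"""

# Assumed contractor-to-project assignments (the segmentation policy).
ASSIGNMENTS = {"jdoe": {"PRJ-A"}, "asmith": {"PRJ-B"}}

VOLUME_THRESHOLD = 4_000_000_000  # assumed: bytes of engineering files per user per window
WINDOW = timedelta(hours=1)       # assumed: sliding window length


def parse_line(line):
    """Split one constructed log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, action, project, path, size = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "project": project,
        "path": path,
        "size": int(size),
    }


def is_engineering_file(path):
    """True when the file extension is one of the LiDAR/CAD/ortho formats tracked here."""
    return PurePosixPath(path).suffix.lower() in ENGINEERING_EXTENSIONS


def detect(log_text, assignments, threshold=VOLUME_THRESHOLD, window=WINDOW):
    """Return volume alerts (user, window_start, window_end, bytes) and
    segmentation alerts (user, project, path) found in the log text."""
    volume_alerts = []
    segmentation_alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, size) engineering reads inside the window

    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    for e in events:
        if e["action"] != "READ":
            continue
        # Segmentation: any read outside the user's assigned projects is flagged.
        if e["project"] not in assignments.get(e["user"], set()):
            segmentation_alerts.append((e["user"], e["project"], e["path"]))
        if not is_engineering_file(e["path"]):
            continue
        # Volume: keep only this user's engineering reads inside the trailing window.
        q = recent[e["user"]]
        q.append((e["ts"], e["size"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(size for _, size in q)
        if total > threshold:
            volume_alerts.append((e["user"], q[0][0].isoformat(), e["ts"].isoformat(), total))
            q.clear()  # one burst yields one alert; the next window starts fresh
    return {"volume_alerts": volume_alerts, "segmentation_alerts": segmentation_alerts}


if __name__ == "__main__":
    for kind, alerts in detect(SAMPLE_LOG, ASSIGNMENTS).items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed sample, jdoe's four corridor and substation reads add up to 4.45 GB within thirteen minutes and trip the volume alert, while the later readme read is ignored because it is not an engineering format; asmith's read of a PRJ-A design file trips the segmentation alert even though it is far below the volume threshold. Real deployments would replace the static assignment map with the identity system's project memberships and tune the threshold to each crew's normal working set.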
The energy sector's attack surface extends far beyond utility control rooms. Every contractor with a CAD workstation containing infrastructure specifications represents potential exposure. Until the industry addresses supply chain security systematically, breaches like this will continue.