Russian hackers have won remote access to the control rooms of many US power suppliers, the Wall Street Journal reports.
The access could have let them shut down networks and cause blackouts, US officials told the newspaper.
The state-backed hackers won access even though command centre computers were not directly linked to the web.
The attacks succeeded by targeting smaller firms which supply utilities with other services.
The group behind the attacks, known as Dragonfly or Energetic Bear, has been traced to Russia and had racked up “hundreds of victims”, said the Department of Homeland Security (DHS). The attacks are ongoing, it added.
The hackers seem to have used tightly-targeted attacks to compromise the corporate networks of suppliers,
The attacks used emails sent to senior staff or sought to make them visit spoofed or hacked social media sites,
Once the groups won access, they carried out detailed reconnaissance to familiarise themselves with how plants and power systems worked.
The DHS took steps to warn energy suppliers as the extent of the penetration became known, said the Wall Street Journal.
The Federal agency took the unusual step of publicly talking about the attacks to raise awareness among companies that may not yet know they have been caught out.
“They’ve been intruding into our networks and are positioning themselves for a limited or widespread attack,” former US deputy assistant secretary of defence Michael Carpenter told the paper. Mr Carpenter now lectures at the University of Pennsylvania.
Cyber-security expert Robert M Lee, who helped investigate the attacks when they first came to light last year, said the threat to industrial infrastructure had to be taken “seriously.”
Attacks were “getting far more aggressive and numerous,” he said in a tweet about the WSJ story.
However, he said, the attacks marked the start of Russian attempts to manipulate power grids and he criticised overblown claims of the control the hackers had won.
Russia has consistently denied staging hack attacks on infrastructure.
Ukraine has suffered two hacks on its power grid, one in 2015 and the other in 2016. The first affected 225,000 and the second knocked out about one-fifth of Kiev’s power consumption. Both have been linked to Russian hackers.
The information about the US attacks comes soon after the country indicted 12 people for allegedly interfering with the 2016 US presidential election.