The attack was first detected in the spring of 2016 and continued throughout 2017, the Journal reported, citing officials at the Department of Homeland Security.
It was carried out by hackers who worked for a Russian state-sponsored group previously known as Dragonfly or Energetic Bear, the Journal reported. DHS officials said the hacking campaign is likely to continue.
DHS did not immediately respond to CNBC's request for comment.
Some companies that were compromised may not yet know they have become a victim in a Russian attack, according to the report. That's because the hackers used the identities of actual employees to enter the utility networks — complicating efforts to detect the intrusions.
Since 2014, DHS has been warning utility companies about the possibility of being targeted by Russian hackers, according to the report.
Russia has denied targeting "critical infrastructure" in the U.S., the Journal said.