Russia Reaches into Electrical Grid

July 24, 2018

translines2

Nightmare scenario.
November 2018, Election night thrown into chaos as blackouts descend across blue states on the eastern seaboard, and throughout much of the Midwest.

Wired:

The Cyber-Cassandras said this would happen. For decades they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world. In 2009, when the NSA’s Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges until they destroyed themselves, it seemed to offer a preview of this new era. “This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”

Now, in Ukraine, the quintessential cyberwar scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality.

And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber assault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador who focuses on cybersecurity.

Wall Street Journal:

Hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing.

The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, “air-gapped” or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.

“They got to the point where they could have thrown switches” and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS.

DHS has been warning utility executives with security clearances about the Russian group’s threat to critical infrastructure since 2014. But the briefing on Monday was the first time that DHS has given out information in an unclassified setting with as much detail. It continues to withhold the names of victims but now says there were hundreds of victims, not a few dozen as had been said previously.

It also said some companies still may not know they have been compromised, because the attacks used credentials of actual employees to get inside utility networks, potentially making the intrusions more difficult to detect.

Experts have been warning about the Russian threat for some time.

“They’ve been intruding into our networks and are positioning themselves for a limited or widespread attack,” said Michael Carpenter, former deputy assistant secretary of defense, who now is a senior director at the Penn Biden Center at the University of Pennsylvania. “They are waging a covert war on the West.”

Russia has denied targeting critical infrastructure.

Mr. Homer said the cyber-attack, which surfaced in the U.S. in the spring of 2016 and continued throughout 2017, exploited relationships that utilities have with vendors who have special access to update software, run diagnostics on equipment and perform other services that are needed to keep millions of pieces of gear in working order.

The attackers began by using conventional tools—spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites—to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.

Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks.

Then they began stealing confidential information. For example, the hackers vacuumed up information showing how utility networks were configured, what equipment was in use and how it was controlled. They also familiarized themselves with how the facilities were supposed to work, because attackers “have to learn how to take the normal and make it abnormal” to cause disruptions, said Mr. Homer.

Their goal, he said: to disguise themselves as “the people who touch these systems on a daily basis.”

DHS is conducting the briefings—four are planned—hoping for more industry cooperation. One thing the agency is trying to learn is whether there are new infections, and whether the Russians have figured out ways to defeat security enhancements like multifactor authentication.

In addition, DHS is looking for evidence that the Russians are automating their attacks, which investigators worry could presage a large increase in hacking efforts. “To scale, they’re eventually going to have to automate,” Mr. Homer said.

“You’re seeing an uptick in the way government is sharing threats and vulnerabilities,” said Scott Aaronson, a cybersecurity expert for Edison Electric Institute, the utility industry trade group. He said information sharing and penetration detection have gotten much better since the Dragonfly attacks began.

It isn’t yet clear whether the hackers used their access to prepare the battlefield for some future, devastating blow, investigators said. For example, many experts fear that a skilled technician could use unfettered access to change some equipment’s settings. That could make them unreliable in unexpected ways, causing utility engineers to do things that would result in extensive damage and potentially lengthy blackouts.

The Hill:

The newly disclosed details of the Russian campaign comes amid growing concerns about Russia’s efforts to interfere in the 2018 midterm elections.

President Trump has endured a week of criticism from Republicans and Democrats after he stood next  Russian President Vladimir Putin in Finland and cast doubt on whether Russia interfered in the 2016 election.

He later walked back the statement and expressed confidence in the intelligence community’s conclusion, though he added that it could have been others besides Russia that interfered.

Director of National Intelligence Dan Coats warned shortly before Trump met with Putin that “warning lights are blinking red” to indicate that Russia is preparing to launch another campaign to interfere in U.S. elections.

 

Advertisements

One Response to “Russia Reaches into Electrical Grid”

  1. doldrom Says:

    Nothing has been revealed in terms of evidence that even comes close to the stuxNet virus or the CIA’s Vault7. Some of the Ukrainian hacks were done on unprotected network attached old Windows 98 systems. All this red lights blinking by the US “intelligence community” is breathless projection — the psychological mechanism which Jesus illustrated with the splinter and beam in you eye. The USA has just announced they are going to spend billions more interfering in Iran’s internal politics and systems.


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: