Russia planted sabotage-enabling malware in U.S. energy grid, other critical infrastructure

The Russian hackers never went so far as to sabotage or shut down the computer systems of the various companies and organizations they infiltrated – systems which guide the operations of the plants.

Still, new computer screenshots released by DHS on Thursday show that Russian government hackers had gained the foothold they would have needed to manipulate, sabotage, or shut down power plants.

In a report made public in October, Symantec noted that a Russian hacking unit “appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”

“We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage,” Eric Chien, a security technology director at Symantec, a digital security firm, told the Times.

“From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation,” Chien said.

The U.S. intelligence community has been aware since last June of the scope and reach of Russia’s attacks on U.S. infrastructure – but yesterday’s joint FBI-DHS alert is the first time the administration has named Russia as the perpetrator of the attacks.

The cybersecurity alert issued by the FBI and DHS said: “DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks.”

“After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems,” the alert added.

In addition to the Russian cyberattacks on U.S. critical infrastructure assets, the U.S. Treasury Department cited Russian interference in the 2016 election as another reason for the new round of sanctions. Sanctions were imposed on the three main Russian actors – Russia’s two main intelligence services, the FSB and the GRU, and the GRU-operated IRA troll farm – which orchestrated the Kremlin’s campaign of interference in the 2016 election.

As a result of Russia’s election interference, U.S. officials said that thousands of Russian-planted stories reached “millions of people online” during the U.S. presidential campaign.

The Times notes that the new sanctions are the broadest set of U.S. punitive measures against Russia since the Trump administration came to power, and that many of the targets of the new sanctions are the same as those indicted by Robert Mueller.

The sanctions were also imposed for the role Russian intelligence hackers played in writing and distributing the NotPetya malware and ransomware. Officials said the NotPetya attack was initially aimed at damaging Ukraine, but was allowed to “propagate recklessly without bounds” and caused an estimated $10 billion in damage around the world, making it the most damaging and costly cyberattack in history.

“The administration is confronting and countering malign Russian cyber-activity, including their attempted interference in US elections, destructive cyber-attacks, and intrusions targeting critical infrastructure,” Steven Mnuchin, the treasury secretary, said in a statement.

“These targeted sanctions are a part of a broader effort to address the nefarious attacks emanating from Russia. Treasury intends to impose additional … sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the U.S. financial system.”

Cybersecurity experts note that the Russian government hackers who conducted the energy attacks belong to a different group from the two groups of hackers which were involved in the 2016 election interference.

This would suggest that there were at least three separate Russian cyber operations being conducted simultaneously. Two of the operations were geared to help Trump win the election: one focused on stealing documents from the Democratic National Committee, the Clinton campaign, and other political groups. The second, conducted by the St. Petersburg-based IRA troll farm, used social media to reach 126 million Americans with false postings, fake news, and misleading assertions aiming to sow discord and division along racial, ethnic, and religious lines. The third effort sought to infiltrate U.S. (and European) critical infrastructure nodes.

The Times notes that private security firms have tracked the Russian government assaults on Western power and energy operators — conducted alternately by groups under the names DragonFly, Energetic Bear, and Berserk Bear — since 2011, when the Russian government first started targeting defense and aviation companies in the United States and Canada.

By 2013, researchers had linked the Russian government hackers to hundreds of attacks on energy grid and oil and gas pipeline operators in the United States and Europe. The cyberattacks initially appeared to be motivated by industrial espionage — researchers say that at the time it was a natural conclusion to draw, given the importance of Russia’s oil and gas industry.

But by December 2015, the Russian hacks had taken an aggressive turn. The attacks were no longer aimed at intelligence gathering, but at potentially sabotaging or shutting down the operation of infrastructure facilities.

Security experts do not regard the sanctions announced on Thursday as tough enough to cause the Kremlin to rethink its campaign of political interference and infrastructure infiltration.

Lt. Gen. Paul Nakasone, who has been nominated as director of the National Security Agency and commander of United States Cyber Command, said during his Senate confirmation last week that countries attacking the United States so far have little to worry about.

“I would say right now they do not think much will happen to them,” General Nakasone said. He later added, “They don’t fear us.”