Treasury Secretary Steven Mnuchin issued a statement on Thursday announcing sanctions against Russia for meddling in the 2016 presidential election, launching the costly NotPetya cyberattack, and making “intrusions targeting critical infrastructure.”
National security officials separately accused Russia of conducting an ongoing operation to destabilize the U.S. electrical grid, based on intelligence from the FBI and the Department of Homeland Security. Here’s a quick guide for understanding what these accusations mean—and how you hack an electrical grid.
What did the Russian hackers allegedly do?
Anonymous security officials told reporters that Russian intelligence breached computer systems for the electricity grid and conducted “network reconnaissance.”
The Department of Homeland Security and FBI also issued an alert characterizing the attack as a “multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”
How’d they do it?
The hackers used a variety of methods, such as sending Word documents laced with malware to steal logins and passwords from people at smaller companies. After gaining a foothold, the hackers then invaded the networks of bigger targets to purloin information about industrial control systems for critical infrastructure.
Robert Lee, the CEO of cybersecurity firm Dragos, told Slate over email: “The information from DHS is a great amplification of what has been known to the community already. We reported this threat and the activity to our customers in late 2017.”
Are they still in the grid?
The officials claim that the government has assisted the affected energy companies in expelling the hackers, though there is a possibility that there are additional undiscovered breaches.
Why were they gathering this information?
There are two stages of an attack on systems that control energy generation and distribution for a power grid, says Sergio Caltagirone, director of threat intelligence at Dragos.
The first stage involves an adversary infiltrating networks and spending at least nine months gathering intelligence on energy companies and infrastructure. This is a precursor to a potential attack in the second stage.
However, just because hackers have initiated the first stage, it doesn’t mean an attack is imminent—and it’s difficult to tell what kind of attack they could be planning. Caltagirone told Slate, “The information gathered would only really be useful in a potential attack scenario. … But we don’t know what kind of attack they are preparing for or considering.”
The most likely reason for the numerous breaches is that the hackers are just gathering information to have in case they ever wanted to use it to disrupt the grid in the future. But Caltagirone thinks that the chances of an actual attack later on are pretty low. He said, “Any actor worth their salt knows that if you take down a country’s electrical grid, you’re probably setting yourself up for an act of war.”
Researchers at Dragos are more concerned that hackers attempting to conduct a test on a smaller regional operator could make a costly mistake. A test gone haywire could inadvertently set off a power outage, which could affect hospitals and safety controls for plants, and cause other life-threatening scenarios. Because of this possibility, Caltagirone emphasized, “Any adversary operating within civilian infrastructure and control systems should be a clear and automatic red line for the entire world community.”
Did we know that hackers were targeting the U.S.’s electricity infrastructure before?
Yes. In September, a cybersecurity firm called Symantec warned that a group it called DragonFly 2.0 had infiltrated dozens of U.S. power companies over the course of nine months. Though the hackers obtained access that would’ve allowed them to shut down energy production and distribution operations, they held back. National security experts at the time said the breach was likely a warning from Russia.
Thursday’s alert said the energy grid hacking it describes is related to the DragonFly campaign. “All we’ve seen from DragonFly so far is information gathering,” said Caltagirone. “They’ve been very good at doing it. They’ve been doing it longer than anyone else in the world, based on the public intelligence that’s available.” Yet DragonFly isn’t known for launching attacks. Usually, another group steps in to conduct a second-stage attack based on the information gathered in the first stage.
Have the Russians allegedly done this anywhere else?
Ukraine, often a testing ground for Russian cyberoffensives, has twice blamed Russia for attacks on its electrical grid. In 2015, more than 23,000 residents lost power after a Russian hack that downed around 30 substations and backup power supplies. The Washington Post then reported in June that hackers associated with the Kremlin had developed malware that knocked out one-fifth of the power generated in the Ukrainian capital Kiev in 2016. Dragos found that the hackers could modify the malware to attack systems in the U.S. and other countries.
“Everything that happened in this report [from the FBI and DHS] happened in the Ukraine, minus the disruption,” Caltagirone said. “What somebody does to Ukraine is probably going to be very similar to what someone does to the U.S. or Nigeria. The initial steps are common across the threat spectrum. What’s unique is what they do next. That’s something this report doesn’t go into because we don’t actually think the adversary has taken those next steps yet.”