Russia’s cyber operations likely extend beyond our elections and against our critical infrastructure.

Jared Stancombe, published in Game of Pwns
5 min read, Aug 6, 2017

Last year, former CIA Director John Brennan was asked “What keeps you up at night?” during an interview with 60 Minutes. NSA Director Admiral Michael Rogers was asked the same question in an interview the year before. Rather than citing the threat of Islamist terrorism or North Korea’s nuclear weapons programs, they both clearly stated that cyber attacks against our critical infrastructure, such as our nuclear power plants, financial systems, and water treatment systems, pose a potentially crippling threat that could cause billions in damage and potentially the loss of life. Russia, rather than using its computer network exploitation (CNE) and computer network operations (CNO) capabilities just to collect information, is integrating those capabilities into information warfare campaigns to interfere in elections in Western nations and weaponizing its cyber tools to damage the critical infrastructure and command and control systems of adversarial nations.

For many Americans, the hacking of the Democratic National Committee (DNC) was the first time they learned about the political impacts of cyber operations. The FBI, CIA, and NSA released a Joint Analysis Report (JAR) earlier this year providing unclassified details on Russian military and civilian cyber efforts to undermine the 2016 presidential election. They state that two “advanced persistent threats” (APTs) were involved in the hacking of the DNC. APT29 hacked the DNC in the summer of 2015 and APT28 infiltrated DNC computer networks in the spring of 2016. These APTs used techniques and tools consistent with other Russian CNE and CNO activities. They used spearphishing, that is, sending fake emails to specific accounts containing shortened URLs that link to Remote Access Tools (RATs), which the hackers can then use to infiltrate computer networks. APTs are not inherently malicious in nature, meaning that their purpose is not to cause damage, but to collect data. However, DNC emails began appearing on a website called DCLeaks in June 2016, and soon after, on WikiLeaks. Private sector cybersecurity firms such as FireEye’s Mandiant have “medium confidence” that APT28 is affiliated with the GRU, Russia’s foreign military intelligence agency, and have named APT28 “Fancy Bear.” APT29 uses a cyber tool which Mandiant has called “HAMMERTOSS,” which stealthily installs malware using code obfuscation and uses steganography and social media to send commands to the malware. It is believed, based on its behavior, that APT29 is affiliated with the GRU. APT28 and APT29, which hacked the DNC, are believed by the U.S. Intelligence Community to be Russian operations to undermine our elections. However, Russian APTs likely extend their operations beyond our electoral systems and into our critical infrastructure.
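The spearphishing pattern described above (targeted messages carrying shortened URLs that hide the real destination) is something a mail gateway or SOC analyst can screen for. The following is an added example, not code from the original post or from any vendor or agency named in it: it extracts every link from a message body, flags links whose host is a known URL shortener, and reports which recipients received them. The messages, sender and recipient addresses, and the shortener list are all constructed sample data, not real campaign artifacts.

```python
"""Screen inbound mail for links hidden behind URL shorteners (added example)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed list of common public URL shorteners; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Matches an http(s) URL up to the next whitespace, quote, or closing bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")


def extract_urls(body: str) -> List[str]:
    """Return every http(s) URL found in the message body, in order of appearance."""
    return URL_RE.findall(body)


def is_shortened(url: str) -> bool:
    """True if the link's host (ignoring any port) is a known shortener or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in SHORTENER_HOSTS)


def screen_messages(messages: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per message that carries at least one shortened link.

    Each message is a dict with 'recipient', 'sender' and 'body' keys.
    A finding records who received the message, who sent it, and the flagged links,
    which is what an analyst needs to see whether specific accounts are being targeted.
    """
    findings: List[Dict[str, object]] = []
    for msg in messages:
        shortened = [u for u in extract_urls(msg["body"]) if is_shortened(u)]
        if shortened:
            findings.append({
                "recipient": msg["recipient"],
                "sender": msg["sender"],
                "links": shortened,
            })
    return findings


# Constructed sample messages; every domain here is a placeholder.
SAMPLE_MESSAGES = [
    {
        "recipient": "staffer@example-party.org",
        "sender": "it-support@example-party-helpdesk.net",
        "body": "Your mailbox is almost full. Review usage at http://bit.ly/xyz123 today.",
    },
    {
        "recipient": "finance@example-party.org",
        "sender": "newsletter@example-news.org",
        "body": "This week's briefing: https://www.example-news.org/briefing/2016-06",
    },
    {
        "recipient": "press@example-party.org",
        "sender": "colleague@example-party.org",
        "body": "Two links: https://docs.example-party.org/agenda and https://t.co/abcd (see both)",
    },
]

if __name__ == "__main__":
    for f in screen_messages(SAMPLE_MESSAGES):
        print(f"{f['recipient']} received shortened link(s) {f['links']} from {f['sender']}")
```

Host matching alone only tells you that a link's destination is hidden, not what it is; in practice a gateway would expand the shortener server-side (or detonate the final URL in a sandbox) before deciding whether to quarantine, and it would correlate findings across recipients, since a cluster of shortened links landing on a handful of named accounts is the targeting signature the post describes.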

According to the U.S. Department of Homeland Security, there are “16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” One example of our critical infrastructure is our energy sector, which generates, transmits, and distributes electrical energy over a power grid made up of a maze of power plants, high voltage lines, towers, underground cables, transformers, breakers, relays, and substations. An attack upon a vulnerable point in our electrical grid could create a cascading effect in which entire regional grids shut down, creating serious blackouts. These blackouts could potentially cause hundreds of billions in damage and threaten lives.

Russia is already using cyber weapons to attack the energy sector in Ukraine. Using tactics similar to those used against the DNC, in December 2015 Russian hackers sent spearphishing emails carrying malware to specific energy sector employees and stole their login credentials, which they used to shut down nearly 60 substations in the Ivano-Frankivsk region. The same malware has been detected in U.S. information systems that manage our own energy grid. Russia may also be placing malware in our water treatment systems, transportation infrastructure, financial systems, and defense industry systems, positioning it strategically not just to collect data as it did with the DNC, but to serve as a weapon to damage our critical infrastructure in an attack against the United States. APT28 and APT29 took deliberate efforts to hide themselves within the DNC’s information systems. They are likely also using similar tradecraft to remain hidden in information systems such as the Supervisory Control and Data Acquisition (SCADA) software that manages automated systems.

The 2010 Stuxnet attack against Iran’s Natanz nuclear facilities used “zero day exploits” to infiltrate SCADA systems, specifically the Programmable Logic Controllers (PLCs) that controlled the centrifuges Iran used to enrich uranium. Rather than taking down all the centrifuges at once, the attack targeted the PLCs slowly, making the scientists believe that the centrifuges were failing on their own rather than failing because of a cyber attack. Stuxnet was the first time a cyber weapon was used to deliberately attack a foreign country’s facilities with the intent of creating actual harm.

Russia, along with China and North Korea, has taken notice that cyber weapons can be used as offensive weapons of war rather than only as tools of espionage. Compared with using kinetic weapons to disable critical infrastructure and information systems, cyber weapons are cheaper, require less manpower, and reduce the risk of attribution. In the event of a cyber attack, we may not know who is conducting the attack for days, weeks, months, or even years. Even now, there is no direct evidence that APT28 and APT29 are GRU operations. This is due to their efforts to conceal and obfuscate their activities. Putin has denied that the government conducts CNE and CNO operations, claiming that they are being conducted by “patriotic hackers.”

The next act of war against the United States could seem more like the aftermath of Hurricane Katrina than Pearl Harbor. We may see coordinated attacks against three or more critical infrastructure systems that are codependent upon each other, resulting in massive economic damage and enormous risk to human life. For example, water treatment facilities may have their SCADA systems hacked so that toxins from bacteria and algae are released because they are not properly filtered out. We could see financial systems hacked in a way that halts trading on stock exchanges by locking traders out of the information systems they use to make decisions. And we could possibly see PLCs hacked that control the coolant systems of nuclear power plants, potentially causing damage that could release radioactivity into the atmosphere. We might not know how the attack was conducted until months or years afterward, and we would never know definitively, with high confidence, who conducted it, leaving the U.S. military essentially powerless to respond. The malware that could launch these attacks could already be installed in the information systems of our critical infrastructure facilities, waiting for the trigger to be pulled.

The threat of cyber warfare must be taken seriously by American policymakers, decision makers, and the public. Russia has a long history of using its cyber offense capabilities not just in the United States and Ukraine, but also in its war against Georgia and against Estonia. It is also likely using its cyber capabilities in support of information warfare operations against European countries to empower right wing isolationist candidates, as we saw when Macron’s emails were leaked online to empower Marine Le Pen. Despite billions in investment in cybersecurity, there will always be vulnerabilities to be exploited, and we must remain vigilant and prepared in the event of a potentially crippling first strike in what could be the next major war.

Jared is a former analyst with the U.S. Department of Homeland Security with an interest in the intersection between national security and cybersecurity.