For three years, Russian cyber warriors have been terrorizing Ukraine. Their ultimate goal? Learning how to terrorize the United States.
The Clocks Read Zero When The Lights Went Out…
It was a Saturday night last December, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kiev apartment. The 40-year-old Ukrainian cyber security researcher and his family were an hour into Oliver Stone’s film “Snowden” when their building abruptly lost power.
“The hackers don’t want us to finish the movie,” Yasinsky’s wife joked. She was referring to an event that had occurred a year earlier, a cyber attack that had cut electricity to nearly a quarter-million Ukrainians two days before Christmas in 2015. Yasinsky, a chief forensic analyst at a Kiev digital security firm, didn’t laugh. He looked over at a portable clock on his desk: The time was 00:00. Precisely midnight.
After lighting candles, Yasinsky went to the kitchen window and looked out on a view of the city he had never seen before: The entire skyline around his apartment building was dark. Only the gray glow of distant lights reflected off the clouded sky, outlining blackened hulks of modern condos and Soviet high-rises.
Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside – close to zero degrees Fahrenheit – the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.
Yasinsky was an engineer, and over the past 14 months he had found himself at the center of an enveloping crisis. A growing roster of Ukrainian companies and government agencies had come to him to analyze a plague of cyber attacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it.
Investigating further, he discovered the piece of malware that had served as the hackers’ initial foothold: an all-purpose Trojan known as BlackEnergy. After attacks on companies such as Ukrzaliznytsia, Ukraine’s biggest railway company, it was discovered that the hackers used BlackEnergy for access and reconnaissance, then KillDisk for destruction. He had no idea that by December 2015, BlackEnergy and KillDisk were also lodged inside the computer systems of at least three major Ukrainian power companies, lying in wait.
The Cyber-Cassandras said this would happen. For decades, they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world.
In Ukraine, the cyber-war scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality.
The blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years – a sustained cyber assault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, and energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions.
Kenneth Geers, a NATO ambassador who focuses on cyber security, said, “You can’t really find a space in Ukraine where there hasn’t been an attack.”
In a public statement in December, Ukraine’s president, Petro Poroshenko, reported that there had been 6,500 cyber attacks on 36 Ukrainian targets in just the previous two months. Ukraine’s investigations point to the “direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country.”
It helps to understand Russia’s uniquely abusive relationship with its largest neighbor to the west. Moscow has long regarded Ukraine as both a rightful part of Russia’s empire and an important territorial asset – a strategic buffer between Russia and the powers of NATO, a lucrative pipeline route to Europe, and home to one of Russia’s few accessible warm-water ports. For all those reasons, Moscow has worked for generations to keep Ukraine in the position of a submissive smaller sibling.
Over the past decade and a half, Moscow’s leash on Ukraine has frayed, as popular support in the country has pulled toward NATO and the European Union. From the beginning, one of this war’s major fronts has been digital.
Yushchenko, who ended up serving as Ukraine’s president from 2005 to 2010, believes that Russia’s tactics, online and off, have one single aim: “To destabilize the situation in Ukraine, to make its government look incompetent and vulnerable. Russia will never accept Ukraine being a sovereign and independent country.”
Many global cyber security analysts have a much larger theory about the endgame of Ukraine’s hacking epidemic: They believe Russia is using the country as a cyber war testing ground – a laboratory for perfecting new forms of global online combat. And the digital explosives that Russia has repeatedly set off in Ukraine are ones it has planted at least once before in the civil infrastructure of the United States.
Back in the United States, a man named Robert Lee was to be married in his hometown of Cullman, Alabama. Lee had recently left a high-level job at a three-letter US intelligence agency, where he had focused on the cyber security of critical infrastructure. Now he was settling down to launch his own security startup and marry the Dutch girlfriend he’d met while stationed abroad.
As Lee busied himself with wedding preparations, he saw news headlines claiming that hackers had just taken down a power grid in western Ukraine. A significant swath of the country had apparently gone dark for six hours. Lee blew off the story. He had heard spurious claims of hacked grids plenty of times, but they were usually caused by a rodent or a bird. The notion that squirrels represented a greater threat to the power grid than hackers had become a running joke in the industry.
The next day, just before the wedding, Lee got a text about the purported cyber attack from Mike Assante, a security researcher at the SANS Institute, an elite cyber security-training center. That got Lee’s attention: When it comes to digital threats to power grids, Assante is one of the most respected experts in the world. He was telling Lee that the Ukraine blackout hack looked like the real thing.
Just after Lee had said his vows and kissed his bride, a contact in Ukraine messaged him as well: The blackout hack was real, the man said, and he needed Lee’s help. Lee immediately retreated to his mother’s desktop computer in his parents’ house nearby. He pulled up maps of Ukraine and a chart of its power grid. The three power companies’ substations that had been hit were in different regions of the country, hundreds of miles from one another and unconnected. “This was not a squirrel,” Lee concluded with a dark thrill.
It appeared the hackers had spread through the power companies’ networks and eventually compromised a VPN the companies had used for remote access to their network – including software that gives operators remote command over equipment like circuit breakers.
Looking at the attackers’ methods, Lee began to form a notion of whom he was up against. He was alerted to a group known in the cyber security world as Sandworm. In 2014, the security firm FireEye had issued warnings about a team of hackers that was planting BlackEnergy malware on targets that included Polish energy firms and Ukrainian government agencies. All signs indicated that the hackers were Russian: FireEye had traced one of Sandworm’s distinctive intrusion techniques to a presentation at a Russian hacker conference.
Most disturbing of all for American analysts, Sandworm’s targets extended across the Atlantic. Earlier in 2014, the US government reported that hackers had planted BlackEnergy on the networks of American power and water utilities. Working from the government’s findings, FireEye had been able to pin those intrusions, too, on Sandworm.
For Lee, the pieces came together. It looked like the same group that had just snuffed out the lights for nearly a quarter-million Ukrainians had not long ago infected the computers of American electric utilities with the very same malware.
The Ukraine attack represented something more than a faraway foreign case study. “An adversary that had already targeted American energy utilities had crossed the line and taken down a power grid,” Lee says. “It was an imminent threat to the United States.”
Soon after, a meeting took place at a Hyatt hotel, a block from the golden-domed Saint Sophia Cathedral. Among those in attendance were staff from the FBI, the Department of Energy, the Department of Homeland Security, and the North American Electric Reliability Corporation, the body responsible for the stability of the US grid, all part of a delegation that had been assigned to get to the bottom of the Ukrainian blackout. They met with the staff of Kyivoblenergo, the city’s regional power distribution company and one of the three victims of the power grid attacks.
With utmost precision, the hackers had engineered a blackout within a blackout. “The message was, ‘I’m going to make you feel this everywhere.’ Boom boom boom boom boom boom boom,” Assante says, imagining the attack from the perspective of a bewildered grid operator. “These attackers must have seemed like they were gods.”
In 2016, there was another attack on Ukraine’s grid, taking down the distribution stations that branched off into capillaries of power lines. A single Kiev transmission station carried 200 megawatts, more total electric load than all the 50-plus distribution stations knocked out in the 2015 attack combined. Luckily, the system was down for just an hour. The Ukrenergo engineers were able to manually close circuits and bring everything back online before pipes started freezing and the locals started panicking. Ukrainian security officials say they’ve linked the 2016 attack to the same hackers who hit regional power utilities in 2015. The attackers this time came a step closer to building a fully automated grid-killing weapon, capable of breaking circuits on cue.
Robert Lee pointed out that, for the first time in history, a group of hackers had shown that it was willing and able to attack critical infrastructure. The same group had already planted BlackEnergy malware on the US grid once before. “The people who understand the US power grid know that it can happen here,” Lee says.
A future breach might target not a distribution or transmission station, but an actual power plant. An attack could be designed not simply to turn off equipment, but to destroy it. It is possible that someone could permanently disable power-generation equipment or the massive, difficult-to-replace transformers that serve as the backbone of our transmission system. “Washington, DC? A nation-state could take it out for two months without much issue,” Lee says.
The American cyber security community often talks about “advanced persistent threats” – sophisticated hackers who don’t simply infiltrate a system for the sake of one attack, but stay there, silently keeping their hold on a target. In his nightmares, Lee says, American infrastructure is hacked with this kind of persistence: transportation networks, pipelines, or power grids taken down again and again by deep-rooted adversaries. “If they did that in multiple places, you could have up to a month of outages across an entire region. Tell me what doesn’t change dramatically when key cities across half of the US don’t have power for a month.”
It is one thing to contemplate what an actor like Russia could do to the American grid; it’s another to contemplate why. A grid attack on American utilities would almost certainly result in immediate, serious retaliation by the US.
Some cyber security analysts argue that Russia’s goal is simply to hem in America’s own cyberwar strategy: By turning the lights out in Kiev – and showing that it’s capable of penetrating the American grid – Moscow sends a message warning the US not to try a Stuxnet-style attack on Russia or its allies, like Syrian dictator Bashar al-Assad. In that view, it’s all a game of deterrence.
Lee, who was involved in war-game scenarios during his time in intelligence, believes Russia might actually strike American utilities as a retaliatory measure if it ever saw itself as backed into a corner – say, if the US threatened to interfere with Moscow’s military interest in Ukraine or Syria.
American power companies have already learned from Ukraine’s victimization, says Marcus Sachs, chief security officer of the North American Electric Reliability Corporation. Sachs said, “It would be hard to say we’re not vulnerable. Anything connected to something else is vulnerable. To make the leap and suggest that the grid is milliseconds away from collapse is irresponsible.”
For those who have been paying attention to Sandworm for almost three years, raising an alarm about the potential for an attack on the US grid is no longer crying wolf.
For John Hultquist, head of the team of researchers at FireEye that first spotted and named the Sandworm group, the wolves have arrived. “We’ve seen this actor show a capability to turn out the lights and an interest in US systems,” Hultquist says.
Yasinsky says there is no way to know exactly how many Ukrainian institutions have been hit in the escalating campaign of cyber attacks. The attacks, Yasinsky has noticed, have settled into a seasonal cycle: During the first months of the year, the hackers lay their groundwork, silently penetrating targets and spreading their foothold. At the end of the year, they unleash their payload. Yasinsky knows by now that even as he’s analyzing last year’s power grid attack, the seeds are already being sown for 2017’s December surprises. Yasinsky thinks that what Ukraine has faced for the past three years may have been just a series of practice tests. He believes the attackers’ intentions until now can be summed up in one single Russian word: polygon – a training ground. Even in the most damaging attacks, the hackers could have gone further. They could have destroyed not just stored data but its backups too. The American analysts Assante and Lee noted that the attackers could have caused more permanent, physical harm to the grid, but they agree with Yasinsky’s assessment: “They’re still playing with us.”
Ukraine is not France or Germany. Lots of Americans can’t even find it on a map, so it is a great place for Russian hackers to practice.
At a meeting of diplomats in April, US secretary of state Rex Tillerson went so far as to ask, “Why should US taxpayers be interested in Ukraine?”
In that shadow of neglect, Russia isn’t only pushing the limits of its technical abilities, it is also feeling out the edges of what the international community will tolerate. Russian hackers turned off the power in Ukraine with impunity.
Thomas Rid, a professor in the War Studies department at King’s College London said, “They’re testing out red lines, what they can get away with. You push and see if you’re pushed back. If not, you try the next step.”
What will the next step look like?
Yasinsky admits he doesn’t know. He says, “It’s a medium, and that medium connects, in every direction, to the machinery of civilization itself.”
When will they turn the lights out in America?
That’s the million-dollar question!
Summarized from an article written by Andy Greenberg for WIRED magazine/July 2017.