Russian hackers who pose threat to US election have breached nuclear plants, power grid in the past

The timing of the attacks so close to the election and the potential for disruption set off concern inside private security firms, law enforcement and intelligence agencies

The New York Times October 24, 2020 17:18:57 IST

People wear masks as they wait in line during early voting at Park Ridge City Hall in Park Ridge, Illinois. AP

Cybersecurity officials watched with growing alarm in September as Russian state hackers started prowling around dozens of American state and local government computer systems just two months before the election.

The act itself did not worry them so much — officials anticipated that the Russians who interfered in the 2016 election would be back — but the actor did. The group, known to researchers as “Dragonfly” or “Energetic Bear” for its hackings of the energy sector, was not involved in the 2016 election hacking. But it has in the past five years breached the power grid, water treatment facilities, and even nuclear power plants, including one in Kansas.

It also hacked into Wi-Fi systems at San Francisco International Airport and at least two other West Coast airports in March in an apparent bid to find one unidentified traveler, a demonstration of the hackers’ power and resolve.

September’s intrusions marked the first time that researchers caught the group, a unit of Russia’s Federal Security Service, or FSB, targeting states and counties. The timing of the attacks so close to the election and the potential for disruption set off concern inside private security firms, law enforcement and intelligence agencies.

“One possible explanation is that they are calling in the real pros — the A-Team — who is used to operating in this really sensitive critical infrastructure where you want to keep quiet until you don’t,” said Suzanne Spaulding, the former undersecretary for cybersecurity and critical infrastructure at the Department of Homeland Security.

In 2016, Russian hackers from other groups were unusually noisy in their efforts to penetrate some state election databases. “You could argue they didn’t care about being quiet,” Spaulding said. But now that Russia has been called out and punished for interfering in the election, President Vladimir Putin “may want to keep this quiet until the circumstances are set for their use in information operations”, she added.

American officials described the hackings in an advisory on Thursday as “opportunistic,” rather than a clear attack on the election infrastructure, but conceded the group had targeted dozens of state and local systems and stolen data from at least two targets’ servers.

“They’re broadly looking to scan for vulnerabilities and they’re working opportunistically,” said Christopher C Krebs, the director of the Cybersecurity and Infrastructure Security Agency, which issued the warning along with the FBI.

That hardly reassured researchers who have tracked Energetic Bear for years. “This appears to be preparatory, to ensure access when they decide they need it,” said Adam Meyers, the head of threat intelligence at CrowdStrike, a security firm that has monitored the group.

Energetic Bear typically casts a wide net, then zeroes in on a few high-value targets. In Germany and the United States, the group has infected websites popular in the energy sector, downloading malware onto the machines of anyone who visited the sites, then searching for employees with access to industrial systems.

In other attacks, it has hijacked the software updates for computers attached to industrial control systems. It has also blasted targets with phishing emails in search of employees, or co-workers, who might have access to critical systems at water, power, and nuclear plants.


A file image of an election worker arranging returned ballots from a sorting machine at the King County Elections office in Renton, Washington. US officials recently said that Russian hackers have targeted the networks of dozens of state and local governments in the United States in recent days, stealing data from at least two servers. AP

And it has done so with remarkable success. A disturbing screenshot in a 2018 Department of Homeland Security advisory showed the group’s hackers with their fingers on the switches of the computers that controlled the industrial systems at a power plant.

The group has thus far stopped short of sabotage but appears to be preparing for some future attack. The hackings so unnerved officials that starting in 2018, the US Cyber Command, the arm of the Pentagon that conducts offensive cyberattacks, hit back with retaliatory strikes on the Russian grid.

Some called the counterattacks the digital era’s equivalent of mutually assured destruction. But any hope that US officials had that their strikes would deter Russia dissipated when the group started targeting American airports in March.

Officials at San Francisco International Airport discovered Russia’s state hackers had breached the online system that airport employees and travelers used to gain access to the airport’s Wi-Fi. The hackers injected code into two Wi-Fi portals that stole visitors’ user names, cracked their passwords, and infected their laptops.

The attack began on 17 March and continued for nearly two weeks until it was shut down. By then, officials at two other airports discovered their Wi-Fi portals had also been compromised. Researchers would not name the other victims, citing nondisclosure agreements, but said they were on the West Coast.

As pervasive as the attacks could have been, researchers believe Russia’s hackers were interested only in one specific person traveling through the airports that day.

“Ostensibly, hundreds of thousands of people could have been compromised,” said Eric Chien, a cybersecurity director at Symantec, who examined the attack. “But only 10 were.”

Chien’s team discovered that the hackers were “fingerprinting” the machines of anyone who logged onto the Wi-Fi network in search of one older version of Microsoft’s Internet Explorer browser. If they found a match, the hackers infected those laptops. If the Wi-Fi visitors used any other browser, the hackers left them alone.

“From what we could see, they were going after a specific individual,” Chien said.
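The selection step Chien describes, as an added example that is not code from the article, from Symantec or from the attackers. It assumes the fingerprint keyed on the browser’s User-Agent header (the article says only that machines were “fingerprinted” for an older Internet Explorer; a real portal script could also probe engine features), and it pairs the attacker-side rule with the defender’s follow-up of replaying portal access logs through the same rule. The log lines, paths, addresses and the version cut-off are constructed for illustration.

```javascript
// Added example, not code from the article, Symantec or the attackers.
// (1) the kind of browser check a tampered captive portal can use to serve
//     a payload only to visitors running an old Internet Explorer, and
// (2) the defender's follow-up: replaying portal access logs through the
//     same rule to list which visitors would have matched.
// Assumption: the check keys on the User-Agent header; a real script might
// also probe engine features. Log lines, paths and addresses are constructed.

// Extract the major Internet Explorer version from a User-Agent string.
// IE 10 and earlier announce "MSIE x.y"; IE 11 dropped that token and is
// recognisable by "Trident/7.0 ... rv:11.0". Any other browser yields null.
function internetExplorerVersion(userAgent) {
  const msie = /MSIE (\d+)\.\d+/.exec(userAgent);
  if (msie) return parseInt(msie[1], 10);
  const trident = /Trident\/\d+\.\d+.*?rv:(\d+)\.\d+/.exec(userAgent);
  if (trident) return parseInt(trident[1], 10);
  return null;
}

// Attacker-side selection rule: true only for IE builds older than
// maxVersion (an assumed cut-off; the article does not name the version).
// Everyone else gets the untouched login page and never sees a payload,
// which is how a portal seen by hundreds of thousands yields a handful
// of victims.
function isTargetedBrowser(userAgent, maxVersion = 11) {
  const version = internetExplorerVersion(userAgent);
  return version !== null && version < maxVersion;
}

// Constructed portal hits in Apache/nginx "combined" log format.
const SAMPLE_LOG = [
  '10.0.4.21 - - [17/Mar/2020:08:02:11 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"',
  '10.0.4.22 - - [17/Mar/2020:08:02:40 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
  '10.0.4.23 - - [17/Mar/2020:08:03:05 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
  '10.0.4.24 - - [17/Mar/2020:08:03:31 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1"',
  '10.0.4.25 - - [17/Mar/2020:08:04:12 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
  '10.0.4.22 - - [17/Mar/2020:08:04:50 +0000] "GET /static/portal.js HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
];

// Parse one combined-format line into its fields; null for lines that do
// not match (blank or truncated entries).
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), userAgent: m[6] };
}

// Defender-side triage: count distinct clients that loaded the portal page
// and list the ones the selection rule would have picked, so responders
// know which hosts to image instead of the whole visitor population.
function triagePortalLog(lines, portalPath = '/login', maxVersion = 11) {
  const visitors = new Set();
  const targeted = [];
  for (const line of lines) {
    const hit = parseLogLine(line);
    if (!hit || hit.path !== portalPath) continue;
    visitors.add(hit.ip);
    if (isTargetedBrowser(hit.userAgent, maxVersion)) {
      targeted.push({ ip: hit.ip, time: hit.time, ieVersion: internetExplorerVersion(hit.userAgent) });
    }
  }
  return { visitors: visitors.size, targeted };
}

// Stand-alone run: prints the visitor count and the matched clients.
const report = triagePortalLog(SAMPLE_LOG);
console.log(`${report.visitors} portal visitors, ${report.targeted.length} matched the targeting rule`);
for (const t of report.targeted) console.log(`  ${t.ip} at ${t.time} (IE ${t.ieVersion})`);
```

On the constructed sample, five distinct clients load the portal page and two (the IE 8 and IE 9 visitors) match the rule; the IE 11 visitor does not, because the assumed cut-off excludes it. A User-Agent can be spoofed and some legitimate visitors still run old browsers, so the list is a triage set rather than proof of infection; a second pass should confirm that each listed client also fetched whatever resource the injected portal code served.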

In the government alert on Thursday, officials said that the Russian group was again targeting aviation systems. It did not name the targets but did suggest in some technical language that one could have been the airport in Columbus, Ohio.

In a previous homeland security warning about the group, officials said it “targets low security and small networks to gain access and move laterally to networks of major, high-value asset owners within the energy sector”.

Security researchers warned that the spate of attacks on American state and local systems could mirror the trajectory of those attacks: Russia’s hackers using their foothold in seemingly random victims’ networks to mine for more interesting targets closer to the election on 3 November. They could take steps like pulling offline the databases that verify voters’ signatures on mail-in ballots or, given their particular expertise, shutting power to key precincts.

“The most disconcerting piece is that it demonstrates Russia’s intent and ability to target systems near and dear to us, but that shouldn’t surprise us,” said Frank Cilluffo, the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.

By deputising the FSB’s stealthiest infrastructure hackers to target state and local systems, some security experts believe Russia may be hedging its bets.

If, for example, Putin believes US president Donald Trump will be re-elected and wants to forge a better relationship with the United States, he may want to limit the degree to which Russia is seen as interfering.

Likewise, the experts said, if former Vice President Joe Biden, the Democratic nominee, is elected, Russia may try to use its foothold in the systems to weaken or delegitimise him, or it may hold back so as not to provoke the new administration.

“By doing this more quietly, you give yourself more options,” Spaulding said.

Campbell Robertson, Edgar Sandoval, Lucy Tompkins and Simon Romero c.2020 The New York Times Company
