SAN FRANCISCO — It was just before midnight on Dec. 17, 2016, when most of the Ukrainian capital, Kiev, went dark.
A transmission station, a type of power station that transmits high-voltage electricity across large areas, had gone down. Vsevolod Kovalchuk, the head of Ukrainian state power grid operator Ukrenergo, explained on his Facebook page that the station had come under an “external attack” lasting roughly 30 minutes.
It was, cybersecurity experts said, the most recent maneuver in Russia’s increasingly aggressive and overt efforts to push the boundaries of modern-day warfare using everything from old-fashioned kompromat, the Russian term for publishing (real or fake) compromising material designed to smear opponents, to malware that blacks out cities.
“The Russians use cyberweapons like they butter bread in the morning. It’s a critical, fundamental component of their global hybrid warfare strategy. They are pushing the envelope on how they use it every day,” said Malcolm Nance, a former counterterrorism and intelligence officer for the US military, intelligence agencies, and the Department of Homeland Security. “Ukraine is just one of many test beds.”
If the world is currently entering a new era of cyberwarfare, Russian hackers are the pirates of those yet-uncharted seas. Nearly every week brings a new cyberattack, as Russia tests the vulnerabilities of countries around the world. From hacking into the emails of senior members of the Democratic Party to defacing the websites of Eastern European political candidates, Russia is being named as the perpetrator of the most audacious cyberattacks in recent years. In some cases, those attacks are acts of espionage, looking to sweep up as much intelligence as possible. In others, Russia is toying with psychological operations, teasing out their geopolitical goals. Just this week, the Department of Justice (DOJ) announced that a 2014 breach of Yahoo, which exposed more than 500 million email accounts, had actually been the work of Russian Federal Security Service (FSB) agents working with cybercriminals — one of the largest email breaches in history, targeting, the DOJ said, the email accounts of a small group of journalists, dissidents, and US government officials.
For years, the world’s top military leadership has been saying that cyberwarfare is simply warfare fought in today’s world. In pushing forward, Russia is testing the limits of what other countries will tolerate as acts of war and setting an example for countries around the world as to what can be accomplished with a military budget roughly one-tenth the size of the United States’.
The attack that blanketed Kiev in darkness took place almost a year to the day after the first known attack on an electrical system. In a cyberattack widely attributed to Russian state-sponsored hackers, dozens of power substations in the Ivano-Frankivsk region of Ukraine were disabled, shutting off power to nearly a quarter of a million people. Cybersecurity experts had long theorized that such an attack was possible, but assumed that few countries would be willing to launch such a blatant act of cyberwar for fear of retribution. Now, those same experts are studying the second such attack in 12 months, as it becomes increasingly clear that Russia is using its hackers to achieve key strategic goals — and push its adversaries around with impunity.
Russia's involvement in the most brazen attack on the US, the email breach of senior Democratic Party members, resulted in only minor sanctions on Russian officials and the expelling of 35 Russian diplomats (though the US claims that they are retaliating in other, unseen ways). “Look, we’re moving into a new era here where a number of countries have significant capacities,” Barack Obama, then president, said during a September 2016 appearance at the annual G20 summit in China, just after he had ordered US intelligence agencies to review foreign interference in the US election. Obama added that he had been in discussions with China, as well as Russia, on creating rules for cyberwarfare. “Our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past.”
“It’s not that the Russians are doing something others can’t do. It’s not as though, say, the US wouldn’t have the technical skill level to carry out those types of attacks. It’s that Russian hackers are willing to go there, to experiment and carry out attacks that other countries would back away from,” said one US intelligence officer currently involved in cyber ops, who asked not to be quoted by name due to the sensitivity of the subject. “It’s audacious, and reckless. They are testing things out in the field and refining them, and a lot of it is very, very messy and some is very smart.”
Cybersecurity experts generally agree that the countries with the largest and most sophisticated cyberwarfare capabilities are the United States, China, and Russia. Nance, who recently wrote The Plot to Hack America, a book examining Russia’s alleged interference in the 2016 election, compared US cyber operations to a precision bullet, handcrafted, repeatedly tested, and produced in duplicate before one is ever used in the field. The US, for example, targeted the centrifuges in an Iranian nuclear facility via Stuxnet, a virus likely built in conjunction with Israel, rather than use cyberattacks that attacked financial institutions or infrastructure that would have had widespread impacts on average Iranian citizens. China, while in some ways every bit as audacious and aggressive in its cyber ops as Russia, has thus far remained focused on economic gain, corporate cyber espionage, or the general type of intelligence gathering most countries take part in.
“Russia is using cyber weapons to try and achieve geopolitical goals,” said Nance. “And it is working.”
The December 2015 attack on the Ivano-Frankivsk region of Western Ukraine cut power to some regions for as long as six hours. The December 2016 one cast much of Kiev in darkness for roughly 75 minutes. Neither is known to have caused injuries or deaths, yet the attacks are still being studied by cybersecurity experts and government bodies across the world.
There are few cyberattacks that inspire as much fear among the general public, as much panic among lawmakers, as those on a country’s source of electricity. Hospitals suddenly left without the power to operate incubators for babies or life-support machines, airports blinded as pilots struggle to land, and major metropolises thrown into a literal pitch blackness are some of the doomsday scenarios that cybersecurity experts have painted if a coordinated attack were to one day be launched on a country’s source of electricity.
“The US is terrified of it,” said Rob Lee, a former cyberwarfare operations officer for the US Air Force and co-founder of Dragos Security, a security company that specializes in critical infrastructure. Lee was part of a team that investigated and produced a report on the 2015 attack on Ukraine’s power grid. “Although a lot of people don’t actually understand what an attack on a power grid means, or what can actually be achieved. There is a huge disconnect between what DC thinks can be done with a power grid and what can actually be done. The effects are more psychological than anything else.”
Even a sophisticated cyberattack would likely only take power out for a half hour to an hour, say cybersecurity experts, and many institutions, such as hospitals or airports, have backup generators and emergency plans in place were they to suddenly lose power.
Russia, say current US intelligence officers, knew the psychological impact even a short-term outage of Ukraine’s power grid would have on officials in the US and Europe, who know they are vulnerable to similar attacks. Four active US intelligence officers who agreed to speak to BuzzFeed News on condition of anonymity regarding the 2015 and 2016 attacks on Ukraine all used the term “game changer.”
“It’s not that the US can’t defend against it. It’s just that from our point of view, a foreign state being able to take down your power grid — even for 10 minutes — that’s a game changer,” said one of the officers, who like others asked for anonymity because they didn’t have permission to speak publicly about the topic. “That’s why we are studying what happened in Ukraine and trying to learn from it.”
The 2015 cyberattack on Ukraine was achieved by attacking a number of power substations, said Lee.
“About 70 substations were disconnected from the power grid. All of the attacks except one were malware-enabled,” said Lee, whose report details the steps taken by hackers in bringing down the power station. In all but one substation, hackers used spear-phishing emails (emails that appear innocent but include malicious links or malware) as an initial point of entry. It’s a method favored by Russian hackers, say cybersecurity researchers, who say spear-phishing emails were also used to get into the email accounts of senior members of the Democratic Party. In Ukraine, the hackers used the spear-phishing emails to trick computer users at the power stations into downloading a virus called BlackEnergy3.
It was the last substation, however, that was the most interesting, and the most frightening.
In that power station, which Ukrainian officials and cybersecurity researchers declined to name, hackers decided to test a much more complex method. They built a mirror image of the supervisory control and data acquisition system (SCADA), which is used to monitor and control equipment at facilities like power plants. Then, having created a perfect replica of the system being used at the station, they sent through commands that the system accepted as its own.
“Building their own SCADA environment is a complex and time-consuming endeavor,” Lee said. “We highlighted this, when we spoke to national level leaders, to say, ‘Look, this is a test. There is no operational reason to go through that much trouble, to conduct that level of espionage, to just do one substation this way.’” The hackers, it appeared, were testing a type of cyberattack that signaled that they not only had the technical expertise to replicate an entire SCADA system, but had conducted the type of cyber espionage on Ukraine where they could piece together the detailed plans of a single power station. “From a cybersecurity perspective, from an industrial control system, that singular attack scared more people than all the other substations that went offline.”
One year later, the 2016 attack that targeted Kiev showed all the fingerprints of being a similar type of SCADA attack.
“This is definitely a higher level — it's a transmission-level substation, not distribution-level substation,” Lee said. Attacks on transmission stations, he added, “are the kind of thing we worry about in the US.”
Ihor Huz, a member of the foreign affairs committee in Ukraine’s parliament, told BuzzFeed News there was no doubt that Russia was behind the most recent attack on the power grid. Russia has a long history of meddling in Ukraine, ranging from cutting off gas supplies to Ukraine to moving ground troops into the peninsula of Crimea. The attacks, Huz said, “will last as long as Russia will have the opportunity to support such interference.”
In the three months that have passed since the Kiev attack, cybersecurity experts have studied the methods that were used. Lee said there are few defenses against an opponent who dedicates that amount of time and effort to completely replicate a system. It represents the ideal type of attack for a country like Russia, as it requires very little overhead — other than the time involved in studying the target under attack and replicating it — and achieves maximum impact.
“The best you can do is get it back up quickly,” Lee said. “A power grid is one of the most complex systems ever designed. Attacking it absolutely helps hone your skills. … The message that was sent by taking down power grids was definitely heard in DC and in the White House.”
Headquarters of the FSB in Moscow.
Vasily Maximov / AFP / Getty Images