The US was ramping up alleged digital attacks on Russia’s power grid “in a warning to President Vladimir V. Putin,” the NYT reported, citing mostly anonymous current and former government officials.
According to the outlet, interviews conducted over the last three months described a previously unreported deployment of US computer code inside Russia’s power grid and other targets. The alleged move was a classified accompaniment to more publicly discussed action directed at Moscow’s alleged hacking and disinformation attempts surrounding the US 2018 midterm elections.
Anonymous advocates of the alleged strategy said that it had been long overdue after years of warnings from the Department of Homeland Security and the FBI that Russia had allegedly inserted malware that could sabotage American power plants, oil and gas pipelines, or water supplies in any future conflict with the United States.
These moves could escalate the “daily digital Cold War between Washington and Moscow.”
The Trump administration refused to provide any details on what the US Cyber Command, with its new authorities, is undertaking.
On June 11th, US National Security Adviser, John Bolton, said the US was now taking a broader view of potential digital targets as part of an effort “to say to Russia, or anybody else that’s engaged in cyberoperations against us, ‘You will pay a price.’”
The unnamed officials claimed that since “at least 2012,” the US has been putting reconnaissance probes into the control systems of the Russian electricity grid.
Now the game has allegedly changed, with the US going on the offensive and placing potentially crippling malware inside the Russian system “at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.”
The commander of US Cyber Command, Gen. Paul Nakasone, is a hawk, quite vocal about the need to “defend forward” deep in an adversary’s networks, simply to demonstrate that the US would respond to online attacks aimed at it.
In an undisclosed document, National Security Presidential Memorandum 13, US President Donald Trump in summer 2018 gave new authorities to US Cyber Command. Specifically, these allow General Nakasone’s unit to conduct offensive operations without presidential approval.
But the action inside the Russian electric grid appears to have been conducted under different new legal authorities, introduced with the military authorization bill passed by Congress in 2018.
The provision approved the routine conduct of “clandestine military activity” in cyberspace, to “deter, safeguard or defend against attacks or malicious cyberactivities against the United States.”
Under the law, those actions can now be authorized by the defense secretary without special presidential approval.
One anonymous intelligence official claimed that the effort had become much more aggressive over the past year.
“It has gotten far, far more aggressive over the past year. We are doing things at a scale that we never contemplated a few years ago.”
There is no official confirmation of the operation, nor of the depth the alleged US malware is said to have reached.
Both General Nakasone and Mr. Bolton, through spokesmen, declined to answer questions about the incursions into Russia’s grid.
On June 11th, Bolton further said that “We thought the response in cyberspace against electoral meddling was the highest priority last year, and so that’s what we focused on. But we’re now opening the aperture, broadening the areas we’re prepared to act in.”
“We will impose costs on you until you get the point.”
Two unnamed administration officials said that Trump hadn’t been briefed at all on the alleged steps to place probes in Russia’s power grid.
Department of Defense and intelligence officials are allegedly wary of sharing information such as this with Trump, because he might ask that actions against Russia not be undertaken, or discuss them with foreign officials, as when he mentioned a sensitive Syrian operation to Russian Foreign Minister Sergey Lavrov in 2017.
The anonymous sources offered two separate views of the operation’s purpose:
- A signal to Russia;
- Priming the US for a possible response if “Putin became more aggressive.”
“It’s 21st-century gunboat diplomacy,” said Robert Chesney, a law professor at the University of Texas, who has written extensively about the shifting legal basis for digital operations. “We’re showing the adversary we can inflict serious costs without actually doing much. We used to park ships within sight of the shore. Now, perhaps, we get access to key systems like the electric grid.”
Separately, or maybe not, the Xenotime hacker group appears to be probing the US power grid.
Security firm Dragos said that Xenotime has been performing network scans and reconnaissance on multiple components across the electric grids in the US and in other regions. Sergio Caltagirone, senior VP of threat intelligence at Dragos, told Ars his firm has detected dozens of utilities—about 20 of them located in the US—that have been subjected to Xenotime probes since late 2018.
“The threat has proliferated and is now targeting the US and Asia Pacific electric utilities, which means that we are no longer safe thinking that the threat to our electric utilities is understood or stable,” he said in an interview. “This is the first signal that threats are proliferating across sectors, which means that now we can’t be certain that a threat to one sector will stay in that sector and won’t cross over.”
“The scale of the operation, the number targeted and the regions being targeted,” Caltagirone said, “shows more than just a passing interest in the sector.”
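Dragos describes Xenotime’s activity as network scans and reconnaissance against grid components. As an added illustration of how a utility’s own perimeter logs can surface that kind of probing (example code written for this page, not Dragos’ detection logic), the script below parses constructed firewall log lines and flags any source address that touches several distinct industrial-protocol endpoints within a short window. The log format, the port table and the addresses are assumptions of the example, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known ICS/SCADA protocol ports. Which of these matter at a given
# utility's perimeter is an assumption of this example; the page names none.
ICS_PORTS = {
    102: "S7comm/ISO-TSAP",
    502: "Modbus/TCP",
    1502: "TriStation (Triconex)",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}

# Constructed firewall log lines for the example (not real traffic).
SAMPLE_LOG = """\
2019-01-14T02:10:01Z deny src=203.0.113.7 dst=10.20.0.5 proto=tcp dport=502
2019-01-14T02:10:03Z deny src=203.0.113.7 dst=10.20.0.6 proto=tcp dport=502
2019-01-14T02:10:04Z deny src=203.0.113.7 dst=10.20.0.7 proto=tcp dport=20000
2019-01-14T02:10:09Z deny src=203.0.113.7 dst=10.20.0.8 proto=tcp dport=102
2019-01-14T02:10:12Z deny src=203.0.113.7 dst=10.20.0.9 proto=tcp dport=44818
2019-01-14T02:11:40Z allow src=198.51.100.22 dst=10.20.0.5 proto=tcp dport=443
2019-01-14T03:30:00Z deny src=198.51.100.22 dst=10.20.0.5 proto=tcp dport=502
"""

# Assumed key=value log layout; adjust the pattern to the real firewall format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def find_ics_recon(events, window=timedelta(minutes=5), min_targets=3):
    """Flag sources that hit ICS ports on at least min_targets distinct
    (host, port) pairs inside a sliding time window. Returns a dict of
    src -> sorted list of (dst, dport, protocol name) for every ICS
    endpoint that source touched."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] in ICS_PORTS:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            if len(in_window) >= min_targets:
                all_targets = {(e["dst"], e["dport"]) for e in evs}
                alerts[src] = sorted((d, p, ICS_PORTS[p]) for d, p in all_targets)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in find_ics_recon(parse_log(SAMPLE_LOG)).items():
        print(f"possible ICS reconnaissance from {src}:")
        for dst, port, name in targets:
            print(f"  {dst}:{port} ({name})")
```

The threshold of three distinct endpoints in five minutes is deliberately low so the constructed sample triggers; in production the window and threshold should be tuned against a baseline of legitimate engineering-workstation traffic, and denied connections to ICS ports from outside the control network are worth alerting on even singly.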
Xenotime’s first reported attack happened in March 2018; it targeted Saudi Arabia’s Petro Rabigh oil refinery and a safety instrumented system (SIS) product line known as Triconex, made by Schneider Electric. An analysis of the Triton malware showed that its developers had performed extensive reverse engineering of the product.
It is unclear who Xenotime is and where it operates from, but FireEye assessed that the malware that attacked the Saudi refinery was highly likely developed with the help of the Central Scientific Research Institute of Chemistry and Mechanics in Moscow.
Russia has been tied to other critical infrastructure attacks, including one in December 2015 on regional power authorities in Ukraine that left hundreds of thousands of people in the Ivano-Frankivsk region of Ukraine without electricity.
That alleged attack represented the first known hacker-caused power outage. And almost exactly one year later, a second hack allegedly tied to Russia took out power in Ukraine again.