29 March 2018 (Amsterdam, The Netherlands) – On June 13, 2017, Attorney General Jeff Sessions testified to the Senate Intelligence committee about Russian interference in the 2016 presidential election. After fielding hours of questions about his knowledge of the plot, Sessions was greeted by an abrupt change in topic from Senator John McCain. “Quietly, the Kremlin has been trying to map the United States telecommunications infrastructure,” McCain announced, and described a series of alarming moves, including Russian spies monitoring the fiber optic network in Kansas and Russia’s creation of “a cyber weapon that can disrupt the United States power grids and telecommunications infrastructure.”When McCain asked if Sessions or the government had a strategy to counter Russia’s attacks, Sessions admitted they did not.
In a normal year, McCain’s inquiries about documented, dangerous threats to U.S. infrastructure would have dominated the news. His concerns are well founded: in recent years, Ukraine’s power grid has been repeatedly hacked in what cybersecurity experts believe was part a test run for the United States. Russian hackers have also hacked many centers of U.S. power, including the State Department, the White House, and everyone with a Yahoo email address in 2014, the Department of Defense in 2015, and, of course, the Democratic National Committee, Republican National Committee, state and local voter databases, and personal email accounts of various US officials in 2016.
But in the summer of 2017 the role of hacks in the 2016 election was the media firestorm (much as the media firestorm today is over Facebook and Cambridge Analytica). The hacks of other U.S. institutions and infrastructures have been largely ignored by the Trump administration, even as the hacking became more aggressive throughout 2017, and into 2018.
NOTE TO READERS: my series on Facebook/Cambridge Analytica will continue with Part 4 next week which is a dive into the software code and technology processes at work. You can read Parts 1, 2 and 3 by clicking here.
Just this past week alone we have seen these U.S. infrastructure attacks:
- * Atlanta city services paralyzed due to ransomware attack
- * Baltimore 911 dispatch system hacked
- * Boeing hit by serious virus, metastasizing quickly
“The Russian cyber attacks on critical infrastructure: an example” …
The government’s attention did change a bit a few weeks ago when the U.S. Department of Homeland Security and the FBI warned that the so-called “Dragonfly” hackers (more on Dragonfly in Part 3) were linked to the government of Russia and were engaged in a “multi-stage intrusion campaign” against U.S. critical infrastructure, including the energy, nuclear, aviation and manufacturing sectors. In a joint Technical Alert, the two agencies said that the campaign dates back to “at least” March 2016 and involves multiple U.S. critical infrastructure sectors. Firms were targeted with spear phishing emails, watering-hole web site attacks and more, with hackers compromising and then conducting reconnaissance on victims’ networks.
The announcement came on the same day that the U.S. Treasury Department announced expanded sanctions on Russian “cyber actors” for attacks on the U.S. 2016 elections and other cyber attacks including the release of the NotPetya malware in June 2017, an act that both the U.S. and U.K. governments attributed to Russia.
Upon detailed investigation it would later become clear that these attacks were multifaceted and had been planned far in advance. Preparation included, among other things:
- detailed reconnaissance to understand a power grid system’s management software
- theft of log-in credentials of worker working from home
- writing of specific firmware (that is, hard-coded) updates for the remote-operated breakers that would render them unusable, and
- a possible use of denial-of-service attacks that could effectively disable the customer service center and prevented customers from reporting outages and therefore hampered
Although not used in this case, the Russians often use a technique that completely wipes out the victim’s computers, rendering them unusable in the future.
Last year at the Ukraine cybersecurity event I noted above, I was told it took just twenty-one lines of code to physically destroy a power generator (since such time the lines of necessary code have been reduced) and the Russian attackers can easily undertake something similar if they had wanted to be more efficient and less visible.
But they don’t. According to David Grout of FireEye, the purpose of many attacks are often pure messaging: the attackers want to be seen and identified and do not really want to inflict catastrophic long-lasting damage. I have a video interview with David posting in a few weeks, a literal “masterclass” in understanding cybersecurity.
And in the case of the U.S. attacks as noted in many public media sources, the Russians use a malware called BlackEnergy which has been found all over the U.S. power grids and long been suspected as being a pre-deployed Russian cyber weapon hiding in place to be used against the U.S. in case of hostilities. When I researched the Ukraine cyberattack from a few years ago that resulted in a country-wide electrical blackout, I found a statement from Admiral Michael Rogers, then head of the NSA and USCYBERCOM, who noted an attack on the U.S. power grid was not a “doom and gloom possibility, but an eventuality. They can do it.”
“And it is not just power grids, telecommunication grids and the like” …
Dana Tamir noted the following:
When we buy groceries at the supermarket, most of us check the ingredients and expiration dates of packaged goods. But how can we be sure that the products we bring home are safe to eat and drink? Naturally, food and beverage [F&B] manufacturers have a vested interest in ensuring the quality and safety of their products. The impact of a tainted product reaching the market can be devastating, both in terms of public health and brand reputation. In fact, recent FDA rules require companies to implement mitigation strategies aimed at protecting food against intentional adulteration.
What she is addressing is the fact that food safety can be compromised by various sources, from disgruntled employees to politically-motivated sabotage and even acts of terrorism. Cyber threats aimed at F&B companies’ Industrial Control Systems (ICS) networks also pose a risk to manufacturing processes and can lead to a wide range of food safety and operational issues. Unfortunately, most F&B companies’ cyber security strategies overlook the risks to their industrial control processes.
Cyber security goes beyond IT security and segmentation of industrial networks – it must also protect the ICS that are at the heart of the F&B manufacturing processes. These systems control production quality and recipe execution, like the mix of ingredients and temperatures at which the food is processed and stored prior to shipping. There have been known unauthorized changes to an ICS controller – due to a sophisticated cyber attack – that controls the production of products and the price of such a successful attack would be enormous.
But the real Russian goal of cyberattack is not technical … it’s psychological! …
While the Ukraine attack I noted above was only somewhat successful as a cyberattack, as an act of information warfare it was enormously effective. And information warfare has always been the dominant Russian interest in the cyber domain. Some perspective from Alexander Klimburg in his book The Darkening Web :
Soviet computer systems nearly played a decisive role in world history. Already in the 1940’s, Soviet engineers had begun to make significant strides in computer science, and by the early 1970s some part of Soviet computing were equal to or even better than their US counterparts. Russian programmers have for decades played vital roles in the development of computing in general. Topcoder.com, a community Web site, has consistently ranked Russia the first nation worldwide in terms of providing sophisticated coders (with China second, Ukraine fifth, and the US only sixth). Indeed, brilliant Russian coders have a reputation of having helped build Silicon Valley.
The Soviet in-depth consideration of “cyber” was markedly different from the western approach to network systems. On its surface, the Russian interest in kibernetika, or “cybernetics”, was heavily informed by the writings of American mathematician who first coined the term. Norbert Wiener’s work was largely ignored in the US for decades many having perceived cybernetics as a minor branch of general system theory. Not so in the Soviet Union, where Wiener was celebrated as a philosopher of renown, somewhere between Gramsci and Hegel. As an MIT colleague once put it, “Wiener is the only man I know who conquered Russia, and single-handed at that”. The influence that Wiener’s cybernetics revolution had on post-Stalinist Russia is simply astonishing.
Alexander’s book is a “must read”. Next week I will post our video interview with him, and our video interview with John Frank of Microsoft, both of whom addressed these issues at the International Cybersecurity Forum in Lille, France.
And I will have more on Norbert Weiner in Part 3, but suffice it to say that unlike Western military concepts of psychological operations, which viewed psychological warfare as a tactical and operational tool, the Soviets saw it as something that could influence the very theater of operations, as well as the politics. From the Soviet perspective, a war could be waged and won — without the other side’s knowing that war had been declared.
But we knew all of this … and many did not pay attention!
Russia’s view of the importance of information as a weapon was made clear in 2000, with the publication of the Information Security Doctrine. In this key document (I have an English translation) the presumed Kremlin authors clearly outlined two types of “informational” attacks, technical and psychological:
- Technical attacks include hacking, electronic warfare, and other activities most Westerners would associate with cyber operations.
- But more important are psychological attacks : the document repeatedly cites “foreign propaganda” – which can also work through inner Russian “agents” – as a threat to the “spiritual renewal of Russia”. Other threats to the nation’s well-being include “uncontrolled expansion of the foreign media sector in the national information space” as well as the activities of journalists, NGOs, and even missionaries and religious institutions.
It is interesting to note that the word “media” appears in the document exactly twenty-three times. It is conceived as a strategic asset in favor of Russian policy – a strategic weapon that should also “explain to foreign audiences the goals and major thrust areas in the Russian Federation’s state policy and its view of socially significant events in Russian and international life”. Time and time again, the document references the threats of disinformation and covert information influence and the consequences that they could have.
And it tracks the “guidebooks” used by the Russian disinformation cybernauts that define their work as:
designed … to drive wedges in the Western community alliances of all sorts, particularly NATO, to sow discord among allies to weaken the US in the eyes of the people in Europe, Asia, Africa, Latin America, and thus to prepare ground in case the war really occurs.
The most common subcategory of active measures is dezinformatsiya or “disinformation”: feverish, if believable lies cooked up by Moscow Centre and planted in friendly media outlets to make democratic nations look sinister.
Russia has spent decades tinkering with doctrines related to “information warfare”. I will close this Part with a fascinating presentation made in in 1997 by Vladimir Markomenko, then deputy director of FAPSI (then the signals intelligence agency and NSA equivalent) and outlined in Klimburg’s book. Markomenko defined the Russian view of “information war” along four dimensions:
- information warfare-electronic warfare
- intelligence
- hacker warfare, and
- psychological warfare
All were put on display in Russia’s conflict in Ukraine nearly twenty years later. We are going to come back to Markomenko’s presentation and the Ukraine attack in Part 3. But next, in Part 2, a brief history of Russian cyber war development
Make no mistake. What we have here is clearly cyber-espionage of the most sophisticated variety.