Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says

American intelligence agencies had been aware of the attacks for the past year and a half, and the Department of Homeland Security and the F.B.I. first issued urgent warnings to utility companies in June. On Thursday, both agencies offered new details as the Trump administration imposed sanctions on Russian individuals and organizations accused of election meddling and "malicious cyberattacks."

It was the third time in recent months that the White House, departing from its usual reluctance to publicly reveal intelligence, blamed foreign government forces for attacks on infrastructure in the United States.

In December, the White House said that North Korea had carried out the so-called WannaCry attack that hit Britain and many other countries. Last month, it accused Russia of being behind the NotPetya attack on Ukraine last June, the largest in a series of cyberattacks on Ukraine to date, which paralyzed government agencies and the country's financial systems.

But the sanctions have been light. So far, Trump has said little or nothing about Russia's role in those attacks.

The groups that carried out the energy attacks, which are linked to Russian intelligence agencies, appear to be different from the two hacking groups that took part in the election interference.

That would suggest that at least three separate Russian cyberoperations were running simultaneously. One focused on stealing documents from the Democratic National Committee and other political groups. Another, by a St. Petersburg "troll farm" known as the Internet Research Agency, used social media to sow discord and division. A third effort sought to penetrate the infrastructure of the United States and European nations.

For years, U.S. intelligence officials tracked several state-sponsored Russian hacking units as they successfully penetrated the computer networks of critical infrastructure operators in North America and Europe, including in Ukraine.


Some of the units worked within the Federal Security Service of Russia, the K.G.B. successor known by its Russian acronym, F.S.B.; others were integrated into the Russian military intelligence agency, known as G.R.U. Still others were formed by Russian contractors who worked at the behest of Moscow.

But the sanctions announced on Thursday marked the first time the United States officially named Russia as the perpetrator of the attacks.

Russian cyber attacks increased last year, beginning three months after Mr. Trump took office.

U.S. officials and private cybersecurity experts uncovered a series of Russian attacks targeting the energy, water and aviation sectors and critical manufacturing, including nuclear power plants, in the United States and Europe. In their urgent report in June, the Department of Homeland Security and the F.B.I. notified operators of the attacks but did not identify Russia as the culprit.

By then, Russian spies had compromised the business networks of several U.S. electric, water and nuclear plants, mapping out their corporate structures and computer networks. These included the Wolf Creek Nuclear Operating Corporation, which runs a nuclear plant near Burlington, Kan.

In the case of Wolf Creek and other nuclear operators, however, the Russian hackers had not jumped from the companies' business networks to the plant controls. Forensic analysis suggested that the Russian spies were looking for inroads, although it was not clear whether the objective was espionage, sabotage or triggering an explosion of some kind.

In a report released in October, the security company Symantec noted that a Russian hacking unit "appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so."

The United States sometimes does the same. It penetrated Iran's infrastructure before the 2015 nuclear agreement, placing digital "implants" in systems that would allow it to take down power grids, command-and-control systems and other infrastructure in the event of a conflict. The operation was code-named "Nitro Zeus," and its revelation made clear that getting into adversaries' critical infrastructure is now a standard element of preparing for a possible conflict.

The Russians have gone further.

In an updated warning to utility companies on Thursday, Homeland Security officials included a screenshot taken by Russian operatives that demonstrated they could now gain access to their victims' critical controls.


"We now have evidence that they are sitting on the machines, connected to the industrial control infrastructure, which allows them to effectively turn off the power or effect sabotage," said Eric Chien, a security director at Symantec.

"As far as we can see, they were there. They have the ability to turn off the power. The only thing missing is some political motivation," Chien said.

U.S. officials and security companies, including Symantec and CrowdStrike, believe that the Russian attacks on the Ukrainian power grid in 2015 and 2016, which left more than 200,000 citizens there in the dark, are an ominous sign of what Russian cyberattacks could augur in the United States and Europe in the event of intensified hostilities.

Private security firms have tracked Russian government attacks on Western energy operators, under the names DragonFly, Energetic Bear and Berserk Bear, since 2011, when they began targeting defense and aviation companies in the United States and Canada.

By 2013, researchers had linked Russian hackers to hundreds of attacks on power grid and oil and gas pipeline operators in the United States and Europe. The attacks appeared to be motivated by industrial espionage, a natural conclusion at the time, the researchers said, given the importance of Russia's oil and gas industry.

But by December 2015, the Russian hackers had taken an aggressive turn. The attacks were no longer aimed at gathering intelligence, but at sabotaging or shutting down plant operations.

At Symantec, researchers discovered that the Russian hackers had begun taking screenshots of the machinery used in power and nuclear plants and stealing detailed descriptions of how it worked, suggesting they were conducting reconnaissance for a future attack.

When the US government enacted the sanctions on Thursday, cybersecurity experts were still questioning where the Russian attacks could lead, given that the United States was sure to respond in kind.


"Russia certainly has the technical capability to do damage, as demonstrated in Ukraine," said Eric Cornelius, a cybersecurity expert at Cylance, a private security company, who previously assessed critical infrastructure threats for the Department of Homeland Security during the Obama administration.

"It is unclear what their perceived benefit would be from causing damage on U.S. soil, especially given the retaliation it would provoke," Cornelius said.

Although it is a big step toward deterrence, publicly naming countries accused of cyberattacks still may not shame them into stopping. The United States is struggling to provide proportional responses to the wide variety of cyberespionage, vandalism and outright attacks.

Lt. Gen. Paul Nakasone, who has been nominated as director of the National Security Agency and commander of United States Cyber Command, the military's cyberwarfare unit, said during his Senate confirmation hearing this month that the countries attacking the United States so far have had little to worry about.

"I would say right now they do not think much will happen to them," General Nakasone said. He later added: "They don't fear us."
