On 23 December 2015, a major power cut in the Ivano-Frankivsk region of Western Ukraine caused 230,000 residents to descend into darkness. The outage lasted for less than six hours but its significance was to resonate far longer.
The blackout marked the first ever cyber attack to successfully take down a power grid and followed months of hackers covertly carrying out reconnaissance of the network's control systems. Two and a half years later, the threat of further attacks continues to hum over electrical infrastructure around the world, with computer experts warning that similar attacks on Western infrastructure would put lives at risk.
The latest hacking victim is the US, with a Department of Homeland Security (DHS) official disclosing this week that control rooms of electrical utilities had been infiltrated by hackers working for Russia – the same country Ukraine blamed for the 2015 attacks.
An analyst at the agency said the hackers claimed “hundreds of victims” and had the potential to cause blackouts across the country last year, according to The Wall Street Journal, which first reported the claims from a federal briefing. It is not the first time the US has accused Russia of carrying out a hacking campaign against critical infrastructure: a joint report by the FBI and DHS in March also alleged Russian-backed intrusion.
Russia has denied the Ukraine attacks, as well as the claims by the US, and no proof has been offered by either victim to fully implicate Russia. But regardless of the source of the attacks, computer experts have largely dismissed the possibility of an immediate threat, as suggested in the most recent report.
Robert Lee, a former National Security Agency (NSA) cyber expert who was consulted during the investigation into the 2015 Ukraine attacks, says that language such as “blackouts” misrepresents what happened during the intrusions into the US power grid.
“What we observed between 2016 and 2017, which is the time period the DHS is referring to, was essentially reconnaissance,” Lee, who now works as the head of the cyber security firm Dragos, tells The Independent. “The adversaries were stealing sensitive information such as screenshots of sensitive screens and components in the industrial networks. It was alarming but would not have resulted in blackouts or the scenarios being described.”
The type of information gathered is useful for hackers in the preliminary stages of developing such attacks, and officials fear that attacks on Ukraine systems may have served as a dry run for a much more severe attack on the US.
Cyber warfare has become another attack vector for nation states beyond the traditional air, land and sea routes of conflict. The pervasiveness of the internet and the reliance on web-connected systems mean this type of activity is “simply the new reality” for interconnected societies, according to Ross Rustici, a senior director at Boston-based cyber security firm Cybereason.
The approach has the benefit of being secretive, destructive and incredibly disruptive – all at a fraction of the cost of traditional warfare. Beyond power grids, hackers could inflict huge damage to sewage and water treatment systems, industrial chemical production plants, or even transportation systems.
Access to control systems could allow hackers to not simply shut down critical infrastructure, but cause physical damage – from causing explosions by overloading power plants, to flooding cities with sewage by reversing pumps.
“These systems are poorly defended and have the largest capacity for real world effects,” Rustici tells The Independent. He warns: “The next true interstate war will include these types of actions and right now there isn’t a single country that has sufficient defences to prevent a determined adversary from being successful.”
Ofer Maor, director of solutions management at Synopsys, adds: “It is hard to set a limit on the potential damage hacking industrial control systems can lead to... Imagining an attack that causes a blackout is simple, but imagine a case where a vulnerability in a power plant’s control system can be used to bypass load limitations, driving the power plant to work overtime, leading to an explosion, or reversing a sewer pump to overflow sewers across an entire city.”
It is an issue that global cyber security consultancy firm Coalfire has been monitoring, with the company’s UK managing director saying that this end goal may well have been the motivation of the hackers.
“It’s impossible to rule out cyber warfare, given that it’s hands-down a more cost effective theatre of battle,” Barratt tells The Independent. “Nation states or other organisations no longer need to deploy a nuclear sub to a country’s coastline when they can either take down sections of its energy grid, or worse, override safety features and cause explosions or other damage within production plants.”
The other possibility is that commercial cyber criminals were behind the attacks, looking to profit from the information gathered either by extorting the victims or by selling it as actionable intelligence to more dangerous threat actors through black markets on the dark web.
It is within these shady forums that hackers backed by nation states could obtain such information in order to inflict serious harm on rival states through coordinated attacks on critical infrastructure.
“Whether it’s power grids or other vital infrastructure, these systems are a matter of life and death and you don’t need a wild imagination for attacks on them to start sounding like the plot of a Hollywood blockbuster,” Barratt says. “If these were attacked, the reality could be very severe. Lives would be at risk.”
But what are Russia’s intentions? Disruption and doubt have frequently been weapons deployed by the Kremlin against the US, though they come in a myriad of guises: from Twitter bots aimed at amplifying Donald Trump’s presidential campaign, to Vladimir Putin’s dismissal of US diplomats from Moscow.
This strategy is part of a theory of modern warfare first laid out in 2013 by General Valery Gerasimov, chief of staff of the Russian Armed Forces. In a 2,000-word article published in a military trade magazine, Gerasimov described a change in doctrine from large-scale traditional warfare to a hybrid, “asymmetrical” approach that effectively hacks an enemy’s society rather than carrying out a direct physical attack.
“Long-distance, contactless actions against the enemy are becoming the main means of achieving combat and operational goals,” Gerasimov wrote. “The very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”
Gerasimov’s article was published just one year before cyber security researchers first outlined the mysterious Fancy Bears hacking group, which some analysts have since linked to Russia’s intelligence services. In the years since, some of the most high-profile cyber attacks have been linked to the group, targeting everyone from the White House, to French television, to the World Anti-Doping Agency.
The infiltration of US systems by Russian hackers may not even necessarily be a precursor to further attacks. One interpretation of the Gerasimov doctrine would be that the mere knowledge of hackers within such systems creates enough disruption and doubt for it to be a method of warfare in itself.
“It seems safe to assume that even temporary disruption of critical national infrastructure, such as electricity and gas supplies, could have significant and debilitating economic effects,” Luke Somerville, head of special investigations at cyber security firm Forcepoint, tells The Independent. “This is the case even if it’s not combined with more ‘traditional’ forms of warfare.”
But beyond Ukraine, and despite the presence of nefarious hackers within critical infrastructure systems, Cybereason director Rustici estimates that squirrels cause more power disruptions than hacking.
Whether a serious attack is imminent is a matter only intelligence services are likely to know for sure, though experts warn that any major attack would either precede or be part of an all-out war between nations.
“The likelihood of this type of activity causing a major disruption is very low,” Rustici says. “This is a capability that a country should only contemplate using in times of war because there is no walking back from this type of action.”