The Biden administration continues to be on alert for potential Russian criminal or state-backed cyberattacks against critical infrastructure targets in the US – a posture that Washington assumed months ago but that has grown more acute since Russia invaded Ukraine.
The US is “very much on guard” for potential Russian cyberattacks in light of the war, Secretary of State Antony Blinken said Wednesday, adding that the Biden administration had been working to harden the defenses of US organizations and those in Ukraine.
Blinken was referring to months of quiet preparation for Russian hacking capabilities – through classified briefings and closed-door exercises – that have gone on between the Biden administration and US critical infrastructure firms.
US officials continue to say there are “no specific, credible” threats to the US homeland tied to tensions with Russia over Ukraine. But they want US businesses to be mindful that ransomware gangs – or Russian state-backed hackers – could get more aggressive as US relations with Russia hit their lowest point since the Cold War.
“We remain concerned that Russian cybercriminals will target US critical infrastructure with ransomware attacks either in support of the Russian government or to take advantage of the even more permissive operating environment inside Russia,” senior FBI cyber official Cynthia Kaiser told state and local government officials during a call on Tuesday, sources on the call told CNN.
The phone briefing was just the latest in a regular series of calls that the FBI and Department of Homeland Security have held for local government agencies and private firms to remind them to stay vigilant for digital threats.
Kaiser cited a declaration of support for the Kremlin that a prominent Russian-speaking ransomware gang made on Friday amid the war in Ukraine. The hackers later amended their statement, claiming they don’t support any government, but their threat to retaliate against US infrastructure has resonated with US officials.
Regardless of whether Russia-aligned hackers do anything impactful, US officials hope that the extra drilling and risk assessments can make US critical infrastructure firms more secure in the medium term. And it builds on years of work the electric sector and other critical industries have done to become more resilient to physical and hacking threats.
“If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond,” US President Joe Biden said last Thursday in denouncing Russia’s invasion of Ukraine.
Within hours of Biden’s speech, the Transportation Security Administration held an exercise with hundreds of US pipeline companies, testing how they would respond to “a scenario of escalating cyber threats as a result of geopolitical tensions,” Jake Rubin, a spokesperson for the American Gas Association, a trade group that helped draw up the exercise, told CNN.
Before the Ukraine crisis, the White House had encouraged US electric utilities serving tens of millions of customers to adopt more cyber defensive tools – the first in a series of “100-day plans” to try to improve cybersecurity in key sectors.
That work came about, in part, because US officials weren’t seeing enough investment in threat-detection capabilities for industrial control systems, which firms use to deliver key commodities like fuel, Mark Bristow, a CISA official, said on a February 14 webinar.
Simply trading data on threats – rather than having a fuller picture of what hacking groups are trying to do – “isn’t going to help” in scenarios when “adversaries are using their A game,” Bristow said.
Now, the National Security Agency and US Cybersecurity and Infrastructure Security Agency are drawing on intelligence from those sensors to track hacking threats.
The idea is that the NSA can pass along intelligence indicating that, for example, a foreign hacking group is probing for vulnerabilities in electric equipment, said Robert M. Lee, CEO of cybersecurity firm Dragos, whose technology has been adopted by some of the utilities.
A reminder of the potential threat came in December, as Russia continued to mass troops along Ukraine’s border in the lead-up to the invasion.
That month, a hacking group that caused a Saudi petrochemical plant to shut down in 2017 had probed the computer networks of US electric utilities that operate liquefied natural gas facilities, cybersecurity researchers previously told CNN. The Treasury Department in 2020 sanctioned a Russian government institute for its alleged involvement in the 2017 incident.
The probing of US utilities in December did not lead to any compromises, but it underscored what’s at stake in the fight to secure American infrastructure – and the progress operators are making in having better visibility of those threats.
“It’s a bit of a cat and mouse team because we constantly need to evolve those things to keep up with the latest techniques that the adversaries are using,” said Manny Cancel, who heads the Electricity Information Sharing and Analysis Center, a threat-sharing hub for North American utilities.
CNN’s Zachary Cohen contributed to this story.