In the winter of 2015, computer hackers working for the Russian government attacked Ukraine’s power grid and switched off the lights and heat to more than 200,000 consumers.
Last year, a cybercriminal group with operatives in Russia launched a successful ransomware attack on a key East Coast pipeline that forced the company, Colonial Pipeline, to temporarily close the spigot and pay 75 bitcoins – or $4.4 million – to bring it back online. It was the largest cyberattack on an oil facility in US history.
And it was a Russian government lab that built tools used in one of the most dangerous cyber offensives in the history of the digital age, penetrating the control systems of a Saudi petrochemical plant in 2017 for the purpose of setting off an explosion that, had it succeeded, could have killed people.
So established is Russia’s reputation for cyber sabotage that on February 24 – as its troops began rolling into Ukraine – President Joe Biden issued a warning to the country and its autocratic leader, Vladimir Putin.
“If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond,” he said during remarks from the White House.
But now, even as the Russian army drops bombs and mortar shells on civilians in hospitals and neighborhoods and its invasion of Ukraine nears its fourth week, no known nightmare cyber scenario — a widespread power outage, a poisoned water system, a crippled supply chain – has come to pass in Ukraine, the US or elsewhere.
To be sure, a ripple of smaller cyberattacks ricocheted through the websites of Ukrainian banks and government agencies just before the invasion, and larger attacks may still be in store for the besieged country of 43 million people.
But the general consensus among the nearly 20 experts who spoke with CNN for this story is that while Russia is well positioned to launch catastrophic cyberattacks on the US, it is not likely to do so.
“We do need to consider this possibility as a low probability but high-impact scenario,” said Paul Prudhomme, the head of threat intelligence advisory at the cybersecurity firm IntSights.
The prospects for a grand-scale cyberattack in America are low, experts say. For one, Putin understands that his country’s cyber capabilities, though formidable, are outmatched by those of the United States, which is generally thought to be the most sophisticated player in the domain.
The federal Cybersecurity and Infrastructure Security Agency told CNN it hasn’t yet received any credible cyber threats resulting from the conflict in Ukraine, but it emphasized that the energy sector has been bolstering its defenses in recent years and is on high alert as it urgently prepares for any attempted breach.
Experts say Russia’s ability to conduct an impactful cyberattack in the US shouldn’t be underestimated.
“If we look at just what they’ve been able to do, there is only, according to public knowledge, one country out there that has any experience taking down electric systems – that’s Russia,” said Robert M. Lee, a cybersecurity expert who investigated the 2015 attack in Ukraine.
Testing the waters
Cyberattacks against the US by Russia are more than merely possible – they’ve been happening for years on a low-grade scale.
The country has been testing the waters in the US, laying the groundwork, experts say, for a much more extensive cyber campaign.
For instance, in 2018, the Department of Homeland Security revealed that a group of state-sponsored hackers from Russia had compromised the networks of multiple US electric utilities the year prior and allowed intruders to gather detailed information on the control systems that US electric utilities use to power American communities.
That same year, the Department of Justice announced the indictments of 12 Russian intelligence officers for carrying out large-scale cyber operations against the Democratic Party in advance of the 2016 presidential election.
Then, in late 2020, came the most advanced cyber-op yet: About 100 organizations around the world – including multiple US government agencies – were revealed to have been breached by Russian hackers who compromised the software provider SolarWinds and exploited their access to monitor internal operations and withdraw data.
Putin has been systematically testing vulnerabilities in Europe and the US for the past four years, and is in a position to cause all sorts of economy-crushing problems, experts say.
“They know how to weaponize these things – they’ve done it,” said Melissa Hathaway, who led cybersecurity initiatives in the presidential administrations of George W. Bush and Barack Obama. “If I need to cause a national crisis in another country, they know how to do this, they’ve systematically been testing the system.”
Prudhomme said a stealthy Russian hacking group called Energetic Bear – which has been tied to Moscow’s Federal Security Service, or FSB – is the most likely Russian third-party, state-sponsored actor to execute any high-level attack.
The group, which industry analysts refer to by several aliases, including “Dragonfly” and “Berserk Bear,” has carried out a number of successful hacks in recent years. In 2017, it targeted a nuclear power plant in Kansas in what cybersecurity experts refer to as a “watering hole”-type attack – a practice where hackers place malicious links on websites frequently visited by employees.
“The group has a history of gaining access and maintaining access to US and European utility companies, but they don’t do anything with it,” Prudhomme said. “They want to have that access ready at a moment’s notice so, if and when they get the order on demand, they can flip the switch.”
In 2020, another state-sponsored Russian group identified by analysts as Cozy Bear, believed to be within Russia’s Foreign Intelligence Service, or SVR, likely orchestrated the SolarWinds hack. US officials said the group used SolarWinds software to breach internal email systems at the US Treasury and Commerce departments, among other key agencies, in what was one of the largest-ever cyber attacks.
But it’s a two-way street. Experts say that while it’s true Russians are lurking in the software of various structural areas, Americans are also lurking in theirs.
It’s the “cyber equivalent of mutually assured destruction,” said Karen Walsh, CEO of a cybersecurity firm called Allegro Solutions, using a term that historically described a philosophy of deterrence during the nuclear standoff of the Cold War.
And the Americans, experts say, are currently the more capable threat.
While Russian cyberattacks tend to attract headlines, experts told CNN, the most sophisticated hacks are often carried out in a more professionalized manner by countries such as the US and Israel, which are good at hiding their tracks. One secret operation that spilled into public view in 2010 was known as Stuxnet, in which the US and Israel are widely believed to have jointly sabotaged a nuclear facility in Iran with a computer virus that temporarily hampered the country’s nuclear program.
Putin, experts say, understands the extent of this sophistication and is likely loath to poke the bear.
“He seems to recognize that that’s a different level of escalation,” Timothy Frye, Columbia professor and author of “Weak Strongman: The Limits of Power in Putin’s Russia,” said of a crippling cyberattack on a major electric utility in the US or another NATO country. “That might be part of the calculations as well.”
Still, some experts say, Europe’s critical infrastructure could be an enticing target for Russia. That’s in part because the continent is far more dependent on Russian oil than the US is.
“I don’t think anyone’s thought through how much control Russia has over the future of Europe,” said Hathaway, now the president of Hathaway Global Strategies.
Putin has been most willing to wreak havoc on the Ukrainian power grid, which the Russians also hacked in 2016 – just a year after shutting off power to more than 200,000 consumers.
Lee said the second attack – which reportedly took out about a fifth of the power consumption in Kyiv for an hour – was by far the more impressive of the two.
“That one scared the hell out of everybody,” said Lee, now CEO of a cybersecurity firm called Dragos and a former cyber warfare specialist with the Air Force. “That was a capability they developed that could be deployed on any electric transmission site in the world and have reliable effects everywhere. Like, it was – it was bad.”
The NotPetya attack was launched against a Ukrainian accounting software firm, but the malware spread to companies across the globe, resulting in billions of dollars in damage.
“It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict,” White House press secretary Sarah Sanders said in 2018.
Some experts say the extensive meddling in Ukraine is due in part to how the country is seen as a kind of testing ground for belligerent cyberactivity. This is because the country’s power grid is in some ways similar in structure to those in the US and other Western countries, but Ukraine’s ability to retaliate has historically been minimal.
Still, the US has seen a rise in high-profile cyberattacks. The growing threat prompted Biden to issue an executive order in May to shore up the nation’s cybersecurity and protect federal government networks. And it is a reminder that cyber defense in the United States has troubling vulnerabilities.
The US has ‘significant’ cyber vulnerabilities
If the Colonial Pipeline breach demonstrated anything, it is the extent to which critical infrastructure in America is susceptible to cyberattacks.
That event in May prompted the Georgia-based company to shut down the pipeline for the first time in its 57-year history. The six-day shutdown scrambled logistics for several airlines and caused a panic at the pump that led to shortages and briefly raised gas prices. But while it was allegedly carried out by a Russian hacker group called DarkSide, authorities haven’t been able to link it to the Kremlin. (In fact, the Russian domestic intelligence agency arrested the alleged culprit – though the hacker was not extradited.) The ordeal ended when Colonial ponied up the $4.4 million ransom — more than half of which was later recovered by the Justice Department.
That attack, Prudhomme stressed, was financially motivated. The hackers, he said, used a compromised password found in a dark-web data dump and were able to employ an inactive VPN account to penetrate the Colonial Pipeline’s network, which didn’t use multifactor authentication.
“Criminal hackers will tend to go for low-hanging fruit,” he said. “The point of entry here was fairly simple.”
Another sensitive breach happened in early 2021, when hackers – whose country of origin isn’t known – were able to gain access to a Florida water treatment facility by using dormant remote access software for the purpose of poisoning the water supply. The hack was quickly caught by a human operator at the facility. But the incident illustrates the dangers of remote access work without proper security: The plant had used multiple computers running an aging version of Microsoft Windows to monitor the facility remotely. All of the computers shared a single password.
But even if localized networks are vulnerable, experts say that the American power grid is far too complex to shut down in one simple motion.
“For a successful attack to be able to take the lights out, they need to gain access to a lot of different points … and nobody is looking,” said Vikram Thakur, technical director at cybersecurity company Symantec. “We don’t think it’s plausible.”
Sophisticated hackers could, however, still seize on any vulnerabilities to cause smaller-scale damage to the electrical grid and other means of energy production.
Smaller utility companies may not be able to make enough of an investment in cybersecurity, potentially making their systems more vulnerable to attacks. The equipment and devices specifically used to distribute electricity to consumers are also more at risk, experts say, because they are not required to adhere to federal cybersecurity standards that apply to the higher-voltage generators and transmission lines in the electrical industry.
And while new cybersecurity requirements were introduced for certain oil and gas pipelines last year, they are not as comprehensive as the electrical industry standards and there aren’t federal cybersecurity regulations for water systems, said Ernie Hayden, who has spent decades working in the power sector, identifying risks to energy and electric providers as a chief information security officer, cybersecurity engineer and consultant.
If networks aren’t properly secured, a hacker could not only launch a ransomware or malware attack but directly infiltrate systems, known as operational technology, that control critical equipment, said Hayden.
Depending on the location of the attack and the lack of controls, this could result in a range of potential outcomes. If hackers get into the operational controls of a water system – as nearly happened in Florida last year – they could potentially poison a water supply by causing chlorine to be injected at a dangerous level, said Hayden. They could cause short power outages if they found a way to access devices that control the circuit breakers at one of the country’s tens of thousands of substations, which are used to transform voltage before electricity is delivered. And turning off the ventilation controls or valves that control the flow of chemicals, gas and oil at refineries could cause equipment failures and leaks, he said.
Even these smaller-scale, localized disruptions are unlikely, however, and experts said they would not cause the cascading blackouts or mass destruction that many fear. But they could still have a psychological impact, which may be the intent of the attacker.
Tom Alrich, a cybersecurity risk management consultant specializing in supply chain threats to software, said he doesn’t believe hackers, including any from Russia, would be able to cause outages by accessing electrical infrastructure. Even if they could, he said, they would get nothing out of it. Instead, Alrich said, the focus should be on ransomware attacks that shut down a company’s operations without directly attacking the systems that control the physical infrastructure, which is what happened in the case of the Colonial Pipeline, or cyberattacks that “poison” the software developed by a given company or organization, such as the infamous SolarWinds hack.
Max Stier, president and CEO of Partnership for Public Service – a nonpartisan non-profit that promotes better government – pointed to some federal failures. He noted that the Department of Energy has some key positions unfilled because the US Senate has been slow to confirm nominees.
“The notion of cyber risk is profound,” Stier said. “It’s a battlefield that doesn’t respect physical boundaries, one where we know the Russians already have been playing, and not just the Russians; and it’s one where we have significant vulnerability.”
CORRECTION: An earlier version of this story misstated the number of organizations breached in the SolarWinds hack. The figure is about 100.