War, fear, ‘hacktivist’ zeal are upending energy cybersecurity
After news broke that hackers had forced the biggest U.S. petroleum pipeline to stop shipping fuel to the East Coast, drivers started hoarding gasoline.
Fear took root within a few days of Colonial Pipeline Co.’s announcement last spring. Images of panic-buying went viral on social media. And in response, the U.S. Consumer Product Safety Commission took to Twitter.
“Do not fill plastic bags with gasoline,” the agency tweeted.
The attack on Colonial in May 2021 by a criminal ransomware group with safe harbor in Russia caused a political mess in Washington. Without consulting the U.S. government, Colonial paid nearly $5 million to the notorious gang DarkSide, which had locked front-office computer files and held them for ransom. Then Colonial made a unilateral decision to shut down the entire pipeline, its CEO told members of Congress.
When the dust settled, observers noted something else: The ransomware attack had a psychological effect on Americans, particularly for the people filling up gas cans. In some small way, it shook the U.S. economy.
Since February, the war in Ukraine has crystallized public fear that Russia is plotting another Colonial-sized assault on U.S. energy. But security analysts also warn that the tactics and motives of digital saboteurs have changed since the start of the war in Europe.
Criminal ransomware syndicates whose aims were purely financial are increasingly motivated by politics and ideology, the consulting firm Accenture noted in a recent report. Hackers are picking sides in the war, casting aside financial goals for ideological ones, according to analysts who monitor underground hacker forums.
Ukraine and energy companies in the West are still bracing for the worst at the hands of Russia’s state-sponsored hackers. But what has emerged over the past six weeks is a more fragmented, less predictable cybersecurity arena.
Hackers are actively exploring ways to use online messaging or disinformation campaigns to magnify the effect of smaller-scale hacks. That approach is a means to new ends: to sow chaos, shake public confidence and affect policy.
“There is no playbook for this,” said Howard Marshall, global cyberthreat intelligence lead at Accenture Security.
‘Hacktivists’ and ideology
Accenture analysts told E&E News that clandestine groups that sell access to computer networks are in turmoil, refusing to do business with hackers on one side or another in the war.
Inquiries about how to disrupt oil and gas infrastructure have popped up on underground forums in recent weeks, according to the analysts, signaling that energy remains a target.
“Their zeal to follow this ideology may unfortunately create an environment where we are greatly increasing risk,” Marshall said. “And what happens if that ideology is backed by investment?”
“Hacktivists” — many out of Ukraine and targeting Russia — are now a more dominant form of cyber activity. Ukraine’s volunteer “IT army” boasts thousands of members. They’re “unregulated, unauthorized,” Marshall said.
“These folks now believe that because they’ve answered this plea that they are somehow indemnified, or they’ve been given a green light to attack Russian targets and Russian interests around the world,” Marshall said.
Distributed denial of service (DDoS) attacks that shut down computers but don’t destroy them are becoming bread and butter to these groups. And they’re being accompanied by messaging campaigns designed to cause more confusion.
Ukraine has had its fair share of DDoS attacks. Days before Russia’s invasion, two Ukrainian banks were targeted. Ukrainians then got text messages falsely claiming ATM systems were down. In this case, the DDoS attacks and messaging spree did not appear to have a large impact. The Ukrainian Cyber Police quickly debunked the fake texts.
The White House quickly pointed the finger at Russia. Anne Neuberger, deputy national security adviser for cyber and emerging technology, said Moscow uses “cyber as part of its projecting force, whether that is influencing, coercing or destabilizing.”
Where is the ‘red line?’
The shifting shapes and shades of global hacking networks is changing the way U.S. security analysts view the threat.
It’s political. Even if the purpose of a nonlethal intrusion by hackers into the computer system at a small utility isn’t obvious, it has an effect, analysts say. To puncture security and to manipulate public opinion in the U.S. is to influence policy.
“We need to ask right out of the gate why would adversaries attack the U.S. electric system or other critical infrastructure,” said Paul Stockton, former assistant secretary of Defense for homeland defense. “They’re going to attempt to use attacks in order to achieve their political objectives.”
Smaller attacks on the U.S. electric grid or water systems combined with information attacks have one goal: “It’s all about gaining leverage in U.S. decisionmaking,” Stockton said. “Information operations can help intensify the psychological impact even on small attacks on water systems and electric systems.”
Foreign cyberattacks can raise the public costs for defending U.S. allies while reinforcing “that more devastation will follow unless the president caves in,” Stockton wrote in a paper, “Defeating Coercive Information Operations in Future Crises.”
Ben Miller, an expert at the cybersecurity firm Dragos Inc., agreed that small-scale attacks on utilities probably don’t cross the “red line” that might draw the United States into war. But it could influence U.S. foreign policy in other ways.
“It’s below the red line from an escalation standpoint, but that still has a proportionate effect on the policy aspect,” Miller said.
The power industry takes those threats seriously. The biennial GridEx security exercise has made public messaging an important element of it exercises. The 2019 exercise simulated a grid attack where over 5 million homes had no power. In that imaginary scenario, journalists relied on unverified reports and information floating around social media.
“Social media posts by adversaries and affected public continued to raise anxieties and fears,” according to a white paper on the GridEx exercise.
In addition, industry-government coordinating groups such as the Electricity Subsector Coordinating Council have focused on establishing a “unity of message” around national security events, Miller said.
The physical bombardment of infrastructure in Ukraine is the dominant factor in the war there. But Ukraine hasn’t escaped unscathed by Russia’s cyber teams.
On Feb. 2, the Computer Emergency Response Team of Ukraine warned of a spear phishing campaign against an energy organization. The cybersecurity firm Palo Alto Networks said that that appeared to be focused on intelligence gathering.
Destructive hacks against the electric grid present a harder and often less effective method of achieving Russian President Vladimir Putin’s goals, experts note.
It’s not an easy process to take down a grid with a digital strike. It can take months of preparation just to understand how a specific utility site operates beyond the IT systems. And a mistake can quickly lead to discovery that wipes out any chance of success.
Tim Conway, technical director at the SANS Institute, a cyber educational and training nonprofit, said Russia’s calculation in Ukraine is clear. Physical attacks on infrastructure can do more damage. “If they tried to do pure cyber, they would have only effected certain sites.”
Conway said that Russia already had a more effective way to disrupt power: raw force.
“If you had a capability to move into Zaporizhzhia, the nuclear site,” Conway said, “why would you go through that cyber approach and show those capabilities to the world when you’ve got troops standing at the gate?”
Hardening Ukraine’s grid
U.S. and Ukrainian engineers have worked to harden Ukraine’s power system since 2015 and 2016 — the last time Russia turned off the lights in Ukraine.
Gen. Paul Nakasone, director of the National Security Agency and U.S. Cyber Command, has cited the “tremendous amount of work” done in recent years to secure Ukraine’s energy grid against malicious malware.
The 2022 federal spending bill that included roughly $14 billion in aid for Ukraine also contained $30 million for the Department of Energy to help the country synchronize with the European Union’s power transmission system. That included wrestling with cybersecurity concerns (Energywire, March 17).
In addition, since 2020 the U.S. Agency for International Development (USAID) has spent $38 million to help improve Ukraine’s cybersecurity workforce, legal and regulatory reforms, and help the country’s institutions access tools and resources to combat cyberthreats, the spokesperson said.
The National Association of Regulatory Utility Commissioners and the Department of Energy’s Pacific Northwest National Laboratory have also provided support since 2016.
Conway said the help has been a two-way street. Ukraine has been willing to share information, said Conway, who was a part of the initial incident response teams in 2015.
“Overall, of all the things I’ve done working with labs and DOE and being on the asset owner and operator side,” Conway said, “just a tremendous amount has been gained by Ukraine’s willingness to share information with us.”
Gloss