After news broke that hackers had forced the largest oil pipeline in the US to stop sending fuel to the East Coast, drivers began stockpiling gasoline.
Fear took root within days of Colonial Pipeline Co.’s announcement last spring. Panic buying footage went viral on social media. And in response, the US Consumer Product Safety Commission took to Twitter.
“Do not fill plastic bags with gasoline”, the agency tweeted.
The attack on Colonial in May 2021 by a criminal ransomware group with a safe harbor in Russia caused political turmoil in Washington. Without consulting the US government, Colonial paid nearly $5 million to the notorious DarkSide gang, which had locked down the computer files of the main office and held them for ransom. Colonial then made a unilateral decision to shut down the entire pipeline, its chief executive told members of Congress.
As the dust settled, observers noticed something else: The ransomware attack had a psychological effect on Americans, particularly the people who filled gas cans. Somehow, it shook the American economy.
Since February, the war in Ukraine has crystallized public fears that Russia is plotting another Colonial-sized attack on American energy. But security analysts also warn that the tactics and motives of digital saboteurs have changed since the start of the war in Europe.
Ransomware criminal syndicates whose goals were purely financial are increasingly motivated by politics and ideology, consulting firm Accenture noted in a recent report. Hackers are choosing sides in the war, trading off financial goals for ideological ones, according to analysts who monitor underground hacker forums.
Ukraine and Western energy companies are still preparing for the worst at the hands of Russia’s state-sponsored hackers. But what has emerged in the last six weeks is a more fragmented and less predictable cybersecurity field.
Hackers are actively exploring ways to use online messaging or disinformation campaigns to magnify the effect of smaller-scale attacks. That approach is a means to new ends: sowing chaos, shaking public confidence and affecting politics.
“There is no playbook for this,” said Howard Marshall, global leader of cyber threat intelligence at Accenture Security.
‘Hacktivists’ and ideology
Accenture analysts told E&E News that underground groups selling access to computer networks are in crisis and are refusing to do business with hackers on one side or the other in the war.
Inquiries about how to disrupt oil and gas infrastructure have popped up on underground forums in recent weeks, according to analysts, indicating energy remains a target.
“Unfortunately, their enthusiasm to follow this ideology may create an environment where we are greatly increasing risk,” Marshall said. “And what if that ideology is backed by investments?”
Hacktivists, many from Ukraine and targeting Russia, are now a more pervasive form of cyber activity. Ukraine’s volunteer “IT army” has thousands of members. They are “unregulated, unlicensed,” Marshall said.
“These people now believe that because they have responded to this petition, they are somehow indemnified, or given a green light to attack Russian targets and Russian interests around the world,” Marshall said.
Distributed Denial of Service (DDoS) attacks that shut down computers but don’t destroy them are becoming a daily occurrence for these groups. And they are accompanied by messaging campaigns designed to cause more confusion.
Ukraine has had its fair share of DDoS attacks. Days before the Russian invasion, two Ukrainian banks were attacked. Ukrainians then received text messages falsely claiming that the ATM systems were not working. In this case, the DDoS attacks and the flood of messages did not seem to have much of an impact. The Cyber Police of Ukraine quickly discredited the fake texts.
The White House quickly pointed the finger at Russia. Anne Neuberger, deputy national security adviser for cyber and emerging technology, said Moscow uses “cyber as part of its force projection, whether it’s to influence, coerce or destabilize.”
Where is the ‘red line?’
The changing shapes and nuances of global hacking networks are changing the way US security analysts view the threat.
It’s political. Even if the purpose of a non-lethal intrusion by hackers into the computer system at a small utility company isn’t obvious, it does have an effect, analysts say. Puncturing security and manipulating public opinion in the US is influencing politics.
“We need to ask up front why adversaries would attack the US electrical system or other critical infrastructure,” said Paul Stockton, a former assistant secretary of defense for national defense. “They are going to try to use attacks to achieve their political goals.”
Smaller attacks on the US power grid or water systems combined with information attacks have one goal: “It’s about gaining influence in US decision-making,” Stockton said. “Information operations can help intensify the psychological impact of even small attacks on water systems and electrical systems.”
Foreign cyberattacks may increase the public costs of defending US allies while reinforcing “that there will be more devastation unless the President relents,” Stockton wrote in a paper, “Defeating Coercive Information Operations in Future Crises.”
Ben Miller, an expert at cybersecurity firm Dragos Inc., agreed that small-scale attacks on public services are unlikely to cross the “red line” that could lead the United States to war. But they could influence American foreign policy in other ways.
“It’s below the red line from an escalation standpoint, but that still has a proportional effect on the policy side,” Miller said.
The energy industry takes these threats seriously. The biennial GridEx security exercise has made public messaging an important element of its exercises. The 2019 exercise simulated a grid attack in which more than 5 million homes had no power. In that imaginary scenario, journalists relied on unverified reports and information floating around on social media.
“Social media posts from adversaries and the affected public continued to raise anxieties and fears,” according to a white paper on the GridEx exercise.
In addition, industry-government coordination groups such as the Electricity Subsector Coordinating Council have focused on establishing a “unity of message” around national security events, Miller said.
The physical bombing of infrastructure in Ukraine is the dominant factor in the war there. But Ukraine has not escaped unscathed from Russia’s cyber teams.
On February 2, Ukraine’s Computer Emergency Response Team warned of a phishing campaign targeting an energy organization. Cybersecurity firm Palo Alto Networks said the campaign appeared to be focused on intelligence gathering.
Destructive attacks on the power grid present a more difficult and often less effective method of achieving Russian President Vladimir Putin’s goals, experts say.
It is not an easy process to take down a grid with a digital attack. It can take months of preparation to understand how a specific utility site works beyond IT systems. And one mistake can quickly lead to a discovery that eliminates any chance of success.
Tim Conway, technical director of the SANS Institute, a nonprofit cyber education and training organization, said Russia’s calculus in Ukraine is clear. Physical attacks on infrastructure can cause more damage. “If they tried to do pure cyber, they would only have affected certain sites.”
Conway said that Russia already had a more effective way to disrupt power: brute force.
“If you had the ability to move to Zaporizhzhia, the nuclear site,” Conway said, “why would you go through that cyber focus and show those capabilities to the world when you have troops standing at the door?”
Strengthening the Ukrainian grid
American and Ukrainian engineers have worked to strengthen Ukraine’s electrical system since 2015 and 2016, the last time Russia turned off the lights in Ukraine.
Gen. Paul Nakasone, director of the US National Security Agency and Cyber Command, has cited the “enormous amount of work” done in recent years to protect Ukraine’s energy grid from malware.
The 2022 federal spending bill that included roughly $14 billion in aid for Ukraine also contained $30 million for the Department of Energy to help the country synchronize with the European Union’s power transmission system. That included wrestling with cybersecurity concerns (Energywire, March 17).
Additionally, since 2020, the United States Agency for International Development (USAID) has spent $38 million to help improve Ukraine’s cybersecurity workforce, legal and regulatory reforms, and help the country’s institutions to access tools and resources to combat cyber threats, the spokesman said.
The National Association of Utilities Regulatory Commissioners and the Department of Energy’s Pacific Northwest National Laboratory have also provided support since 2016.
Conway said aid has been a two-way street. Ukraine has been willing to share information, said Conway, who was part of the initial incident response teams in 2015.
“Overall, of all the things I’ve done working with the labs and the DOE and being on the asset owner and operator side,” Conway said, “Ukraine’s willingness to share information with us has gained a tremendous amount.”