Shields Up: U.S. officials preparing for potential Russian cyberattacks
This past week, the U.S. government issued an urgent warning about dangerous new malware that could cripple industrial systems worldwide. It comes on the heels of Ukraine withstanding an attempt by Russian hackers to knock out power to 2 million people in that war-torn country. The Biden administration has been releasing sensitive intelligence and dire warnings that the Kremlin is preparing to launch a new generation of cyberattacks on American soil. U.S. cyber defenders tell us they are now watching Russian state actors probe some of our most critical systems, and are bracing themselves — especially at the Department of Homeland Security — with an initiative called "Shields Up."
Jen Easterly: We are seeing evolving intelligence about Russian planning for potential attacks. And we have to assume that there's going to be a breach. There's going to be an incident. There's going to be an attack.
Jen Easterly is director of the Cybersecurity and Infrastructure Security Agency. Known by its acronym, CISA, the agency helps secure computer networks in 16 sectors deemed vital to national security, like energy, finance and communications.
Jen Easterly: Anything that could impact critical infrastructure.
Easterly is not your typical bureaucrat. She's a decorated, retired Army officer with two Bronze Stars, who's also decorated with a tattoo, and nails painted the colors of Ukraine's flag – she's a techie with serious chops. A West Point graduate and a Rhodes scholar, she was part of the National Security Agency's elite hacking team and went on to help create the agency's cyber command.
Bill Whitaker: When you've got someone like Vladimir Putin, who just doesn't seem to care about norms, how do you protect against that? When you've got someone like Vladimir Putin, who just doesn't seem to care about norms, how do you protect against that?
Jen Easterly: I think we are dealing with a very dangerous, very sophisticated, very well-resourced cyber actor. And that's why we've been telling everybody consistently, shields up. What does that mean? It means assume there will be disruptive cyber activity and make sure you are prepared for it.
She's taken to social media to encourage industry to share information with the government to defend against cyberattacks and calls on all Americans to put their shields up by updating software and using multi-factor authentication on computers and phones.
Jen Easterly: I'm a big Star Trek fan, so "Shields Up!" And it has really caught on as something– that's all about preparation, not panic.
Bill Whitaker: Is there one sector that worries you more than the others?
Jen Easterly: We know that energy, targeting the energy sector, is part of the Russian play book. But also finance, given potential retaliatory attacks for the very severe sanctions that the U.S. and our allies have imposed and continue to impose.
Bill Whitaker: If I'm just sitting at home watching this, why should I be concerned about a cyberattack?
Jen Easterly: Everything that you do, hour by hour, is largely dependent in some way on the critical infrastructure. How you get gas at the local pump, how you get food at the grocery store, how you get money from your ATM, how you get your power, how you get your water, how you communicate – all of that is our critical infrastructure. And that's what we're saying is at potential risk to a Russian malicious cyberattack.
Robert Lee: There's only been one country out there that's actually had expertise in taking down electric power systems and that's Russia.
Robert Lee – another former NSA hacker – is the co-founder of Dragos, a cybersecurity company. He's known as a wizard of the dark arts of cyber war, specializing in the defense of critical infrastructure. In 2015 he investigated an incident in Ukraine, the most destructive cyberattack on civilian infrastructure the world had ever seen.
Bill Whitaker: What– what'd you find?
Robert Lee: The Russian state broke into three different power companies across Ukraine probably about six months ahead of the actual attack. So they broke in over the summer, got into position, and they started learning how to operate those systems. And as a result, they disconnected over 60 substations across Ukraine and caused blackouts for around 225,000 customers in the dead of winter.
It was all done remotely from this building in Moscow by hackers with the military intelligence agency, the GRU. The Ukrainians had to send utility workers to the impaired substations to manually restart each one. A year later, Lee says, GRU hackers were back with a much more sophisticated attack – a piece of malware that could cripple multiple transmission stations with one keystroke.
Bill Whitaker: What did it mean that Russia was able to do this?
Robert Lee: It was a shock to everybody because there's been a lot of theory around how you could do this. People in my community on the cybersecurity side have been talking about this for a long time on it's possible. But to actually see it demonstrated is a giant proof that you can do it. And we also know now they're bold enough to do it.
Bill Whitaker: Could the Russians do the same thing here in the U.S.?
Robert Lee: Absolutely.
Over the last few years, Lee's cybersecurity company, Dragos, has tracked the same GRU hacking group – known among researchers as "Sandworm" – installing malware and probing power companies here in the U.S.
Robert Lee: There was about a dozen power companies that ended up getting compromised in the 2014-2015 time frame by the same group that ended up taking down the electric system in Ukraine.
In the summer of 2017, Russian hackers launched a more brazen and potentially much more dangerous attack – this time on Petro Rabigh, a massive oil refinery along the Red Sea in Saudi Arabia. On a Friday night in August, a safety system triggered the whole plant to shut down. Julian Gutmanis was working cybersecurity for the Saudi oil giant Aramco and rushed to the scene to investigate.
Bill Whitaker: From what you saw, you– you were alarmed?
Julian Gutmanis: At that stage, yes, yep. Like, why is somebody going after the safety systems on a weekend at night? It's just not normal.
What Gutmanis discovered stopped him in his tracks; someone had hacked into the emergency shutdown system and installed suspicious computer files.
Julian Gutmanis: The files were created and executed– you know, momentarily before the– the initial outage that we responded to.
Bill Whitaker: You were able to trace that back?
Julian Gutmanis: Forensically, yeah. I came across a– function that they'd defined in there called "execute exploit." Hairs stood up on my arms and I'm like, "This is probably something really serious." You don't normally have the word "exploit" in– in normal kind of vendor software.
Bill Whitaker: So that– that set off alarm bells?
Julian Gutmanis: Oh, huge alarm bells. And it really kind of made us focus on, "How did these files get there? Where did they come from? Who created them? And– and what do we do? What are they trying to do?"
Gutmanis now works for Robert Lee at Dragos, who also investigated the hack. Lee says the hackers could have set off explosions and released toxic chemicals with the malware they implanted, known as Triton.
Robert Lee: It's the first time in history we've ever seen a cyberattack explicitly designed to kill people. It targets safety systems. And these safety systems are only there to protect lives. So going after that system explicitly, the only reason to do it is to hurt people. What happened is they made a small error in the software that instead of actually causing the effects they were looking to achieve, like an explosion where you'd kill people, instead it simply shut down the plant.
Lisa Monaco: The Russians pose a serious and persistent threat.
As the second highest ranking official in the Justice Department, Deputy Attorney General Lisa Monaco oversees the FBI and its 1,000 strong cyber division. Three weeks ago, her department unsealed two secret indictments: one described how Triton worked, and identified Evgeny Gladkikh, from a Russian Ministry of Defense research institute, as one of the hackers. The second indictment says between 2012 and 2017 three Russian intelligence agents and accomplices hacked hundreds of energy companies around the world and managed to get inside the computer network at a nuclear power plant in Kansas.
Lisa Monaco: This was historical activity. But it is very much the type of activity that we are warning about today when it comes to Russia's response to the world's response to the horror in Ukraine.
Bill Whitaker: What about right now? Are you seeing Russian activity– Russian plots to disrupt our infrastructure?
Lisa Monaco: We are seeing Russian state actors scanning, probing, looking for opportunities, looking for weaknesses in our systems on critical infrastructure, on businesses. Think of it, Bill, as a burglar going around trying to jiggle the lock in your house door to see if it's open. And we're seeing that.
Earlier this month, Monaco joined Attorney General Merrick Garland and FBI Director Christopher Wray to announce the U.S. had conducted a bold operation: stopping Russian hackers as they were preparing to strike.
Lisa Monaco: We're talking military intelligence actors, deploying malware, malicious code, on thousands of computers in hundreds of countries. We're seeing them deploy that code and take control of these computers. It's like an army of infected computers that, with a single command, can be deployed to do everything from gathering information, stealing information, and sometimes to have destructive effect. And we were able to work with the private sector to understand it, to be able to use unique investigative tools to trace it back to attackers at keyboards. And then, use our tools to go in, not only remove that malware, but again, to lock those doors, to keep the attacker from coming back.
Dmitri Alperovitch: This was the first time that we have taken that action against something that the Russian military has done preemptively, before they launched the attack. We took it down.
Dmitiri Alperovitch is well acquainted with Putin's tactics. As co-founder of the heavyweight cybersecurity company Crowdstrike, he helped trace the 2016 hack of the Democratic National Committee back to the GRU in Moscow. He currently is a member of the Homeland Security Advisory council. The Moscow-born Alperovitch has a theory why Putin hasn't launched a full scale cyberattack on the U.S. yet.
Dmitri Alperovitch: He thinks that a victory that he can pull out is still achievable and that as he can make a deal with Europeans at least and possibly the Americans to take the sanctions off. I think he's mistaken on that. But I think at least until he tries that, he's unlikely to launch the cyberattacks.
Bill Whitaker: So why do you think President Biden has said a cyberattack from Russia is coming.
Dmitri Alperovitch: Well, I think the reality is that those sanctions will not come off, that the economic pressure on Russia will continue, and they are gonna start retaliating for that in cyberspace once it hits them that this is permanent, that this is not going away. And they're gonna try to look for ways to press us economically in retaliation. And cyber is a perfect way for them to do so.
Perfect because cyber is a battlefield where Russians have an advantage: a target-rich environment in the United States.
Dmitri Alperovitch: The reality is that we have way too many targets. If you look particularly in our energy sector, you have regional utilities. You have minor energy processing companies, storage companies, pipeline companies. And make no mistake, Bill. The cyber actors that they have are top notch. And they've demonstrated that time and time again.
Bill Whitaker: We have said in the past that if you do this to us, we will respond in kind. Would we?
Dmitri Alperovitch: We have to let him know that you will not touch our critical infrastructure without a response. And the way to do that, I think, is through a cyber operation that can demonstrate our capabilities without lasting damage. One of the ways you can do that, for example, is by taking Russia off the internet for a few hours. It won't cause any lasting impact, but it will demonstrate the power of the United States Cyber Command, what we can do to his economy by disconnecting him, effectively, from the internet.
Bill Whitaker: We can do that?
Dmitri Alperovitch: We can absolutely do that. And we'll let him know that if he keeps going, if he keeps attacking us, we can make that permanent.
Produced by Marc Lieberman and Graham Messick. Associate producers, Jack Weingart and Cassidy McDonald. Field associate producer, Jacqueline Williams. Broadcast associates, Emilio Almonte and Eliza Costas. Edited by Richard Buddenhagen.