Russian hacking group compromised U.S. power companies
The Biden administration is warning about the potential for Russian cyberattacks on American soil, and in newly unsealed indictments, the Justice Department has released details about cyberattacks it says Russians have launched in the past.
"The Russians pose a serious and persistent threat," Deputy Attorney General Lisa Monaco told correspondent Bill Whitaker for a report on 60 Minutes this week. "It is very much the type of activity that we are warning about today when it comes to Russia's response to the world's response to the horror in Ukraine."
Between 2012 and 2017, the Justice Department says, three Russian intelligence agents and accomplices targeted the energy sector, hacking hundreds of companies and organizations around the world. Russian hackers also managed to get inside the computer network at a nuclear power company in Kansas, the indictment says.
Monaco said that although these incidents occurred in the past, Americans should be prepared for similar attacks. "We are seeing Russian state actors scanning, probing, looking for opportunities, looking for weaknesses in our systems on critical infrastructure, on businesses," Monaco said.
In the summer of 2017, a DOJ indictment says, Russian hackers launched a cyberattack on the safety system of an overseas oil refinery, which forced the entire plant to shut down. Investigators have identified the plant as Saudi Arabia's Petro Rabigh petrochemical and refinery complex.
Robert Lee, a former NSA hacker and co-founder of cybersecurity company Dragos, investigated the attack. He said the hackers could have set off explosions and released toxic chemicals in the Saudi plant with the malware they installed, known as "Triton."
"It's the first time in history we've ever seen a cyberattack explicitly designed to kill people," Lee said. "It targets safety systems. And these safety systems are only there to protect lives. So going after that system explicitly, the only reason to do it is to hurt people."
Lee says disaster was averted, only because the hackers made a small error in their software. "Instead of actually causing the effects they were looking to achieve, like an explosion where you'd kill people, instead it simply shut down the plant," he said.
Lee also investigated two incidents in Ukraine widely considered the most destructive cyberattacks on civilian infrastructure the world has ever seen.
In 2015, Lee says, Russian hackers from the military intelligence agency, the GRU, broke into three different Ukrainian power companies' networks, and waited quietly before launching their full-scale attack. "They broke in over the summer, got into position and they started learning how to operate those systems," Lee said. "And as a result, they disconnected over 60 substations across Ukraine and caused blackouts for around 225,000 customers in the dead of winter."
A year later, Lee says, GRU hackers were back with a much more sophisticated attack – an automated piece of malware that could cripple multiple transmission stations with one keystroke.
"It was a shock to everybody because there's been a lot of theory around how you could do this," Lee said. "People in my community on the cybersecurity side have been talking about this for a long time on – it's possible. But to actually see it demonstrated is a giant proof that you can do it. And we also know now they're bold enough to do it."
Lee said the Russians could do the same thing in the United States.
Over the last few years, Lee says his cybersecurity company has tracked the same GRU hacking group — known among researchers as "Sandworm" — installing malware and probing power companies here in the U.S.