How alleged Russian hackers managed to infiltrate critical U.S. infrastructure

Hackers who penetrated the U.S. electrical grid and other critical infrastructure did not have enough access to cause "wide-scale damage," says a cybersecurity expert.

Trump administration accused Moscow of an elaborate plot to penetrate America's electric grid

U.S. President Donald Trump chats with Russia's President Vladimir Putin as they attend the APEC Economic Leaders' Meeting in November 2017. The Trump administration accused Russia on Thursday of a concerted operation to hack the U.S. energy grid and other critical infrastructure including aviation. (Mikhail Klimentyev/AFP/Getty Images)


Hackers accused by U.S. authorities of penetrating the country's electrical grid and other critical infrastructure did not have enough access to cause "wide-scale damage," says a cybersecurity expert.

The Trump administration accused Moscow on Thursday of an elaborate plot to penetrate America's electric grid, factories, water supply and even air travel through cyber hacking.

U.S. national security officials said the FBI, Department of Homeland Security and intelligence agencies determined Russian intelligence and others were behind a broad range of cyberattacks starting a year ago.

They said Russian hackers infiltrated the networks that run the basic services Americans rely on each day: nuclear power, water and manufacturing plants.

The cyber security firm Symantec warned of the hacks last October.

Vikram Thakur, the company's technical director, spoke with As It Happens host Carol Off. Here is part of that conversation.

What kind of damage could these hackers have done if they had actually flipped the switch and attacked the U.S. power grid?

We think that, overall, the damage would have been not as wide-scale as one would probably imagine. We don't think that the attackers had gotten access to every single organization's network that would be required to cause wide-scale damage or wide-scale kinetic impact.

What did they have the capacity to do?

They were on computer networks, which are connected directly with parts of the energy grid. Think about that as parts of the energy ecosystem where energy is created, distributed, recycled and all that.

So they were on different networks, but we do not believe that their intention at this very moment was to cause any wide-scale disruption if they so chose.

As U.S. officials step up sanctions on Russian intelligence for its interference in the 2016 elections, members of the Trump administration have accused Russia of a cyberattack on the domestic energy grid - which includes the Con Edison power plant in New York City, pictured here - and other key parts of America's infrastructure. (Spencer Platt/Getty Images)

How did you find out that this was happening — that they had hacked in?

So we saw a concerted number of attacks going towards organizations, which are all in the energy sector.

We tried to study what the attackers were trying to do in some cases when they got onto certain networks.

On observing them, we were able to gather that information, provide it to the different organizations saying that, "Hey, this seems to be the method and the tactic being employed by someone trying to get into your network."

In some cases, they have not been that successful. In some cases they've had moderate success. But, they seem to be looking for some documents or they seem to be looking for very specific documents.

We can see that on different networks they were attempting different things. We just pieced it all together based on the exact same tools that they were using across all these different networks.

That's how we figured that it's the same group as Dragonfly that we've known about for a few years at this point.

Dragonfly operates out of what country?

According to the U.S. government, Dragonfly operates out of Russia.

The FBI National Security Division and the U.S. Attorney's Office for the Northern District of California hold a joint news conference about suspected Russian hackers at the Justice Department in Washington on Thursday. (Yuri Gripas/Reuters)

How can you be sure that they were hacking in order to possibly conduct some act of sabotage? ... How come that and not the possibility that they were stealing information, they were trying to get technology for their own use?

When an attacker gets onto your computer and starts searching for proprietary file formats which belong only to industrial control systems ... that's when you realize that the attacker is not looking for direct monetary gain from having access to your computers.

He's looking for information about the configuration of your power plants, which can only have one purpose, which is them trying to understand what the sensitive points within your network might be to impact some change in your industrial output.

Why is the U.S. government so convinced that it's the Russians and the Russian government that's behind this?

We have no idea about why the U.S. government thinks that this is Russia, but at the same time we do not have any data to doubt what their claim might be.

In fact, we actually don't even have any data to corroborate what they're saying. So we're sort of agnostic to where the hacking might be occurring from.

How concerned should Americans be with that little wave of the hand over there from Russia saying, "Hey. We can get in here"?

I think it is concerning. But I think what the government has done in this case is definitely commendable. They have put out a huge amount of technical information — very, very, very relevant to the constituents of the critical infrastructure.

And we know for a fact that all those organizations within the critical infrastructure in the U.S. are taking measures to date to raise their own security profile and improve the defences of their own networks.

I would say that if there is a silver lining to these attacks, it is that the collective critical infrastructure's defensive posture has gotten better in the past six months.
