Russian hacking group compromised US power companies – 60 Minutes
The Biden administration warns of the potential for Russian cyberattacks on US soil, and in recently unsealed indictments, the Justice Department released details of cyberattacks it says the Russians launched in the past.
“The Russians pose a serious and persistent threat,” Deputy Attorney General Lisa Monaco told correspondent Bill Whitaker for a 60 Minutes report this week. “This is really the type of activity we are warning about today regarding Russia’s response to the world’s response to the horror in Ukraine.”
Between 2012 and 2017, according to the Justice Department, three Russian intelligence agents and their accomplices targeted the energy sector, hacking into hundreds of companies and organizations around the world. Russian hackers also managed to break into the computer network of a Kansas nuclear energy company, according to the indictment.
Monaco said while such incidents have happened in the past, Americans should be prepared for similar attacks. “We see Russian state actors scanning, probing, looking for opportunities, looking for weaknesses in our systems on critical infrastructure, on businesses,” Monaco said.
In the summer of 2017, according to a DOJ indictment, Russian hackers launched a cyberattack on the safety system of an overseas oil refinery (the plant's safety instrumented system, whose only job is to shut equipment down before it reaches a dangerous state), forcing the entire plant to close. Investigators identified the plant as the Petro Rabigh Petrochemical and Refining Complex in Saudi Arabia.
Robert Lee, a former NSA hacker and co-founder of cybersecurity firm Dragos, investigated the attack. He said the malware the attackers installed, known as “Triton”, could have been used to set off explosions and release toxic chemicals at the Saudi plant.
“This is the first time in history that we’ve seen a cyberattack explicitly designed to kill people,” Lee said. “It targets security systems. And those security systems are only there to protect lives. So explicitly pursuing this system, the only reason to do so is to hurt people.”
Lee says disaster was averted only because the hackers made a small mistake in their software. “Instead of causing the effects they were looking for, like an explosion where you would kill people, it just shut down the plant,” he said.
Lee also investigated two incidents in Ukraine widely considered to be the most destructive cyberattacks against civilian infrastructure the world has ever seen.
In 2015, Lee says, Russian hackers from the military intelligence agency, the GRU, broke into the networks of three different Ukrainian power companies and waited quietly before launching their full-scale attack. “They broke in over the summer, got into position, and they started learning how to operate these systems,” Lee said. “And as a result, they disconnected more than 60 substations across Ukraine and caused power outages for around 225,000 customers in the dead of winter.”
A year later, Lee says, the GRU hackers were back with a much more sophisticated attack – automated malware that could cripple multiple transmission stations with a single strike.
“It was a shock to everyone because there was a lot of theory about how you could do this,” Lee said. “People in my community on the cybersecurity side have been talking about this for a long time – it’s possible. But seeing it actually demonstrated is giant proof that you can do it. And we also know now that they’re bold enough to do it.”
Lee said the Russians could do the same in the United States.
For the past few years, Lee says his cybersecurity company has tracked the same GRU hacking group – known to researchers as “Sandworm” – installing malware and probing power companies here in the United States.