As President Obama is threatening and acting out on retaliation for Russia’s hack of the United States election, it’s becoming evident that the hack was even bigger. According to a report in the Washington Post, the Vermont electric utility was also hacked.
While the Russians did not actively use the code to disrupt operations, according to officials who spoke on the condition of anonymity to discuss a security matter, the discovery underlines the vulnerabilities of the nation’s electrical grid. Officials in government and the utility industry regularly monitor the grid because it is highly computerized and any disruptions can have disastrous implications for the country’s medical and emergency services.
No one is sure at this point why the Russians hacked the small utility, but it’s possible that they did it just to show us they can. It could also have been a test, similar to the way credit card thieves start with small charges to test the card.
This is also far from out of character for Russia. Earlier in 2016, Russia allegedly hacked the power grid in the Ukraine.
The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.
“It was brilliant,” says Robert M. Lee, who assisted in the investigation. Lee is a former cyber warfare operations officer for the US Air Force and is co-founder of Dragos Security, a critical infrastructure security company. “In terms of sophistication, most people always [focus on the] malware [that’s used in an attack],” he says. “To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was highly sophisticated.”
While Lee couldn’t say for sure it was Russia, the Ukraine is convinced it was. Nonetheless, Lee said, it was a very well-funded operation and it could have been from a nation-state.
As Wired notes, the electrical infrastructure in the Ukraine is more secure than it is overall in the United States. Beyond that, many of our electrical grids don’t have backup, which means that it could be hours, days, or even longer before we get power back.
Even more frightening, the entire nation could be without power indefinitely if just nine of its 55,000 substations were hit by terrorists or by hackers.
A coordinated attack on just nine of the United States’ 55,000 electric-transmission substations on the right day could cause a blackout from Los Angeles to New York City, according to the study conducted by the Federal Energy Regulatory Commission. The study’s results have been known for months to select people in federal agencies, Congress and the White House, but were reported publicly for the first time Wednesday. The WSJ did not publish a list of the 30 most critical substations identified by the FERC study.
One particularly troubling memo reviewed by the Journal described a scenario in which a highly-coordinated but relatively small scale attack could send the country into a long-term literal dark age. “Destroy nine interconnection substations and a transformer manufacturer and the entire United States grid would be down for at least 18 months, probably longer,” the memo said.
One of Donald Trump’s campaign promises has been to improve the infrastructure. Obama has been trying to do that for most of his time in office, but Congress has blocked that. Still, even if Trump does get an infrastructure bill signed, his relationship with Russia is troubling. Will his loyalty be with the United States or is he indebted enough to Russia that he will leave the doors open for them to attack us where we are the most vulnerable? It’s a disconcerting question, to say the least, and it’s why the hacking of the election, along with Trump’s praise of Putin, is a big f*cking deal.
UPDATE: The Washington Post has issued a correction. The utility was hacked, but that Vermont utility is not corrected to the grid.
“An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid,” an editor’s note attached to the original article said.
Featured image via Pool/Getty Images