Russia is already warmed up for a massive attack on US energy grid

August 18, 1941. A date which will live in infamy.

No — the date is correct. That was the first known attack on the Ukrainian energy grid by Russia. Stalin’s secret police — the NKVD — blew up the Zaporizhzhya hydroelectric dam along the banks of the Dnieper River. Up to 100,000 were killed by the ensuing flood waters and damage.

But Russia wasn’t done yet.

{mosads}December 23, 2015. Another date which will live in infamy. That was the first successful attack against the energy grid using a new type of malware called BlackEnergy. Against the very same hydroelectric plant. Except that wasn’t the most important date.

To Russia, December 23, 2014, exactly one year earlier, is the date they really cared about. The Ukrainian Parliament voted 303 to 8 to change their non-aligned status to join NATO, and the last thing Russia wants is a NATO country along their southwestern border.

The BlackEnergy attack was punishment. Pure and simple. So was annexing Crimea in March of 2014. Any attack against the energy grid in the United States will be about punishment, as well.

U.S. accuses Russian hackers of attacks on energy sector https://t.co/tmMbROxeas pic.twitter.com/3gRjaQiNCw

— The Hill (@thehill) March 16, 2018

BlackEnergy was originally developed in 2007 as a distributed denial-of-service tool (DDoS). It evolved in 2014 to a full package that targeted Industrial Control Systems (ICS), embedded espionage modules, the ability to address multiple types of operating systems and KillDisk. KillDisk erases files and destroys the ability to boot up computers.

For years, groups linked to Russia have been tied to the malware and the attacks. Groups that are linked to Vladimir Putin.

Putin is more than a cyber bully. This is about righting the perceived wrongs done to him and the former Soviet Union by the great enemy. This is about a modern version of the U.S.S.R., and cyber warfare is the least risky way to accomplish it.

Why?

Because the U.S. doesn’t have a firm policy yet on dealing with warfare in the fifth domain. Name and shame doesn’t work. When does a bit and a byte get a bomb and a bullet? We don’t know. And Putin knows that.

On Thursday, American officials publicly accused Russia of conducting a “multi-stage intrusion campaign” that involved malware and spearphishing. Sounds familiar. Very familiar. The latest report from the FBI and DHS clearly says Russia is responsible for the attacks:

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

If the U.S. wants to see how a future attack on our energy grid will look, and be accomplished, we only need to look at how Russia has turned Ukraine into their digital punching bag for cyber-attacks.

The attack in Ukraine started with a spearphishing email sent to the energy company.  The email looked like it came from the Ukrainian parliament. Attached to it was a Microsoft Excel spreadsheet. The dreaded “Enable Macros?” box popped up, and someone said Yes.

Fox News host: Trump’s sanctions against Russia were “neither bold nor swift” https://t.co/uDPhBkjZ5f pic.twitter.com/EsfszBPVC9

— The Hill (@thehill) March 16, 2018

For six months, Russian cyber operatives worked undetected, scanning the environment for weaknesses and passwords. Passwords to the Virtual Private Network (VPN) that allowed access through the firewall to all of the control system that ran the hydroelectric plant and substations.

It wasn’t enough to gain access. Again, it was about punishment. Operation-specific targeting of firmware inside critical equipment called serial-to-ethernet connectors was part of the attack profile. These cables allow commands from a computer to be sent to the breakers.

Don’t worry, right? This is the reason backup power is available. Wrong. Two of three UPS’s (Uninterruptable Power Supply) at the substations were also targeted. Don’t forget the telephone system, too. As a final topping, KillDisk was staged for a follow-on attack.

On December 23, 2015, exactly one year after the NATO affront to Russia by the Ukrainian government, BlackEnergy was unleashed.

Engineers sitting at their desk watched cursors on their computer screens start moving. The ghost in the machine was activated. In horror, they watched as breakers were opened. Adding injury to insult, the engineers were locked out of their own computers, their passwords having been remotely reset.

Backup power was reconfigured to also fail. A denial-of-service attack was launched against the telephone system to prevent communication. And to top it off, ninety minutes later KillDisk launched, extending the length and severity of the attack.

JUST IN: Nikki Haley blames Russia for poisoning ex-spy after White House hesitated to https://t.co/6A1fnuaYo4 pic.twitter.com/o5M8o9IkeD

— The Hill (@thehill) March 14, 2018

This is what a cyberbully looks like as a nation state. Ukraine is more important to the United States than just being a potential NATO ally. They’re important because they are now the eastern front in a digital cold war that is ramping up.

Russia and China are pushing regional control of the internet. Not for the altruistic reason of making the internet safer. For Russia, the sole reason is to erect a new Iron Curtain that protects them from attack. For China, they already have the Great Firewall.

Putin is treating Ukraine as a tune-up fight for the real heavyweight bout down the road. The consequences of failure are small — the risk of retaliation extremely low. I’d say this serves as another wake-up call, but how many times have we heard that about threats? Too many to count.

This problem has landed squarely at the feet of the president and Congress. We need to know where the line is in cyberspace. For one, stop this feckless policy of restrained counter-punching. Our current deterrence posture is a mere annoyance to Russia and China.

The South China Sea and Crimea are their response to our deterrence.

Let the bullies know there is a price to pay for attacking our critical infrastructure, and for stealing our technology. Every now and then, the American public needs to know our country has pushed back in a major way. We don’t have to be told directly. We just need to hear someone, somewhere, is paying a price for attacking the United States.

The problem isn’t that this example is a wake-up call if ever there was one. The problem is that our government keeps hitting the snooze button.

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He’s currently a Senior Fellow at the Center for Digital Government. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.