New clues show how Russia’s grid hackers aimed for physical destruction

Transmission lines.

Enlarge (credit: Joshua Lott/Bloomberg via Getty Images)

For nearly three years, the December 2016 cyberattack on the Ukrainian power grid has presented a menacing puzzle. Two days before Christmas that year, Russian hackers planted a unique specimen of malware in the network of Ukraine's national grid operator, Ukrenergo. Just before midnight, they used it to open every circuit breaker in a transmission station north of Kyiv. The result was one of the most dramatic attacks in Russia's years-long cyberwar against its western neighbor, an unprecedented, automated blackout across a broad swath of Ukraine's capital.

But an hour later, Ukrenergo's operators were able to simply switch the power back on again. Which raised the question: Why would Russia's hackers build a sophisticated cyberweapon and plant it in the heart of a nation's power grid only to trigger a one-hour blackout?

A new theory offers a potential answer. Researchers at the industrial-control system cybersecurity firm Dragos have reconstructed a timeline of the 2016 blackout attack [PDF] based on a reexamination of the malware’s code and network logs pulled from Ukrenergo’s systems. They say that hackers intended not merely to cause a short-lived disruption of the Ukrainian grid but to inflict lasting damage that could have led to power outages for weeks or even months. That distinction would make the blackout malware one of only three pieces of code ever spotted in the wild aimed at not just disrupting physical equipment but destroying it, as Stuxnet did in Iran in 2009 and 2010 and as the malware Triton was designed to do in a Saudi Arabian oil refinery in 2017.

Read 12 remaining paragraphs | Comments

Obama reportedly ordered implants to be deployed in key Russian networks

Enlarge (credit: Wikimedia Commons/Maria Joner)

In his final days as the 44th president of the United States, Barack Obama authorized a covert hacking operation to implant attack code in sensitive Russian networks. The revelation came in an 8,000-word article The Washington Post published Friday that recounted a secret struggle to punish the Kremlin for tampering with the 2016 election.

According to Friday's article, the move came some four months after a top-secret Central Intelligence Agency report detailed Russian President Vladimir Putin's direct involvement in a hacking campaign aimed at disrupting or discrediting the presidential race. Friday's report also said that intelligence captured Putin's specific objective that the operation defeat or at least damage Democratic candidate Hillary Clinton and help her Republican rival Donald Trump. The Washington Post said its reports were based on accounts provided by more than three dozen current and former US officials in senior positions in government, most of whom spoke on the condition of anonymity.

In the months that followed the August CIA report, 17 intelligence agencies confirmed with high confidence the Russian interference. After months of discussions with various advisors, Obama enacted a series of responses, including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and expelling 35 Russian diplomats from the US. All of those measures have been known for months. The Post, citing unnamed US officials, said Obama also authorized a covert hacking program that involved the National Security Agency, the CIA, and the US Cyber Command. According to Friday's report:

Read 1 remaining paragraphs | Comments

E-mails phished from Russian critic were “tainted” before being leaked

Enlarge / This fraudulent e-mail was sent in a successful attempt to phish the Gmail password for reporter David Satter. (credit: Citizen Lab)

E-mails stolen in a phishing attack on a prominent critic of Russian President Vladimir Putin were manipulated before being published on the Internet. That's according to a report published Thursday, which also asserts that the e-mails were manipulated in order to discredit a steady stream of unfavorable articles.

The phishing attack on journalist David Satter's Gmail account was strikingly similar to the one that hit Hillary Clinton presidential campaign chairman John Podesta last year. The attack on Satter looked almost identical to the security warnings Google sends when attackers obtain a subscriber's password. Code embedded inside led Satter to a credential-harvesting site that was disguised to look like Google's password-reset page. With that, the site automatically downloaded all of Satter's private correspondence.

Thursday's report from the University of Toronto's Citizen Lab stopped short of saying Russia's government was behind the phishing attack and subsequent manipulation of Satter's e-mail. US intelligence officials, however, have determined that Russia was behind the attacks on Podesta and other Democratic officials. Thursday's report also said the same attack on Satter targeted 218 other individuals, including a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, and CEOs of energy companies.

Read 4 remaining paragraphs | Comments

Trump confirms he shared classified intel with Russia’s foreign minister

Enlarge / WASHINGTON, DC - MAY 15: National Security Adviser Army Lt. Gen. H.R. McMaster preparing to make a statement to reporters on May 15 regarding President Trump's sharing of intelligence with Russian officials. (credit: Photo by Jabin Botsford/The Washington Post via Getty Images)

In an Oval Office meeting the day after firing FBI Director James Comey, President Donald Trump shared intelligence provided by an allied nation's sources on an Islamic State plot to bring down passenger airplanes with laptop computers turned into bombs. The intelligence, which was apparently the cause for the US extending a ban on laptops to include flights from Europe earlier this month, had been highly classified because of the sensitivity of its source.

Statements from President Trump on Twitter and from White House National Security Advisor Lt. Gen. H.R. McMaster essentially confirmed these details initially reported by the Washington Post late on Monday. McMaster said that no sources or methods were exposed in the conversation. However, the unnamed officials cited in the Post report were concerned that Trump's citing of the exact location "in the Islamic State’s territory where the U.S. intelligence partner detected the threat" could expose the source. And the sharing of the classified information with Russia's foreign minister and ambassador to the United States was within Trump's purview, as the president holds the ultimate authority over classification of sensitive data and can de-classify information at will. Tuesday morning, Trump tweeted:

Trump also lashed out at the intelligence community for leaking about his actions:

Read 4 remaining paragraphs | Comments