A cyber attack on US infrastructure planned in China is expected soon. The most dangerous weapons in the digital arsenal, once controlled by the US, may be in foreign hands.
By Greg Guma
China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing… Its plan is to land blows against civilian infrastructure to try to induce panic.”
- Christopher Wray, FBI Director, April 11, 2024
Twelve years after the massive oil drilling disaster in the Gulf of Mexico, experts still weren’t sure how it happened. But according to a detailed analysis, “Cybersecurity and Offshore Oil: The Next Big Threat,” the cause actually may have been cascading cyberattacks that crippled the operations of the rig and started an explosion.
“If the federal government does not take stronger action to secure the country’s oil rigs a cyberattack on an American oil rig — that cripples its functions and causes fatalities, supply disruption, and millions of dollars of damage — is not only probable, but a near certainty,” the report concluded.
Now we know even more. Chinese government-linked hackers have burrowed into critical US infrastructure and are waiting “for just the right moment to deal a devastating blow,” according to FBI Director Christopher Wray. They have gained access to numerous companies in telecommunications, energy, water and other critical sectors, including dozens of pipelines.
How do they do it? By operating a series of botnets — compromised personal computers and servers around the world — that conceal their malicious activities.
In the immediate aftermath of the 2010 spill, experts and politicians immediately dismissed the possibility of a cyber attack. That simply couldn’t happen, they claimed. But even then there were plenty of clues. Sure, based on the first reports, it could have been a “technical failure,” or the result of human error. But labeling it an “accident,” as news outlets insisted, rather than admitting that it might also have been a premeditated attack, was a clear case of avoiding inconvenient reality. Wishful thinking at its mostly deadly.
More then a decade later, it may be too late to prevent such attacks, or a cyber war that could spell the end of democracy.
There was no doubt, for example, about the May 2021 cyber attack on Colonial Pipeline. The company, which operates the largest gasoline pipeline network in the country, was forced to shut down operations due to ransomware. Its pipelines are crucial for the US eastern seaboard, transporting more than 2 million barrels a day — about 45 percent of fuel used on the East Coast. The attackers — identities still unknown — used a group called DarkSide, which has targeted other companies.
The same thing happened in October 2020 to the UVM Health Network, which runs six hospitals in Vermont and New York. In the midst of the COVID-19 pandemic UVM lost access to scheduling systems and patient information, and was forced to cancel many elective procedures. Ransomware attacks like this are becoming commonplace. According to Christopher Krebs, the former Homeland Security official ousted by former president Trump, “We are on the cusp of a global digital pandemic driven by greed.”
As I explained in a 2010 article, still available on multiple websites, the summer before the 2010 Gulf oil spill Foreign Policy posted an article citing credible research and directly warning oil companies worldwide that their offshore rigs were highly vulnerable to hacking. As Richard Clarke explained in his book Cyber War, “Computer commands can derail a train or cause a gas pipeline to burst.”
In early 2009, I noted, a 28-year-old contractor in California was charged in federal court with almost disabling an offshore rig. Prosecutors said the contractor, who was allegedly angry about not being hired full time, had hacked into the computerized network of an oil rig off the coast, specifically the controls that detected leaks. He caused some damage, but fortunately not a leak.
In January 2010, the Christian Science Monitor reported that at least three US oil companies had been targets of a series of cyber attacks. In these cases, the culprit was most likely a person or group in China. The incidents, kept secret for two years, involved Marathon Oil, ExxonMobil, and ConocoPhillips. The companies didn’t realize how serious their problem was until the FBI alerted them. Federal officials said that proprietary information – email passwords, messages, and information linked to executives – had been flowing out to computers overseas.
The companies wouldn’t comment, or even admit the attacks had happened. But the Monitor persisted, interviewing insiders, officials and cyber attack experts, and ultimately confirmed the story. Their overall conclusion was that cyber-burglars, using new spyware that was almost undetectable, posed a serious and potentially dangerous threat to private industry. An era of cyber warfare had clearly begun. But most people were mesmerized by the allure of social media and the Internet.
As Clarke noted in his book, many nations were already conducting Internet espionage and sometimes even cyber attacks. Several of the most aggressive were China, Russia, and North Korea.* Spying on defense agencies and diplomats was a major focus, but strategically important businesses and other countries were also being targeted. Google claimed that it had found evidence of at least 20 companies that were infiltrated from China. According to a report in the Wall Street Journal, “logic bombs” had been infiltrated into the US electric power grid. They could operate like time bombs.
On oil rigs, the advent of robot-controlled platforms made a cyber attack possible with a PC anywhere in the world. Control of a rig could be accomplished by hacking into the "integrated operations" that link onshore computer networks to offshore ones. But no one would admit that it had already happened, despite confirmation that computer viruses were causing personnel injuries and production losses on North Sea platforms.
The problem was that even though newer oil rigs had cutting-edge robotics technology, the software that controlled their basic functions was still old school. Most relied on supervisory control and data acquisition (SCADA) software, which had been created in an era when "open source" was more important than security,
"It's underappreciated how vulnerable some of these systems are," said Jeff Vail, a former counterterrorism and intelligence analyst with the US Interior Department who talked with Greg Grant, author of the Foreign Policy article. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."
The name of the piece, by the way, was “The New Threat to Oil Supplies – Hackers.” It sounded a lot like “Bin Laden Determined to Strike Inside the US.”
Unusual Suspects
Who would do such a thing? The Right, of course, was quick to blame environmentalists or “eco-warriors,” accusing them either of trying to punish big oil or build pressure for stricter regulations. But there were other, more likely candidates, including extortionists who hoped to blackmail big pocket companies or foreign governments. By 2010, between 20 and 30 countries had cyber attack capabilities. The motives for a government-sponsored attack included a strategic move to change the balance of global oil reserves, or a preemptive strike by a country that felt threatened or had a bone to pick.
Some circumstantial evidence at the time pointed toward North Korea. The Deepwater Horizon oil platform was built and financed by South Korea’s Hyundai Heavy Industries Co. Ltd. Thus, its destruction could hurt both the company and the country’s economy. In July 2009, North Korea was also the main suspect when a series of attacks paralyzed websites of the US and South Korean government. Known as a Distributed Denial-of-Service (DDOS) attack, this one hit on July 4th, targeting computers at the White House, the Pentagon, and the New York Stock Exchange. The websites of the Department of Transportation, the Treasury Department and the Federal Trade Commission were shut down for days.
South Korean targets included the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, Korea Exchange Bank and the country’s top Internet portal. The attacks coincided with North Korea’s anticipated testing of a long-range missile with the potential to hit Hawaii. That missile was never launched, but several scud missiles were fired.
There were other examples of cyber warfare allegedly orchestrated by a state against a rival government. Russia, for example, was implicated in attacks aimed at Georgia and Estonia. A 2007 cyber attack on Estonia crippled its parliament, banks, ministries, phone systems, newspapers and broadcasters. The reason was allegedly a dispute over the relocation of war graves and a Soviet-era grave marker. Russia denied responsibility, but an ethnic Russian Estonian was tried and convicted for being involved.
Dark Realities
The US government’s failure to address private-sector vulnerability to cyber attacks goes back decades and continues to this day. Even the Obama administration hesitated to challenge the status quo. Given the vulnerability of crucial infrastructure and much of the private sector, surprisingly little has been done to prepare for what looks inevitable.
A US Cyber Command was established in 2009, and various branches of the military developed their own offensive capabilities. By 2012, under orders from Obama, and with a budget that had reached $14 billion, intelligence officials produced a list of foreign targets — systems, processes, and infrastructure. Attempts were also made to guard federal infrastructure. But not even the Department of Homeland Security took responsibility for protecting the private sector. According to Janet Napolitano, then DHS Secretary, legal and privacy issues were in the way of having the government monitor the Internet or business operations for evidence of potential cyber attacks. Businesses were wary of any regulation that might accompany government help.
Though cyber attacks certainly happened, many left no obvious trace. As Clarke explained, corporations tended to believe that the “millions of dollars they have spent on computer security systems means they have successfully protected their company’s secrets.” Unfortunately, they were wrong. Intrusion detection and prevention systems sometimes failed.
Nevertheless, no federal agency assumed responsible for defending the banking system, power grids or oil rigs from attacks. The prevailing logic was that businesses should handle their own security. Yet their experts readily admitted that they wouldn’t know what to do if an attack came from another nation, and assumed that defense in such a case was the government’s job.
The US was suffering from “a conspiracy of secrecy about the scale of cyber risk,” James Fallows wrote in a March 2010 article for the Atlantic. Companies simply could not admit how easily they could be infiltrated. As a result, the changes in law, regulation, or habits that might increase safety weren’t often discussed. But sooner or later, Fallows warned, “the cyber equivalent of 9/11 will occur—and, if the real 9/11 is a model, we will understandably, but destructively, overreact.”
A decade after planes hit the Twin Towers and Pentagon, offense had outpaced defense in the cyber arms race, and much of the best talent had gone private. The US remained a major buyer, but India, Brazil, Malaysia, Singapore, North Korea, Iran and Russia were also competing for the best weapons. Middle Eastern intelligence services emerged as the biggest non-US spenders. By 2013, the private market was bringing in $5 billion. And that didn’t include cash flowing freely in the largely criminal underground.
Why was this happening? In part, it was about the money. Although many hackers were obsessed with the thrill of the cyber game and some were motivated by principle — the desire to protect people and their privacy, others just wanted to get rich quick. But beyond that, it was also political: the stark difference between democracy and autocracy. The US doesn’t conscript talented hackers; the Russians, Iranians, North Koreans, and Chinese do. Either serve the state or go to jail.
Eventually, Russia moved ahead of other countries, including the US, in terms of sophistication. According to Nicole Perlroth, in her startling book This Is How They Tell Me the World Ends, Russian hackers infiltrated the Pentagon, White House, Joint Chiefs of Staff, and State Department, among others. In one attack, Russian hackers, posing as Islamic Fundamentalists, took a dozen French TV stations off the air. They were caught dismantling controls at a Saudi petro-chemical company. They manipulated the Brexit referendum, hacked the American grid, and meddled in both the French and US elections. During the same period, they also tested an advanced cyber arsenal in Ukraine.
Soon a group of hackers — identities still unknown — began to steal the American cyber arsenal** of the National Security Agency, and offered these tools and code to any country, terrorist of cybercriminal able to pay. One buyer was Russia. In June 2017, it used them on Ukraine, in what Perlroth describes as “the most destructive and costly cyberattack in world history.” Every screen turned black. People couldn’t get money from ATMs, pay for gas, send or receive email, buy groceries, get paid, or even monitor radiation levels at Chernobyl.
And the attack wasn’t restricted to Ukraine. It also hit any company that did business there, including Pharma giants Pfizer and Merck, the shipping conglomerate Maersk, FedEx, even the Cadbury chocolate factory in Tasmania.
What saved Ukraine, in the end, is precisely what makes the US the most vulnerable nation on earth. It wasn’t fully automated! In other words, its critical infrastructure was not yet “web-enabled.” It also had another advantage — a sense of urgency. After being attacked by Russia for years, it knew that survival depended on cyber vigilance. Thus, when Ukrainians elected a new president in 2019, they voted on paper. No fancy machines. Every ballot was counted manually.
A Digital Pandemic
“They may have stopped short of hacking the final vote tallies” in 2016, Perlroth writes, “but everything they did up to that point, American officials conclude, was a trial run for some future attack on our elections.”
In May 2021, Colonial Pipeline was the target. Eight months earlier, it was the UVM Health Network and other hospital systems. In Vermont and elsewhere, the culprit was a botnet called TrickBot, whose developers were based in Moscow and St. Petersburg, according to a detailed account in Perlroth’s book on cyber warfare. By that September, she documents, TrickBot was selling access to targets in both Europe and the US, including Florida, Georgia courts, and state agencies in Louisiana. In response, the US Cyber Command hacked into TrickBot and tried to neutralize the attacks.
This worked, but only briefly. A week later, TrickBot ransomware was back, and Cyber Command had to strike again. This time the goal was also to send a message: We’re watching you, and if you come after our election, we’ll take you out. A similar warning was issued to Iran. In the following weeks, Microsoft went to federal court on a related matter, accusing cybercriminals of violating copyright law by using its codes for malicious purposes. The objective was to force web hosting providers to take TrickBot offline. It appeared to work.
But wounded animals can be dangerous. In this case, TrickBot’s Russian operators retaliated by attacking US hospital systems, including the UVM Health Network. One by one, in the days leading up to the election, just when hospitals were seeing spikes in coronavirus cases, more than 400 were hit by ransomware. In a private exchange, later captured by a cyber threat researcher, a Russian hacker explained, “We expect panic.”
In response, the FBI and other agencies arranged an emergency call with administrators in the targeted hospitals, explaining what was happening and how to handle it. But the damage was done. The attacks interrupted treatments, reduced staffs to pen and paper, and diverted resources. And it was also part of a larger strategy, what was eventually labeled a “perception hack.” The idea is that multiple smaller attacks can be amplified and ultimately become evidence to support the idea that the election itself was unsound — “rigged.” On Election Day, there were some snags, like the suspicious water main break in Georgia that delayed vote counting in Atlanta. But larger attacks didn’t materialize.
Some experts and researchers claim that the coordinated US response, by government and the private sector, created an effective deterrent. Evidence for this view includes a statement by President Putin, issued just before the US election, calling for cyber “reset.” But others suggest a less optimistic reason there wasn’t more interference: Putin decided the job was done. Russian trolls no longer needed to stir up discord and chaos. Now, led by Trump, there were lots of elected officials and millions of citizens ready and willing to help. So, mission accomplished.
The attack cost Vermont’s hospital between $40 million and $50 million, mostly in lost revenue. Apparently no ransom was paid. Yet almost a year later Doug Gentile, senior VP of network information technology at the medical center, mistated the case. “There was no specific ransom note,” he said, “no specific dollar amount or anything like that, it was just: ‘here’s how you contact us.’” Yet he also claimed, “The motive here was clearly money, nothing else.” Based on his account, however, and especially on what has been revealed since October 2020, this doesn’t make sense.
While alarm about the implications of the attempted coup on January 6, 2021 is certainly warranted, most Americans, as well as their elected representatives, still haven’t noticed the handwriting on the wall. The most dangerous cyber-weapons, once controlled by the US, are now in foreign hands. There are hackers inside our hospitals and the power grid. They probe computer networks millions of times a day, and make this so-called superpower extremely vulnerable to a Cyber Pearl Harbor.
Two decades after 9/11, it’s far easier to sabotage the software of a fighter jet — or a passenger flight — than physically take the controls and crash it into a building. The warnings began years ago. Even now too few are listening.
* Those who feel I am unfairly accusing these nations would do well to conduct some serious research. China and Russia have been advanced players for at least four decades, later joined by DPRK. Among experts in this field, as distinct from ideologues, there is no dispute. Nicole Perlroth’s 2021 book, This Is How They Tell Me the World Ends: The Cyber-Weapons Arms Race, provides a definitive, well-documented history.
** The US government was among the first to develop cyber weapons. As Fred Kaplan noted in his riveting book Dark Territory: The Secret History of Cyber War, at least twenty nations were already in the game before 2016. At that point the focus turned to Russia's "hybrid warfare," the weaponizing of hacked documents to influence the presidential race. But information war began much earlier, including the US-NATO campaign against Serbian president Slobodan Milosevic. The first major cyber attack, a US-Israeli operation called Olympic Games, was directed at Iran's nuclear program. Later known as Stuxnet, it involved a cyber worm that destroyed a quarter of Iran's centrifuges and set back its nuclear program by several years. The trouble with waging cyber war, warned Kaplan, is that "what we can do to them, they can someday do to us." It's a type of blowback, and did eventually happen. In an afterword written after the 2016 election, he pointed beyond the Russia-Trump operation to the next threat -- denial-of-service attacks executed by thousands of household devices. "There are now about 10 billion Iot (Internet of Things) devices in the world," Kaplan concluded. "Some estimate that, by 2020, there will be 50 billion. That's a lot of bots to be enslaved for a cyber war."
