Hacker Bear

On March 16, 2018, a Kremlin troll persona called Kanisha Jackson posted this to her Twitter account:

Russia has successfully launched a cyberattack on our nuclear power grid, has compromised the grid, and can shut it down at will. And we have a "president" who still hasn't imposed sanctions on Russia!

“Kanisha” was playing the part of a progressive American, and she had a large following of actual progressive Americans. Trolls in that category do what they can to get people on the left worked up in order to fan the flames of discord, and one way to do that in March of 2018 was to play on their fears about Trump’s relationship with Russia.

This tweet seems to have done a nice job of that, having gotten 254 “likes” and 148 retweets out of the troll’s followers, but it also had a secondary objective: to make Russia look more powerful than it is.

What really happened

Russian hackers poked around in the systems of various entities in the aviation and energy sectors, as they often do. CISA (Cybersecurity and Infrastructure Security Agency) issued an alert, as it often does, explaining everything that the hackers did in mind-numbingly technical detail. It also described exactly how the hackers did what they did, as well as the steps they took to cover their tracks (obviously without much success).

The report includes names of files, lines of code, and variations in technique for different operating systems. It details what was new about the hack as well as methods that this group had used previously, and it supplies instructions for cybersecurity people to address the problem within their organizations’ systems and to protect against it in the future. It ends with a lecture on good cyber hygiene.

In other words, while nuclear facilities were among the target groups, hackers did not ever have the ability to shut down a plant. And there is no such thing as a nuclear power grid. That was just “Kanisha” not being especially familiar with the English word grid.


Is it time to panic yet?

In his 2019 book Sandworm, about one of Russian hackers’ biggest successes, Andy Greenberg commented on the hack that the troll tweet and the CISA alert were referring to, striking a somewhat alarmist tone (see Chapter 33). Greenberg wanted us to understand that this type of thing is a real threat, as Russia is the only country to date that would, could, and has used hacking to cut the power to a large portion of a foreign country. That country was Ukraine, and some 225,000 people there experienced a blackout in December of 2015.

But then, the difference between causing a blackout in Ukraine and shutting down the totality of American nuclear power is vast, like the difference between walking to the store and climbing Mount Everest. Not only are the basic tasks not in the same category of difficulty, but Ukraine is Russia’s next-door neighbor, both geographically and culturally. That makes Ukraine easier for Russians to spy on and infiltrate. The Ukrainian language is also closely related to Russian, making it simpler for hackers to do things like navigating a network and understanding a cache of stolen emails.

Material disruption

Much of Greenberg’s alarm seems to have come from a conversation he had had with someone who worked for the anti-virus company Symantec, but the company’s report on the topic had a more measured tone. It concluded that the hacker group “is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems. What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so.” The report was careful to note that Symantec customers were protected against the hackers’ activities.

The troll, Kanisha, tweeted that the Russians had compromised the “nuclear power grid” and could “shut it down at will.” That’s not what “materially disrupting targeted organizations” means.

Of course, material disruption is nothing to sneeze at, which is why ransomware attacks are so popular. In this type of cyberattack, an intruder gets control of an organization’s systems and/or data and holds them hostage, hoping to receive a ransom payment. For instance, in October of 2020 a group of Russian hackers attacked the systems of several American hospitals. Only one of the hospitals said it got a ransom demand, but the attacks resulted in delays in patient care, headaches all around, and significant financial costs. On the other hand, those hospitals probably won’t be skimping on IT security and infrastructure any time soon, so there is a silver lining.

The bummer for Putin is that his cyber soldiers reveal their methods every time they attack, so these frequent intrusions require them to continuously change up their methods. Either that or they have to stick to harvesting low-hanging fruit like, say, an email about the menu for a lunchtime meeting or an Excel file with a name like Copy of Copy of Copy of Book1.

Imagine that you’re standing on the edge of a field staring at haystacks. Each one is taller than you are. They are separated from each other by paths just wide enough for a person to get through, and the field of haystacks stretches to the left and the right and straight ahead all the way to the horizon. Somewhere in one of those haystacks there may or may not be a small golden object of unknown nature, and it is your job to find it … should it exist. Oh, and your boss is standing behind you with a Kalashnikov.

Remember how Symantec wondered what the Kremlin was going to do with “all this intelligence” collected by the hackers? Just picture the haystack scenario, and you’ll have some idea of what it’s like to be a Kremlin office worker wondering the same thing as Symantec.

Did someone say sanctions?

In October of 2020, six members of the GRU (Russian military intelligence) – from Military Unit 74455, to be precise – were indicted by the U.S. Department of Justice on charges of destructive hacking. The indictment listed not only an incident that occurred in the Western District of Pennsylvania, where the indictment was filed, but crimes committed all over the world, including those that had targeted Ukraine’s power grid.

These individuals will never be tried for their crimes, unless they are imprudent enough to set foot in the U.S., but that isn’t the purpose of the indictment. It is part of western nations’ broader name-and-shame strategy. The indictment includes the names of the agents, the address of their office in Moscow, and an exhibit showing yearbook quality photos of the agents. It also details what the hackers did and how they did it.

This approach has two major benefits. For one, it demoralizes the perpetrators by revealing that their identities, activities, and methods are known, forcing them to constantly be looking over their shoulders. Just as importantly, making the details public provides documentary proof of what was done, so no one has to take the government’s word for anything, which makes it harder to successfully mount a disinformation campaign on the topic.

“Kanisha” complained that the Trump administration hadn’t imposed sanctions on Russia. But in reality, on March 15, 2018 – the same day that the CISA alert was issued and the day before the tweet – the Treasury Department did impose sanctions [U.S. Treasury Department, Office of Foreign Assets Control, “Changes to the Specially Designated Nationals and Blocked Persons List Since January 1, 2018” p.41]. It added twenty-two more Russian people and organizations to the sanctions list that was started under the Obama administration when Russia annexed the Ukrainian territory of Crimea.

So, the troll lied to her followers, and Russian hackers have been clumsily infiltrating American computer networks like there’s no tomorrow. Perhaps the Kremlin’s primary objective is simply to put us on edge.

Energetic bear

“Energetic Bear” is one of many nicknames for the hacker group responsible for the March 2018 infrastructure attacks. If Kanisha’s tweet is anything to go by, the troll farm has, in turn, been busy supporting Energetic Bear by overstating its capabilities, making it seem scarier than it is.

CyberCom seems to have noticed this pattern. If you think of CISA as our cyber defense organization, then CyberCom would be our cyber offense. It is notable, for instance, for having cut off internet access to the Kremlin troll farm during our 2018 midterm elections.

More recently, CyberCom agents went on the attack against Energetic Bear, and they used a tool that has proved particularly effective against dictatorships: humor. They published a cartoon of a bear in Russian military clothing spilling its pail of Halloween candy, each piece labeled with the name of a piece of Russian hacker malware. Adding irony to insult, they posted it on Twitter, one of the troll farm’s favorite stomping grounds.