DNI: Russians Hacked U.S. Industrial Control Nets

Moscow setting up cyber command, warfare units

September 16, 2015

Russian hackers penetrated U.S. industrial control networks that run critical infrastructures like the electrical grid, according to Director of National Intelligence James Clapper.

Clapper, in little-noticed testimony before Congress last week, also disclosed that Moscow has formed a cyber military command and a special hacker unit as part of preparations for future cyber warfare.

In addition to Russia, the intelligence chief singled out China, Iran, and North Korea as the primary nation states capable of conducting sophisticated cyber attacks and espionage.

"Politically motivated cyber attacks are now a growing reality, and foreign actors are reconnoitering and developing access to U.S. critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile," Clapper said in prepared remarks for the House Permanent Select Committee on Intelligence.

The testimony on Sept. 10 represents a break from past public testimony on cyber threats. Previous intelligence statements and testimony limited public mention of explicit links between nations and their cyber strikes.

Clapper revealed that Russian cyber warfare specialists are developing the capability to remotely access industrial control systems used in managing critical infrastructure.

"Unknown Russian actors successfully compromised the product supply chains of at least three [industrial control system] vendors so that customers downloaded malicious software designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates…," Clapper stated.

The Washington Free Beacon first reported in October 2014 that Russian hackers had penetrated industrial control networks for water and energy systems.

The hacking was disclosed in a Department of Homeland Security alert to industry.

The Russian link to the network penetrations involved the use of malware known as "BlackEnergy," which security researchers traced to a Russian government cyber attack operation called "Sandworm."

Russia’s defense ministry is setting up a cyber command that will conduct offensive cyber activities. The military cyber operations include propaganda operations and planting malware into enemy command and control systems. The Russian military is also creating a specialized branch for computer network operations.

Clapper said the command is similar to the U.S. Cyber Command.

Asked whether the Chinese have a similar cyber command, Clapper said during a committee hearing that he did not believe the People’s Liberation Army has a similar cyber command. But he noted that "the Chinese, as you know, have very capable structure and apparatus in their current PLA staff structure."

Rep. Mike Pompeo (R., Kan.), a member of the intelligence committee, said critical infrastructure networks are vulnerable to Russian cyber attacks.

"The risk from penetration of these critical industrial systems by Russian actors is very real and very serious," Pompeo said. "The same country that invaded Ukraine and is now putting tanks in Syria is conducting reconnaissance of U.S. industrial infrastructure. We must do more to stop Putin’s aggression."

Clapper concluded the prepared testimony by stating that "cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of impact. The ranges of cyber threat actors, methods of attack, targeted systems, and victims are also expanding."

A large number of cyber actors "remain undeterred from conducting economic cyber espionage or perpetrating cyber attacks," he said.

Clapper also noted that the motivation for cyber attacks and cyber espionage "will probably remain strong because of the relative ease of these operations and the gains they bring to the perpetrators."

"The muted response by most victims to cyber attacks has created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation," Clapper said.

The comment reflects a recent classified intelligence estimate that, according to U.S. officials, concluded cyber attacks are likely to continue unless the government responds to them more forcefully.

Recent major attacks have targeted the Office of Personnel Management system and involved the theft of sensitive records on some 22 million federal workers.

The financial company JPMorgan Chase also was hit with denial-of-service cyber attacks. The company is spending more than $250 million to bolster security.

Hackers from China also breached the networks of the U.S. company Community Health Systems and obtained records on 4.5 million people.

Russia falls into one of four categories of cyber threat actors identified by Clapper in the testimony: "highly sophisticated" hackers like those in Russia and China, less technically capable states like Iran and North Korea, cyber criminals, and ideologically motivated hackers and terrorists.

Individual hackers often belong to more than one of these categories, which makes it difficult to trace the origin of digital network attacks.

Chinese cyber espionage continues to pursue a broad spectrum of targets, including national security information, sensitive economic data, and intellectual property, Clapper said.

"Although China is an advanced cyber actor in terms of capabilities, Chinese hackers are often able to gain access to their targets without having to resort to using advanced capabilities," he said.

Iranian hackers were linked to denial-of-service attacks against U.S. financial institutions between 2012 and 2013, as well as a cyber attack on the Las Vegas Sands casino.

The Iranians also were linked to cyber attacks in December 2014 targeting computers involved in U.S. military, transportation, public utility, and other critical infrastructures.

Tehran’s hackers regard cyber attacks as "one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence," Clapper said.

North Korea’s hacking has been used to achieve political objectives. A November 2014 cyber attack on Sony Pictures Entertainment that involved theft of corporate data and hard-drive-erasing malware was said to have been motivated by the company’s planned release of The Interview, a film depicting the assassination of President Kim Jong-un.

Asked about the Russian cyber capabilities, Rep. Devin Nunes (R., Calif.), the chairman of the House Intelligence Committee, said it is no secret that various nations and non-state hackers want effective cyber weapons.

"While I can’t comment on specific threats, I can tell you that the threat is growing every day and the United States is wholly unprepared for it," Nunes said.

"The cyber bill passed by the House is a big step forward, and the Senate should act on it."

The Cybersecurity Information Sharing Act has passed the House and is awaiting Senate action.

In the non-state cyber arena, cyber criminals are reaping cash from attacks on online markets and retail stores.

"The most significant financial cyber criminal threats to U.S. entities and our international partners can be attributed to a relatively small subset of actors, facilitators, infrastructure, and criminal forums," Clapper said.

Clapper downplayed the threat from hacking by terrorist groups compared with other kinds of cyber threats.

"Terrorist sympathizers will probably conduct low-level cyber attacks on behalf of terrorist groups and attract attention of the media, which might exaggerate the capabilities and threat posed by these actors," Clapper said.

The Islamic State terrorist group has been conducting strategic social media campaigns to spread propaganda and recruit members since last summer.

A new trend for cyber threats is a possible future shift from theft and denial-of-information attacks to cyber operations designed to fool or mislead government and private-sector decision makers.

"In the future, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it," Clapper said.

Foreign spies also are leveraging the Internet in an effort to identify the intelligence agents of other nations.

"Foreign intelligence agencies could target the individual, family members, coworkers, and neighbors using a variety of physical and electronic methods," Clapper said.

A "great concern" is that Chinese intelligence will exploit the masses of data taken from the Office of Personnel Management and from other large-scale data thefts to learn the identities of intelligence officers working abroad, he said.