Fuel storage tanks connected to the Colonial Pipeline system, which was the target of a ransomware attack last year.
Samuel Corum/Bloomberg
Amid the most dangerous geopolitical period in decades, President Joe Biden warned U.S. business executives this past week about the threat of Russian cyberattacks, pleading with them to do more to prepare. To understand why the White House is so anxious about the Russian cyber threat, it’s important to revisit a 2017 hacking incident that never got enough attention.
NotPetya, as it was known, was malware used by Russian military hackers to attack Ukraine, but its impact went far beyond the intended target. The malware was uploaded as an update to commonly used Ukrainian tax-preparation software and spread rapidly from there. The U.S. estimated damages of some $10 billion to multinational companies. In 2019, FedEx CEO Fred Smith called NotPetya “the largest single attack by a state-sponsored entity in the history of the world.” And it could happen again.
Biden’s latest warning of “evolving intelligence” around Russian cyberattacks underlines the immense risks to an economy dominated by digital systems. Think of our digital economy as a building with 30 billion doors, many with flimsy locks, or none at all.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has warned that Russian state-sponsored actors have targeted industries ranging from energy and healthcare to banking and critical manufacturing, along with governments and election organizations. They see risks to underwater cables, satellite communications systems, and industrial controls. Unfortunately, there are precedents, including last year’s Colonial Pipeline ransomware attack, the 2020 SolarWinds software supply-chain incident, and the 2016 hack of the Democratic National Committee.
While no such attacks have surfaced since the start of the Ukraine war, U.S. officials see evidence Russian actors are scanning American networks, hunting for vulnerabilities. Because the private sector controls the vast majority of U.S. infrastructure—the power grid, communications services, pipelines, water systems, and hospitals—defending against digital armageddon depends on the thousands of companies that drive the U.S. economy.
This past week, I reached out to executives at leading cybersecurity companies and asked them to assess the threat. Here’s what they said:
The lack of meaningful attacks so far doesn’t mean much. Ukraine’s surprising defense capabilities and unified sanctions from the West could push Russia to get more aggressive from a cyber perspective. Tom Glocer, executive chairman of the venture-backed cybersecurity firm BlueVoyant, says it would be an error to conclude that Russia’s cyber expertise was overrated. “We have not seen what they are capable of yet,” he says. “It means our clients need to be on guard.”
Some economic sectors are better prepared than others. John Hultquist, vice president of intelligence analysis at the cyber breach response firm Mandiant (ticker: MNDT), now being acquired by Alphabet (GOOGL) for $5.4 billion, says that the financial-services and oil and gas sectors are “the most mature security players in the game,” and the earliest adopters of advanced security practices. They are “thinking about Russian threats all the time,” he says, noting that prior attacks have amounted to a multiyear ongoing test of corporate security systems.
Attacks don’t have to be sophisticated to be effective. Russian actors “rely on fairly mundane techniques and tactics,” says Nicholas Warner, chief operating officer at SentinelOne (S), a cyber threat detection company. It’s all the more reason to engage in “basic hygiene,” he says, like training employees to report unusual network behavior and patching software. “Commercial software has known vulnerabilities. Malware actors know this. Doing these things greatly reduces the threats.”
Michael Sentonas, chief technology officer at CrowdStrike Holdings (CRWD), says the widespread advice to patch vulnerable software is often easier said than done. “It’s a huge problem. We see this constantly, where there are vulnerabilities that have had a patch available for months and haven’t been fixed. Sometimes there are worries that a patch will break a machine. And it’s never just one patch.” More than 60% of the time, Sentonas says, attacks don’t involve malware—hackers can use stolen credentials or other simple ways to enter weakly protected networks.
There are risks of real-world effects. BlueVoyant’s Glocer notes that some infrastructure—like water purification and power plants—has older technology that wasn’t originally designed with network connectivity in mind. He sees risks that Russia goes after embedded systems in industrial equipment—and points to the Stuxnet attack on Iran’s nuclear program as a demonstration of what’s possible. “You can do physical damage in the real world,” he says. “If you can shut down the power grid, you can have maximum impact on the people in a given area.”
Russian hackers won’t trigger World War III. Nick Biasini, head of outreach at Cisco Talos, Cisco’s (CSCO) threat intelligence arm, says Russia will seek to “cause pain in chaos,” but in a way they can ease off quickly.
“Nobody should panic,” adds Mandiant’s Hultquist. Most of the potential attacks are “nonviolent and reversible,” he says, “which is why they’re on the table.” He thinks the Russians are looking for ways to respond to sanctions that don’t trigger “kinetic” retribution involving real-world weaponry.
In the current climate, that might actually be reason for optimism.
Write to Eric J. Savitz at eric.savitz@barrons.com