Did Ukraine power grid hack give Russia an edge?

At an Atlantic Council event Thursday, experts said that a Ukrainian power outage allegedly triggered by Russian hackers may be just a small piece of Moscow's cybersecurity strategy.

An employee speaks on the phone inside a switchboard room of the Trypillian thermal power plant, part of Centrenergo company, in Kiev region, Ukraine, February 11, 2016.

Valentyn Ogirenko/Reuters

April 15, 2016

If Russian hackers did shut down swaths of Ukraine’s power grid last year, as US officials have claimed, it may be just one piece of Moscow's strategy to integrate cyberattacks into future military efforts.

At an Atlantic Council event Thursday, experts said the attack – the first known digital strike that helped trigger widespread outages – represents just one part of Russia's strategy in the Ukraine conflict that has previously included the use of espionage and denial-of-service attacks. The full video of the event is available here

Despite concerns that the Ukraine grid attack, which shut power to 80,000 homes in three separate Ukrainian regions, is a harbinger of more spectacular strikes against critical infrastructure, hackers may not have that ability for some time, say experts.

Iran hacking indictment highlights US naming and shaming strategy

"In the end, 225,000 people lost power for six hours," said Martin Libicki, senior management scientist at the RAND Corporation. "In PEPCO’s heyday, they used to be able to do that without even blinking," referring to a Washington-area power supplier.

The panel’s skepticism about the attack has echoed official assurances about grid resilience against hacks.

On Thursday, Gerry Cauley, president of the North American Electric Reliability Corporation (NERC) – which assures the reliability of US power – testified in the House Transportation Committee that cyberattacks could not alone cause a long-term shutdown of the grid. But some experts think NERC’s plan to protect critical infrastructure exempts many small power distributors connected to the grid, leaving the US grid vulnerable to attack.

"If the goal of the bad guys is to shut down the US, they’re going to try to cut off the power," said Rep. Lou Barletta (R) of Pennsylvania at Thursday's hearing. 

But with Russia and Ukraine both playing down the conflict, experts at Atlantic Council said that another major attack against critical infrastructure is not likely.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

"Until Christmas, there was no attempt to carry out a cyber attack against any piece of the critical infrastructure," said RAND Corporation's Mr. Libicki, adding that there’s "no information at this point that there’s been a cyberattack against military systems."

In fact, most hacks related to the conflict, which began after pro-Russian militants occupied Crimea in February 2014, have been focused on stealing sensitive data, defacing websites, and denying service to Internet users.

Russian spies have reportedly used signals intelligence platforms to gather location data from mobile devices and Wi-Fi networks operated by Ukrainian troops. CyberBerkut, a pro-Russian hacktivist group, has also attempted to breach Ukrainian networks to leak embarrassing data about political figures. 

If Russia did have a hand in the grid hack, which many suspect because of the use of “BlackEnergy” malware connected to a criminal group with ties to Moscow – it may have been to confuse adversaries about its use of hacking tactics.

"I think Russia benefits from [cybersecurity] being foggy and mythic and tries to ensure that it’s foggy and mythic," said Jeffrey Mankoff, a senior fellow at the Center for Strategic and International Studies, adding that the attack on the Ukrainian power grid may have been a signal designed to add to speculation about Russia’s capabilities.

But because many Russian hackers might be attracted to intelligence work or the lucrative criminal underworld, military cyberattacks may not have much of an impact, said RAND’s Libicki. "We may have overestimated a lot of what cyberwar can do."

That means that future cyberattacks in the conflict – and coming from Russia – could fly under the radar. "Lawyers are saying, 'If nobody dies then nobody cares,' " said Kenneth Geers, a nonresident fellow at the Atlantic Council.