A leaked US intelligence assessment includes a stark reminder of the threat hackers can pose to critical infrastructure.
The assessment, which focuses primarily on Ukraine’s military effort against Russian forces and is believed by a senior US official to be authentic, includes a warning that Russian hacktivists broke into a Canadian gas infrastructure company earlier this year and were taking instructions from Russian intelligence.
That access could provide a way to cause significant damage and possibly an explosion, the assessment notes. Such an attack is considered extremely difficult to carry out, but it remains one of the intelligence community’s worst fears. And while such major attacks have yet to be found, experts say they are an ever-present threat.
“This is not the first time someone has gained access to critical infrastructure,” said John Hultquist, the vice president of threat intelligence at Google-owned cybersecurity firm Mandiant. “It happens constantly. Russian intelligence services do it all the time.”
The hacktivists, a Russian-speaking group called Zarya, broke into the computer network of an unidentified Canadian gas distribution facility in February and sent the Russian intelligence agency FSB screenshots of what it claimed were controls “to increase valve pressure, disable alarms and initiate an emergency operation [that] would cause an explosion,” says the US assessment.
NBC News has not verified that claim, and it is unclear which company was involved. The official also said that some of the documents may have been altered before they were posted online, although this part of the assessment shows no obvious signs of alteration.
“If Zarya is successful, it would be the first time IC has observed a pro-Russia hacking group execute a disruptive attack against Western industrial control systems,” the assessment reads, using an intelligence community abbreviation.
No such disaster appears to have occurred. But the assessment illustrates how much the US worries about destructive attacks on Western energy infrastructure, and how Russian intelligence can rely on domestic criminal hackers to work on its behalf.
The assessment, marked Top Secret, comes from a cache of more than 50 pages of classified documents that have appeared online in recent days after languishing in dark corners of the Internet. US officials have declined to comment on the authenticity of specific documents, but one official told NBC News that they appear real. It is unclear who originally leaked the documents or why.
The assessment’s claim about Zarya was first reported by journalist Kim Zetter. A spokesman for the Russian embassy in Washington did not immediately respond to a request for comment.
In general, the US views espionage hacking as a routine tactic used by all sides, while cyberattacks that cause physical destruction are seen as a dramatic escalation.
“I think the big issue here is whether or not they decide to take advantage of that access for some kind of disruptive or destructive attack,” Hultquist said.
The Canadian Center for Cyber Security declined to address the specific claim in the US assessment. But an agency spokesperson said it is concerned about hackers gaining access to critical infrastructure.
“We remain deeply concerned about this threat and urge owners and operators of critical infrastructure to contact us so we can work together to protect their systems,” the spokesperson said.
Lesley Carhart, who leads North American incident response for Dragos, a company that specializes in cybersecurity for industrial systems, said they found it credible that a group of hacktivists like Zarya could have gained access to a gas distributor, but it would have taken a lot more effort to cause an explosion.
“A process like that has redundancy. Human controls. Physical and digital security controls. It’s designed not to explode even if someone makes a mistake,” Carhart wrote in a text message.
Zarya is one of several pro-Russian hacker groups that frequently harass targets linked to NATO and to Ukraine’s allies. While they often knock websites offline for short periods, they have rarely shown the ability to cause serious damage.
There are about 20 such groups, most of which have emerged in the past two years, since Russia invaded Ukraine, said Sergey Shykevich, who tracks threat intelligence for Israeli cybersecurity firm Check Point Software.
Zarya recounts its exploits on its Telegram channel, where it mainly brags about taking sites offline. Its posts make no mention of an attack on Canadian energy infrastructure, and the group has explicitly stated that it is not affiliated with the Russian government.
Chris Painter, the State Department’s cyber ambassador in the Obama administration and the chair of the board of directors of the Global Forum on Cyber Expertise, an international group of cybersecurity experts, said Russian intelligence often relies on the country’s large pool of domestic cybercriminals to achieve its goals.
“It’s one of the tools in your toolkit to use these proxies, because in a sense, it evades direct responsibility,” Painter said. “They can always say, ‘Well, it wasn’t us. It was a criminal group.’”