‘Not the time to go poking around’: How former U.S. hackers view dealing with Russia

“There’s gradations before you get to disrupting critical infrastructure,” said Michael Daniel, who was the National Security Council’s cybersecurity coordinator during the Obama administration.

The U.S. also would most likely avoid going after civilian targets such as Russian citizens’ electricity, even in response to Russian cyberattacks on the United States or NATO. Instead, any U.S. action would be gradual, proportional and aimed at warning Russia to stop, said Robert M. Lee, who worked in cyber warfare operations with the National Security Agency until 2015.

“Are they going to take down the power grid [in Moscow]? No,” said Lee, who is now CEO of the cybersecurity firm Dragos. He added: “You’re [just] trying to shape behavior and signal, ‘Hey we see you, and we’re willing to escalate this. Please don’t punch back or we’ll go to the next phase.’”

At the moment, U.S. government hackers are probably avoiding taking any actions that Putin’s government could interpret as an escalation that would trigger a reprisal, Lee and two other former hackers said in interviews. Espionage will continue as usual, but burrowing deeper into critical infrastructure or going after new systems not already compromised would be discouraged.

For the same reason, they said, the U.S. would probably not assist Ukraine’s defense by launching offensive cyberattacks against Russia’s military or government to avoid being pulled into the conflict.

In interviews with POLITICO, Lee, two other former U.S. government hackers involved in cyber operations against foreign networks, and a former intelligence official who was involved in discussions about such operations, described the complications of wielding Washington’s formidable hacking arsenal. These include tools that intelligence agencies have implanted in foreign networks for espionage purposes, but which also could be repurposed to cripple a power plant serving a military installation, halt gas in a pipeline or cause a communication blackout for Russian command centers.

For decades, Russia was not a top hacking priority for the U.S., taking a backseat to countries such as Iran and China, three of the experts said. But that changed after Putin’s own hackers tried to interfere in the 2016 election, and the U.S. is deeply embedded in Russian infrastructure today.

The former government hackers and intelligence official, along with one former national security official, also discussed with POLITICO the extensive effort required to get into other countries’ core systems — and the challenges of maintaining that secret access for years. And they described the difficulties a standoff with Putin brings, including the calculus of deciding when to launch destructive cyberattacks against an adversary that can respond in kind.

The U.S. has plenty of offensive hacking capability to “do the things that we would need to do, to have the effects that we want to have,” said the former U.S. intelligence official. But he expressed less certainty about how deeply Russia is embedded in American infrastructure, which could limit what the U.S. is willing to do.

“Can they turn around and do it back to us? Can someone make some reasonable assertion that they can’t?” said the former official, who asked to remain anonymous because he is not authorized to speak on such matters. “If people can’t say that, then it gets very hard to summon, I think, the political will to execute [an] attack.”

It’s a conversation that senior U.S. leaders typically don’t like to conduct in public — details about America’s cyber capabilities and calculations about using them have long been closely held secrets.

The U.S. can only hope that Putin’s regime is exercising similar restraint, because a cyber conflict carries unpredictable dangers and could do lasting harm to both sides, Daniel said.

“For as much damage as the [Western] sanctions are doing or might do to [Russia’s] economy, they are reversible,” he said. “The West can choose to turn them off. [But] you can’t un-destruct something.”

One huge caveat: If Putin gets to the point where he feels Russia has nothing left to lose, then he is more likely to order destructive attacks against the United States. “But I don’t think we’re all the way there yet,” Daniel said.

Going on the offensive

Two intelligence agencies and one military command are the main arms of the U.S. government responsible for compromising foreign networks.

The National Security Agency and Central Intelligence Agency both have sophisticated hacking divisions with individual teams focused on specific countries or regions to collect intelligence. U.S. Cyber Command, launched in 2010 as part of the Defense Department, hacks networks for offensive operations related to battle, not intelligence collection. It also recently disrupted ransomware groups targeting the U.S.

The three entities operate under different legal authorities, generally limiting what each can do. But there’s some overlap: In past years, if an NSA or CIA team needed to destroy or disrupt a system, it could get authorization from the White House, or a Cyber Command warrior could be tasked to work with them.

But in 2018, the leeway for the CIA to conduct such attacks expanded when then-President Donald Trump signed a secret finding that eliminated the need for the spy agency to get White House approval. Instead, the CIA could now give the go-ahead for cyberattacks against Russia, China, Iran and North Korea. This also potentially expanded the types of operations the CIA could conduct on its own authority, opening the door to attacks on banks and other financial institutions that previously had been off-limits for U.S. hackers, along with hack-and-leak operations similar to what Russia did with the Democratic National Committee in 2016.

The focus on Russia as a top priority for U.S. cyber intelligence efforts is a relatively recent phenomenon.

After the terrorist attacks on Sept. 11, 2001, intelligence agencies diverted resources and personnel to focus on counterterrorism — and later on Iran and China, three of the experts told POLITICO. That remained the case for nearly 15 years. “I wouldn’t say Russia was a backwater, but it certainly wasn’t heavily prioritized,” said the former intelligence official who asked to remain anonymous.

Another of the sources that spoke to POLITICO, a former NSA intelligence analyst, confirmed that the NSA’s Russia teams — which included hackers, analysts who help determine targets and assess intelligence, and mission leaders — lost a lot of their resources and people after 2001.

But the remaining people became more focused and disciplined as a result, the analyst said, and were no less effective. Unlike other teams, the ones focused on Russia had their own experts with special language and technical skills to help them understand the networks they targeted.

“The analysts who worked on the Russian targets spoke Russian,” he said. “There were very few people in other groups who knew the national anthem of their target country, but all of the Russian team did.”

Russian targets were harder to compromise and maintain than systems in many other countries, however.

“Iran’s probably, from a technical perspective, [one of] the most compromised countries on earth,” said the former intelligence official. “There is nary a network inside that country that doesn’t have an implant from the U.S. or some other country’s intelligence service sitting in it.”

Russia is more challenging, both because of the size of the country and the number of networks worth targeting, and because of Russia’s own hacking and counterintelligence skills. Despite this, Lee said that “there’s not a world that exists where we are not deeply embedded in much of the Russian key infrastructure. I don’t mean like power grid infrastructure. I just mean infrastructure, whether it be intelligence infrastructure or other. That should be pretty obvious with the extraordinary [information] we’ve been declassifying recently.”

The hardest part often isn’t gaining access to a system but maintaining it clandestinely, for months or years.

“It is the thing that separates the most sophisticated cyber operators on the planet from the lesser ones,” the former intelligence official said.

A software patch or an upgrade to a new operating system can close a door to intruders. So NSA and CIA hackers will seek deeper access, such as planting spy tools below the operating system, in a device’s firmware, where software upgrades won’t touch them.

Even so, hardware containing spy implants can suddenly get taken offline, leaving the hackers to wonder if someone had discovered their backdoor. The Russian cybersecurity firm Kaspersky Lab has publicly exposed numerous espionage tools planted around the world by the U.S. and its allies over the years, including a six-year-long operation that had placed implants on routers in multiple countries to spy on ISIS and al-Qaeda terrorists. And sometimes rival spy agencies steal an agency’s hacking tools, as reportedly occurred when a group known as the Shadow Brokers, believed to be a nation-state spy group from Russia, leaked pilfered NSA malware.

“There’s the layperson’s assumption that you just switch out the thing that has been compromised with the new thing that hasn’t been compromised,” said the former intelligence official. “But the process of switching out tooling, in and of itself, can dramatically increase your chance of being [caught].”

The NSA also has to watch out for other hackers, nation-state and skilled cyber criminals, who might already be inside systems the agency wants to breach. Those hackers can potentially spy on the agency’s activity inside an infected machine or grab its tools to study and reuse them.

Espionage vs. cyberattack

Governments may not like it when foreign spies breach their networks to steal data, but it’s an accepted and expected practice, even when it involves breaching critical infrastructure such as energy companies and electric grids for intelligence gathering. These targets can yield valuable information about how power is generated and distributed throughout a country, and how vulnerable parts of a grid might be to physical or digital harm. The U.S., Russia and other countries all compromise such networks.

“We might like to scream and rant and rave about it” when Russia hacks into those targets for spying purposes, “but they’re perfectly valid targets,” said the former intelligence official.

Gaining access to a power plant doesn’t mean a foreign government is about to take it down, Lee said. “It’s quite literally their job to just develop access and maintain that for when people request it,” he said.

But governments also contemplate more disruptive attacks on the electricity supply. This possibility gained new attention in 2019, when The New York Times reported that U.S. Cyber Command had planted “potentially crippling” malware in Russia’s grid systems on the chance that the U.S. might want to disrupt the grid in the future.

But Lee said the actions described in the article aren’t typically how the U.S. would carry out such an operation.

“You don’t place your offensive capabilities [in a network] before you leverage them,” he said, because you risk having them discovered. Attackers will, however, leave implants for intelligence purposes that could later be leveraged to disrupt a system or plant destructive code.

Ideally, Cyber Command’s offensive hackers wouldn’t wage destructive attacks against a target using the same implants and compromised systems that the NSA and CIA employ for intelligence collection, so as not to burn their spying capabilities, Daniel said. But Lee said that during his time at the NSA, Cyber Command often piggybacked on the access that espionage teams had worked hard to obtain. “We would have loved for Cyber Command to have their own capabilities and access, but that was not the reality of the situation.”

Effective cyberattacks aren’t spontaneous, opportunistic events. It can take months or years to get access to some systems, and then may require extensive reconnaissance and research — or even physical access — to design and pull off an attack.

“Flipping a relay is one thing. Understanding what happens when you flip the relay is something else,” said Jake Williams, a former NSA hacker who was with the agency until 2013.

In the best-known destructive cyber operation, the covert Stuxnet attack that the U.S. and Israel launched between 2007 and 2010 to disrupt the Iranian nuclear program, the CIA and Mossad used a mole working for Dutch intelligence to carry spyware into the high-security facility and place it on computers that weren’t connected to the internet. After that spyware gathered intelligence about the centrifuges used to enrich uranium, the mole planted destructive code on the same systems. Researchers in Israel and the U.S. even built centrifuge test labs to study the effects various digital attacks might have on the devices. The operation degraded between 1,000 and 2,000 centrifuges and caused temporary delays in Iran’s enrichment activities, though Iran recovered quickly from the setback.

Similarly, when Russian hackers took down parts of Ukraine’s electric grid for a few hours in 2015, they entered the power distribution companies’ networks by sending malware-laden emails to employees, then spent roughly six months conducting reconnaissance, studying the various models of control systems at the distribution utilities and tailoring malware to each of them.

For the U.S. to prepare to launch military cyberattacks against a foreign target in times of conflict, a Cyber Command team would make a list of systems they might need to access, then survey NSA and CIA hacking teams to see who already has access to them and whether additional networks need to be compromised.

But compromising new networks amid the current U.S.-Russian tension, before any direct conflict between the two countries has begun, is highly risky, and Lee said U.S. hackers would be exercising extra restraint right now. Russia could misinterpret new espionage intrusions as advance work for an attack, regardless of what the U.S. intends.

Lee said many people may assume that for a crisis like the Russian invasion, U.S. cyber warriors would be getting more aggressive inside Russian networks. But he said that “my experience with U.S. intelligence is it’s quite the opposite. … Now is not the time to go poking around. Unless you have a damn good need to be there, don’t go doing something that could be perceived as escalatory.”

Lee pointed to incidents his company uncovered in October when a Russia-based hacking group it calls Xenotime was found inside the networks of key electric and liquefied natural gas sites in the U.S. The hackers did nothing more than routine exploration of the networks, the kind of activity the U.S. also does, but because of growing tensions with Russia and Xenotime’s involvement in a previous disruptive attack, the information traveled up the ranks to senior officials in government. The episode occurred just months after Biden had warned Putin against offensive cyberattacks on U.S. critical infrastructure.

“It turned into extraordinary concern, because it’s perceived as sort of signaling,” Lee said. “[The Russians were] showing they may have the intent to come after electric and natural gas sites.”

How the U.S. would respond to an attack

No matter how dire the military invasion in Ukraine turns, the U.S. would not conduct disruptive or destructive cyberattacks against Russia, Lee believes. In the same way the U.S. has carefully avoided direct involvement in Ukraine’s defense, aside from supplying intelligence and equipment, it also would not want to enter into direct conflict with Russia in cyber space. This could change, however, if Russia attacks the U.S. or its NATO allies.

But Russia is probably making the same kinds of calculations about launching attacks against the U.S., said Daniel, the former NSC cyber coordinator. For example, to retaliate for the financial crisis that Western sanctions have triggered in Russia, Putin’s forces could launch sophisticated and potentially chaotic attacks against the integrity of U.S. or European financial data, but these kinds of attacks require extensive advance planning and it’s not clear Russia has done the work.

Daniel said Russia is also not likely to launch a destructive attack at the outset. Instead Russia might launch barrages of malicious online traffic to take down U.S. banking websites, as Iran has done in the past in retaliation for sanctions. Russia could also hijack internet routing so that banking traffic is redirected through Russian networks, or unleash cyber criminal gangs to conduct ransomware attacks on the financial sector.

Whatever Russia does, Daniel says the U.S. would want to be measured in any response it takes. Options could include leaking information about secret financial dealings of Putin and his cronies to further turn the Russian public against Putin, though the U.S. would have to be prepared for Russia to do the same.

“The U.S. would be looking for actions that would impose some pain but wouldn’t lead to physical destruction or loss of life or necessarily be permanent, so that if Russia backs off, the U.S. can as well,” Daniel said.

And Daniel said any response from the United States would likely be targeted narrowly at the military or government — contrary to a recent NBC News report, strongly disputed by the White House, that said U.S. cyber warriors had proposed to Biden options such as shutting off the power in Russia.

“We would not want to take steps that would drive the Russian populace back towards a pro-Putin viewpoint,” Daniel said.

Kim Zetter is the author of COUNTDOWN TO ZERO DAY: Stuxnet and the Launch of the World’s First Digital Weapon.