UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat
By Michael Riley and Jordan Robertson
Somewhere in China, a man typed his user name, “ghost,” and password, “hijack,” and proceeded to rifle the computers of a utility in the Northeastern U.S.
He plucked schematics of its pipelines. He copied security-guard patrol memos. He sought access to systems that regulate the flow of natural gas. He cruised channels where keystrokes could cut off a city’s heat, or make a pipeline explode.
That didn’t appear to be his intention, and neither was economic espionage. While he was one of the Chinese officers the U.S. charged last month with infiltrating computers to steal corporate secrets, this raid was different. The hacker called UglyGorilla invaded the utility on what was probably a scouting mission, looking for information China could use to wage war.
UglyGorilla is one of many hackers the FBI has watched. Agents have recorded raids by other operatives in China and in Russia and Iran, all apparently looking for security weaknesses that could be employed to disrupt the delivery of water and electricity and impede other functions critical to the economy, according to former intelligence officials with knowledge of the investigation. The incursions spurred a debate in the Obama administration over whether and how to respond, and raised alarms among lawmakers briefed on the incidents.
“This is as big a national security threat as I have ever seen in the history of this country that we are not prepared for,” said Representative Mike Rogers, a Michigan Republican and chairman of the House intelligence committee, who agreed to talk about the attacks in general terms but declined to discuss specific incidents. “Your palms get a little sweaty thinking about what the outcome of those attacks might have been and how close they actually came.”
UglyGorilla’s surveillance sortie was one of dozens conducted on natural gas pipelines and electric utilities by People’s Liberation Army Unit 61398 over at least 14 months in 2012 and 2013, according to documents obtained by Bloomberg News and people involved in the investigations but who asked not to be named because they weren’t authorized to speak publicly.
Unit members appeared to be performing the digital equivalent of mapping the dams or airfields or fuel routes of a potential enemy, what’s known in military jargon as preparation of the battlefield. While that kind of spying has been standard practice for centuries, technology is scrambling traditional rules of war, blurring the distinction between intelligence-gathering and aggression.
A satellite capturing images from 600 miles above Earth doesn’t cross the line; a navy vessel that sails into another country’s waters does. Hackers scanning infrastructure from inside computers that control it are both gathering knowledge for use in combat and moving into a potential battlefield.
Operatives vacuumed up caches of e-mails, engineering PDFs and other documents, but it was their focus on supervisory control and data acquisition, or SCADA, systems in industrial computers that most concerned U.S. officials, according to people familiar with the incidents. Attackers could use SCADA systems to manipulate valves to build up pressure and burst pipes or shut down a power plant.
“They’re practicing,” is how retired Army General Keith Alexander, then head of the National Security Agency, put it to lawmakers in 2012, according to a U.S. official who was present but asked not to be identified because the briefing was private.
In many cases, by the time outside forces have breached a computer system, “they’ve already done everything they need to attack you,” said Michael Hayden, a former director of the NSA and the Central Intelligence Agency. “In addition to doing reconnaissance, and maybe being accepted intelligence practice, they’ve got a gun at your head.”
The prevailing theory, according to two former senior national security officials, is that the hackers were only testing their skills and stockpiling data, preparing for a war their bosses may never wage, much as the U.S. and Soviet Union built nuclear weapons inventories during the Cold War.
What concerns U.S. defense officials is that while nuclear weapons are so destructive they haven’t been used in warfare since 1945, cyberweapons are alluring because they’re versatile. An adversary could be tempted by a menu of options, from a subtle disruption of communications systems to the chaos that would result if the power were shut down in Manhattan.
Cyberweapons are far easier and cheaper to obtain than nuclear materials, and so is data about the vulnerabilities in industrial control systems that run the electrical grid and water purification plants. The data could be used to develop and experiment with more sophisticated attacks, according to people familiar with the operations.
Nation-state hackers are also often freelancers, and the U.S. has identified cases where some employed by Russia and China provided their services to others for a price, according to intelligence officials. The data hackers collect isn’t difficult to sell to others either, as it’s simple to transfer electronically or on a pocket-size storage device.
“Five guys wearing flip-flops with the right capabilities in the basement with enough juice, and you got a real problem,” said Rogers, the House intelligence panel chairman. “That’s a very different threat now than we’ve ever really faced before.”
The Chinese hackers targeted 23 natural gas pipeline companies over seven months beginning in December 2011, and breached at least 10, according to a U.S. Department of Homeland Security presentation to the energy industry at a conference the following year; 10 of the remaining 13 were still being investigated at the time of that event. The Christian Science Monitor previously reported some information from the presentation, including the number of targets, and cited a possible link to the People’s Liberation Army.
FBI surveillance transcripts of the PLA unit and other documents related to the investigation obtained by Bloomberg News show the attacks continued for at least eight more months and ranged more widely, including gas and electrical utilities, which would be of little interest for economic espionage.
What alarmed DHS officials was the information seized, people who attended the conference said. According to the DHS presentation and slides, the unit stole lists of field sites, such as block valve stations and compressors, that could be manipulated remotely, as well as SCADA log-ons and user manuals for servers.
S.Y. Lee, a DHS spokesman, referred questions about the attacks to the U.S. Department of Justice. “Cyberthreats to our nation’s critical infrastructure, most of which is within the private sector, are a significant concern,” said Marc Raimondi, a Justice Department spokesman. “The U.S. government will continue to use all the tools at our disposal to disrupt and deter malicious activity.”
They were “preparing a scenario where they might be able to perform a very serious attack,” said Jaime Blasco, a researcher for AlienVault LLC who, as a consultant, aided the investigation into some of the natural gas sector breaches.
Hackers are keenly interested in the U.S. utility infrastructure, as Kyle Wilhoit, a threat researcher at the security firm FireEye Inc., discovered in an experiment last year when he worked for Trend Micro Inc. Wilhoit replicated the network of a municipal water system by using specialized software and real industrial controllers. He built the system in his basement in St. Louis, but from the Internet it looked like a water plant in Ashburn, Virginia, population 44,000.
The virtual utility was cased and raided within weeks by what Wilhoit said he believes was PLA Unit 61398, based on the custom code used and other evidence. The intruders stole passwords, engineering PDFs and data that would let them back into the computers through a remote access system for employees.
During an expanded version of the exercise, Wilhoit said, hackers, most of them from China, overrode controls in fake water plants in Europe and Asia. If a military performed those sorts of hacks, “that certainly would be crossing a red line in anybody’s book,” said Michael Assante, a former researcher at the Idaho National Laboratory near Idaho Falls who specializes in control system attacks.
The government’s indictment of UglyGorilla, whose real name is Wang Dong, and four other PLA hackers charges them with stealing economic secrets from six U.S. companies, incidents unrelated to the utility hacks. The Chinese government denied engaging in economic espionage, and a spokesman for the Chinese embassy in Washington called the accusations against the officers absurd.
The charges may in fact have been a way of alerting China that the U.S. knows everything Unit 61398 is up to, said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center, a nonprofit in Orlando, Florida, that coordinates dissemination of cybersecurity threat data to critical-infrastructure operators.
“There are code messages nations send each other all the time,” Blask said. “We want them to do those subtle things that allow both sides to save face.”
While Unit 61398 was at work, White House national security officials huddled with cybersecurity experts from across the government to consider options they could present to President Barack Obama. The team included representatives from the State Department, NSA, FBI and Pentagon, directed by National Security Council staff.
Sensitive facilities could be put under the protection of the NSA, whose own hackers could disrupt the digital raiding parties, but that would be a significant escalation and require changes to U.S. law. Instead, the officials considered ways to draw a red line around critical infrastructure, according to three people briefed on the discussions.
None of the options was good. The U.S. could enter into treaties prohibiting such activity, but signatories could simply continue the activity through black operations. Sanctions were unenforceable, and the source of attacks hard to prove.
“‘Trust but verify’ was a phrase made popular under Reagan. We’re worse off here. It’s more like ‘don’t trust and can’t verify,’” said Steven Chabinsky, a former deputy assistant director in the FBI’s cyber division who is now general counsel and chief risk officer at CrowdStrike Inc. “We need to move past that to de-escalate growing cyber tensions.”
As the discussions continued, a hurdle emerged from within the group’s own ranks. Proscribing cyber incursions would require the U.S. to forgo such activities, putting a potential adversary’s ports, communication networks and transportation facilities off limits. The Pentagon vetoed such proposals, the three people said, and no plan for responding to the hacks made it to Obama’s desk. Laura Lucas Magnuson, a White House spokeswoman, declined to comment.
An effort to require utilities, chemical refineries, water plants and stock exchanges to improve security also failed. Lobbying by the U.S. Chamber of Commerce helped kill a Senate cybersecurity bill in August 2012 by casting it as a regulatory burden because it would have forced some companies to install anti-hacking protections. Supporters couldn’t overcome a Republican-led filibuster against the measure, falling eight votes short.
The briefing on Capitol Hill that summer by then-NSA chief Alexander was part of a push by the administration to persuade Congress to pass the legislation. It appears to have been the first notification to lawmakers outside of a classified setting that foreign hackers had penetrated sensitive U.S. infrastructure, the official familiar with the event said.
The U.S. has few alternatives, said James Lewis, a cybersecurity fellow at the Center for Strategic and International Studies in Washington. “You can engage intelligence operations to try to judge their capabilities and intent, or fall upon your knees and beg critical infrastructure to make themselves a harder target, and we’re doing both.”
Documents obtained by Bloomberg News show how deeply U.S. investigators burrowed into foreign hackers’ organizations. In the case of Unit 61398, hackers typically used U.S. servers as staging points, which worked to the FBI’s advantage.
The agents issued subpoenas to tap those servers, including some of those used by UglyGorilla to hack a natural gas utility in the Northeast, according to people familiar with the investigation. Using specialized software, the FBI was able to record the commands going back and forth between his computer and his victim.
It was like peering over UglyGorilla’s shoulder, watching, keystroke by keystroke, as he snaked through the utility’s computer banks, according to transcripts of the surveillance session. The FBI scooped up his passwords as he typed them, and agents watched as he transferred data back to his computer.
He dropped one set of files into a folder on his desktop labeled “SCADA,” inside a subfolder with a utility’s initials, part of his method for keeping his multiple victims straight, the transcripts show.
While UglyGorilla accessed a gateway to systems that regulate the flow of natural gas, it wasn’t clear if he was probing the security of the system or trying to gain control of it, according to a person briefed on the investigation. Allison Mahan, a spokeswoman for the FBI, declined to comment on the agency’s surveillance of Unit 61398.
Pipelines are perfect targets, according to security experts. The latticework of lines that deliver gas is at capacity and loaded with choke points, said Saxon Burke, a former U.S. Department of Energy intelligence analyst. “There just aren’t many workarounds when it comes to these pipelines.”
Among UglyGorilla’s many energy industry quarries in 2012 were the e-mail accounts of executives and managers at utilities in Pennsylvania, New Jersey and Georgia, according to the documents. Among those on the list was Ray Codey, the administrator of the small borough of Madison, New Jersey, a bedroom community an hour’s train ride from New York City.
The FBI didn’t tell him he was targeted by a Chinese cyberspy, Codey said, and it’s not known whether the hacker successfully breached the municipality’s network. Codey said it wouldn’t be hard to guess why Madison was a target, because it’s one of just nine towns in New Jersey that operates its own electric utility.
Madison’s electricity comes through two feeder lines owned by Jersey Central Power and Light. If the hackers figured out how to shut them down, they could kill power to Madison’s 16,000 residents in an instant, a feat, Codey said, “that not even Hurricane Sandy had managed.”