A huge story about Russian hacking got lost amid all the Trump administration staffing drama and Stormy Daniels news over the past week: On March 15, the US government released a report describing a massive Russian hacking campaign to infiltrate America’s “critical infrastructure” — things like power plants, nuclear generators, and water facilities.

The joint report from the FBI and Department of Homeland Security claims that Russian hackers gained access to computers across the targeted industries and collected sensitive data including passwords, logins, and information about energy generation. While the report doesn’t specify any identifiable sabotage, the intrusion could set up future attacks that do more than just record observations.

The day after the report was released, Energy Secretary Rick Perry told lawmakers at an appropriations hearing that cyberattacks are “literally happening hundreds of thousands of times a day,” and warned that the Department of Energy needs an “office of cybersecurity and emergency response” in order to be prepared for threats like this in the future.

This report is a big deal: It’s the first time the US government has publicly blamed Russia’s government for attacks on energy infrastructure. Explicitly pinning the attack on the Kremlin means that rather than targeting the hackers as individuals, the United States can now respond against Russia as a whole.

By tying the attacks to Russian intelligence agencies, the US government can then sanction high-level members of those agencies for the actions of their subordinates. This makes further hacking operations a lot riskier for not just the hackers themselves but also their bosses and the government that authorized them. It’s a first step toward establishing deterrence in cyberspace.

The Russian hackers used decades-old tactics to gain access

The report says that Russia targeted “Energy and Other Critical Infrastructure Sectors,” an unhelpfully large category. But these weren’t actually the first targets.

To gain access to the power plant computers and internal networks, the hackers first attacked smaller, less secure companies — like ones that make parts for generators or sell software that power plant companies use, for instance.

The Russian hackers then repeated some of those same techniques again to gain access to the primary targets.

One way they did that was to send emails from a compromised account that the receiver trusted and had interacted with before, to get the person receiving the email to reveal confidential information. This is known as “spearphishing.” For example, if the email looks like it’s coming from Bob from marketing, then Alice will be more likely to open it, even if the email was actually sent by Eve from Russia.

Another method they used was “waterholing.” The hackers altered websites that people in the energy industry regularly visit, so that those websites could collect information, like logins and passwords, and relay them back to the hackers.

Some targeted users were induced to “download enticing word documents,” as the report phrases it, about control process systems (programs that watch other programs work, essentially). But those documents turned out to be more malicious than enticing. By opening them, the targets ran programs that gave hackers access to their computers.

After acquiring the logins needed to fool the computers into letting the attackers in, the intruders set up local administrator accounts (the kind with permissions to do things like install programs) and used them to place more malware in the networks. The code they used also contained steps to cover the intruders’ tracks, like automatically logging out of the administrator accounts every eight hours.

“The bad news is this attack used a lot of the old methods to get in,” says Bob Gourley, founder and chief technology officer of the tech consultancy firm Crucial Point and author of the book The Cyber Threat.

“Trickery, getting people to click on links, the other kind of social engineering, phishing to get a foothold somewhere, this was the same kind of basic attack pattern that’s been going on for a decade now,” Gourley says. “It was just better resourced and better targeted, and they had more focused intelligence.”

The attacks were all about scouting, not sabotage

Once inside the computers of a primary target, like a power company, the attackers primarily set up programs that collected information. These programs captured screenshots, recorded details about the computer, and saved information about user accounts on that computer.

The report doesn’t say that the attackers were able to control how power plants generated power. Instead of messing up power generation, the intruders watched and recorded information from computers that received the data from the energy generation systems.

Essentially, this attack provided Russia a peek into how US power plants work and report data. That peek turned into a prolonged observation.

The DHS and FBI report is cagey about the impact, simply stating that the campaign “affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”

But how did it affect them? We don’t really know. The report doesn’t name any companies, and they’re allowed to remain anonymous in public releases about the attacks — that way, the companies can share and access reports of hacking with others, without fear that public knowledge of the attacks will panic investors or customers.

Nothing in the report speaks to the sabotage or damaging of any equipment. But if intruders were able to get into computers the same way they did for this scouting mission, and to modify code on the targeted computers as easily as they did, then there’s no reason they couldn’t stage another attack.

The report also notes that the hackers tried to mask evidence of their intrusion on the way out, and advises the targeted companies to take precautions in case any malicious code was left behind.

Are we sure it was Russia, and what was its goal?

The DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”  

An October 2017 report on the attack, published by Symantec and cited in the government report, notes that “some code strings in the malware were in Russian. However, some were also in French, which indicates that one of these languages may be a false flag.”

When the US Treasury Department issued new sanctions against several Russian individuals and organizations on March 15, it named these cyberattacks as one of the reasons for doing so. The Treasury Department statement specifically names and sanctions individuals involved with Russia’s Internet Research Agency and the GRU, Russia’s military intelligence branch, though it declines to specifically link any of the individuals named to this latest hacking campaign.

Former intelligence officials and analysts interviewed by the Cipher Brief regarding the report all reached a similar conclusion: The intrusion looks like a scouting mission, which tells us a lot about what kind of information was gathered, and not a whole lot about what Russia intends to do with all that information.

Chris Inglis, former deputy director of the National Security Agency, put it most succinctly: “[T]his is not an opportunistic foray on the part of the Russians. They seem to be intent on getting into the critical infrastructure; they didn’t simply get there because they’ve taken a shotgun approach.”

As for what Russia intends to do once inside that critical infrastructure, that’s much harder to say.

What can the United States do?

The DHS-FBI report includes suggestions, like specific code for targeted companies to run to root out some problems and step-by-step guidelines for how to find and eliminate malware.

Beyond that, there’s a list of cybersecurity tips and common sense advice, like setting limits on the functions a regular user can access on a computer, leaving other functions to secure administrator accounts. That would minimize the damage an intruder could do by compromising a normal user.

The report also includes tips like “Establish a password policy to require complex passwords for all users.” (Just what everyone wants — yet another complex password involving letters, numbers, and symbols that you have to change every month.) Annoying as they may be, there’s a reason that complex passwords are such a common recommendation after cyberattacks: Not everyone uses them yet, and setting your password as “password” still lets attackers in the front door.

To protect against attacks like this in the future, Gourley, the Crucial Point founder and chief technology officer, recommends that companies adopt multifactor authentication to mitigate the harm from stolen logins and passwords. That means that instead of just using a password to get into a system, a user also has to type in an additional code that they receive via text message or plug in an ID card into a card reader hooked up to the computer.

Every additional means of verifying that a user is who they say they are makes it harder for an attacker to replicate all the credentials required and log in to the network.

Welcome to the new era of cyberwar

The biggest problem is that countries the world over are rapidly learning just how much vital or even lucrative information they can obtain from hacking, and are constantly figuring out new ways to circumvent security measures they encounter.

Sanctioning officials involved in authorizing attacks certainly punishes those involved. But it’s worth noting that more than a third of the individuals named in these latest sanctions had already been sanctioned by the US — and that apparently didn’t stop them from carrying out these new attacks. Which means that the deterrence or retaliatory effect of sanctions alone may not be as great as perhaps desired.

But cyberattacks like these fall in the gray area between network security, espionage, and crime, making it harder to figure out how to respond in a way that actually makes a real difference. Intrusions like these still fall short of sabotage or war, but that doesn’t mean we have to like them.

Kelsey Atherton is a defense technology journalist based in Albuquerque, New Mexico. Find him on Twitter @athertonkd.

In September 2016, North Korean intelligence services stole a huge batch of classified US and South Korean military plans — including a plan to assassinate North Korea’s dictator Kim Jong Un and other top government officials.

Yet this was not the stuff of an old-school John le Carré spy novel, with shady figures in trench coats exchanging documents at a dark rendezvous spot in the woods. North Korea’s data theft was done entirely through computer systems.

According to a South Korean politician, last fall North Korean hackers gained access to South Korea’s Defense Integrated Data Center and stole 235 gigabytes of classified military plans. Two plans in particular stand out: One was for how to respond to an attack on South Korea by North Korean commandos. The other was the plan for what’s called a “decapitation strike,” or an operation that would specifically target Kim and other key government officials loyal to the regime. But the full depth of what was stolen is still unknown.

The fact that we’re only just now learning of the extent of the burglary, more than a year after it happened, is a testament to North Korea’s immense cyber capabilities.

But wait a second — how did an impoverished country like North Korea end up with such impressive hacking abilities? And are they really that impressive? Or is our information just really easy to steal?

It turns out that while we’ve been (understandably) focused on North Korea’s nuclear weapons and ballistic missiles, the country has been quietly developing another powerful tool — a selection of malware and malicious code, a veritable cyberweapons cache.

How did North Korea pull it off?

North Korea is one of seven nations generally regarded as “cyberpowers” — countries with the ability to mess around in the information systems of other countries. (Besides North Korea, the major cyberpowers are the United States, Russia, China, the United Kingdom, Iran, and France.)

In 2014, North Korean hackers conducted a major operation against Sony in the United States in retaliation for the Sony Pictures film The Interview, a Seth Rogen and James Franco comedy depicting a fictional assassination of Kim Jong Un — a cyberattack that some political commentators labeled an act of war.

This latest hack of the military documents worked through human error. As the Wall Street Journal reports, the North Korean hackers first gained access to a South Korean company that makes the antivirus software used by the South Korean military. That compromised antivirus software provided a path for North Korean hackers into South Korean military computers.

Normally, the military database they hacked, working on a secured intranet, would be safe from compromise — but a contractor working at the data center left a cable in place that connected the military intranet to the internet, allowing the North Korean hackers to access the database of sensitive documents.

That connection remained in place for more than a year, and wasn’t detected until September 2016. North Korean state media has denied involvement in the attack, claiming instead that South Korea made up the whole thing.

How did a country like North Korea develop such impressive cyber capabilities?

Computer scientists are the key to creating and maintaining new cyberweapons, but there’s also a great deal of reverse-engineering that goes on. For instance, in 2012 Iran used cyber tools to wipe and render useless 35,000 computers at Saudi Aramco, one of the world’s biggest oil companies. The tools Iran used in the Saudi Aramco attack were largely modifications of tools that had attacked Iran, now redesigned for different targets.

“[For] everybody, once your code gets out on the internet, it’s possible that someone else can intercept copy and modify for their own use,” says Bob Gourley, co-founder of the security consultancy firm Cognitio and veteran of the intelligence community.

“North Koreans might be borrowing code they saw in a Russian attack,” Gourley says, but that “doesn’t mean Russians and North Koreans are collaborating. [It] just means they saw that code and modified it, or they may be modifying code of some hacker or some criminal groups.”

“Everyone starts to build upon other people’s exploits,” he adds.

But North Korea has the smallest economy of all the cyberpowers, with a GDP estimated at somewhere between that of Vermont and Wyoming. How, then, can it so effectively fund the kinds of computer scientists needed to maintain such a potent cyber capability?

Part of the answer has to do with the nature of the North Korean economy itself. The North has what’s known as a “command economy,” which means that the central government basically controls every single aspect of the economy, including the production and distribution of goods and services.

As a result, the regime is able to direct as many resources as it wants toward military programs within the country, like its nuclear project and its cyber program, even in the face of strict foreign sanctions.

The other reason is that North Korea’s cyber division actually makes a lot of money on its own, thanks to the country’s willingness to have its military programmers engage in straight-up crime.

“There are remarkable similarities between North Korea and an organized crime group,” says William Carter, deputy director of the technology policy program at the Center for Strategic and International Security, a Washington think tank.

For instance, Carter says, North Korea’s cyber division “used a pretty sophisticated scheme to send false payment orders through the Swiss [banking] network and got hundreds of millions of dollars transferred out of the banks of Bangladesh, the Philippines, Vietnam, Ecuador, and others and into accounts controlled by North Korean government.”

When your hackers are bringing in that kind of cash, paying their salaries becomes a whole lot easier.

Why would North Korea launch cyberattacks?

While North Korean attacks and intrusions make headlines, it’s safe to assume that all countries with the capability to do so are actively watching and tracking and spying on the cyber capabilities of other countries. So it’s not the use of cyber itself that sets North Korea apart from other nations.

“The challenge is that North Korea’s objectives are a lot about being able to lash out,” says Michael Sulmeyer, director of the Cyber Security Project at Harvard’s Belfer Center, “and they’re also limited in other ways they could insert themselves, cut off from so much of the global economy.”

With an army focused on the South, a navy that is limited in reach, and an air force oriented toward defense, North Korea’s main ways to threaten countries beyond its immediate borders are with missiles or with cyber intrusions.

Having a robust hacking capability means that Pyongyang can attack those who make both fictional depictions of Kim Jong Un’s assassination and actual military plans for such an event. Kim inherited not just his father’s nuclear program but his grandfather’s intense paranoia, and the whole orientation of the regime is built around ensuring his survival.

Kelsey Atherton is a defense technology journalist based in Albuquerque, New Mexico. Find him on Twitter @athertonkd.