Russia has taken ‘preparatory actions’ for a cyberattack. What does that mean? – Grid News



President Joe Biden and top White House officials are warning that Russia could launch cyberattacks against critical infrastructure, citing intelligence reports.

The Russian government appears to be taking preparatory actions for this type of attack, Deputy National Security Adviser Anne Neuberger said at a briefing on Monday — warning that U.S. companies had not patched known cyber vulnerabilities.

The warnings come as Russia remains mired in a sluggish land war in Ukraine and faces continued sanctions that are squeezing President Vladimir Putin, oligarchs and the Russian public alike.

Grid spoke with Jim Lewis, a former top cyber official at the State and Commerce departments who now directs the strategic technologies program at the Center for Strategic and International Studies, about what the White House’s warnings signal.


This interview has been edited for length and clarity.

Grid: What type of activity is the White House talking about? What constitutes “preparatory actions” by the Russians?

Jim Lewis: The Russians have been able to access American critical infrastructure for years, and we don’t always have a good sense of where they are or what they’ve left behind. My assumption is that the White House probably found some indicator that the Russians were at least thinking about whether some kind of cyber action against the U.S. would help them in the conflict with Ukraine. That’s usually what it is: there’s chatter, and it looks like the Russians will do something.

That’s probably what they’re worried about. The Russians are in the electrical grid or in the gas pipelines. They’re in critical infrastructure, and we don’t know if we’ve gotten them out. So we need to start preparing. Colonial Pipeline [which the FBI attributed to a Russian ransomware group] and SolarWinds [which the Biden administration has said was directed by Russian intelligence services] showed us if you aren’t at the top of your game, the Russians could take advantage of you.

G: In terms of preparatory action by the Russians, what would that look like in practice, and how would the U.S. detect it?


JL: It could be probes. It could be testing networks to see if you can get in. It could be getting in and leaving something behind. It could be activating some of the things they probably got from SolarWinds [during which Russian-affiliated hackers broke into U.S. government systems]. So there would probably be an uptick in Russian activity, and that would be one of the indicators that they were at least planning how to do something.

G: Is this messaging from the White House and the federal Cybersecurity and Infrastructure Security Agency more urgent than we’ve seen in the past?

JL: I think so. They haven’t done this before. [The Department of Homeland Security] a few years ago put out a statement that was so vague and said, “Critical infrastructure operators should be careful because foreign entities could be on their networks,” blah, blah, blah. And I don’t know why it was so vague. It was the Russians.

This administration has done better at being specific. My guess is they got some kind of indicator from our own intelligence that the Russians were thinking about doing something dramatic. That is probably why they made these statements.

G: The U.S. has been releasing intelligence throughout this conflict that has correctly anticipated Russian actions. Does this latest warning seem to be in line with that?

JL: The U.S. intelligence agencies have done a pretty good job in Ukraine. They’ve been a step ahead of the Russians at every moment in the game. Presumably, that’s what’s happening here. They had advance warning of what the Russians were thinking about doing, and that sometimes results in the Russians not doing things because they realized we knew. This is probably a success for U.S. intelligence in seeing the Russians beginning to think about a serious cyberattack.

G: Is there any reason to think the White House is exaggerating here?

JL: They’re not. Putin is getting frustrated. The Russians are looking at plan B. And plan B might include cyber actions against the U.S. The fact that they haven’t done it doesn’t mean they can’t do it. The thing that worries everyone is Putin has not shown a good degree of self-control here. As the Russians begin to say, “We’re stuck, and it’s because of the West. We need to do something back,” the risk has probably increased.

G: What form could an attack take that wouldn’t result in escalation by the U.S.? Or does Russia want things to escalate?

JL: That’s one of the big questions. The Russians know that a massive cyberattack against critical infrastructure, or any big action, could lead to some kind of escalation. But there are options for them. The Colonial Pipeline attack is a great example. You get panicky Americans, a political problem, and [Russia] can say, “It wasn’t us, it was some ransomware gangs.” There is NotPetya, the malware attack, which spread around the world, caused lots of harm and was ultimately attributed to the GRU [Russia’s military intelligence unit]. A massive attack is unlikely unless Putin wants to start a war with us, and I don’t think he does. But some sort of punishment from ransomware or some economic crime by criminal actors? That’s an easy one.


G: There have been reports, via an FBI memo, that the targets were energy companies. What would be the most vulnerable subset of that industry if that is the case?

JL: There are two. The first is [oil and gas] pipelines. The ability to mess with pipelines is relatively easy because a lot of them use pretty basic computing and are not necessarily hardened. So you have a 2,000-mile-long pipeline, and somewhere on it there’s a sensor or a monitor that you might be able to get access to, then a network, and cause some sort of disruption. The second is the electrical grid. Some power companies have done a good job [of securing themselves]; some haven’t. But it’s the same issue — a lot of the control technology is basic, and it gives you an opportunity to get in. There’s a limit to what they’re going to want to do, and interfering with the flow of energy is probably the least risky. It creates political problems for the administration, but it does not rise to the level of use of force that could trigger a U.S. reaction.

G: Are U.S. companies and local governments prepared for something like this?

JL: The problem is this is a big country. Roughly somewhere between 50 and 80 companies supply about three-quarters of the population with things like energy, telecommunications and internet connectivity. And there are hundreds of other companies that supply the rest. Some of those big companies have done a great job securing their systems. Some of them have done only an OK job. It’s all better than it was five years ago, but there are so many targets.

If the goal is to create some sort of political disturbance, the Russians could go after a medium-sized city. They may not do something like Colonial Pipeline again, but they may interfere with the flow of gasoline. They must have been laughing hysterically when they watched the Colonial Pipeline attack and saw Americans panicking and lining up for gas. So that might be fun to do again if you’re Russia.


G: What should people be on the lookout for in the cyber realm moving forward?

JL: I’m looking at how the Russians are doing in Ukraine. Because if they’re stuck for a long time, they might be tempted to interfere with logistics for supplies. Can they interfere with ships or flights that are bringing supplies to the Ukraine? I’m looking at where the Russians are and how frustrated they’re getting, because the more frustrated they are, the more risks they’ll take. I’m also looking at announcements like this because we don’t have insight into what the intelligence community is seeing. Unless it’s bad and then they say something publicly — that’s what happened here.

Benjamin Powers, Technology Reporter

Benjamin Powers is a technology reporter for Grid where he explores the interconnection of technology and privacy within major stories.