Recent attacks on several water authorities, such as Aliquippa and St. Johns River, are putting a new spotlight on the need to protect critical infrastructure.
Water, and many other services deemed “critical,” such as food, shelter and warmth fall under basic psychological needs in Maslow's Hierarchy of Needs.
When these basic needs are satisfied, only then can we meet safety and security. In war, to bring a nation to its knees, attacks against power and water inflict the most damage psychologically.
That’s why we must take these attacks against critical infrastructure power and water facilities seriously, and view them as a harbinger of war.
Why attack critical infrastructure?
When a bank goes offline, there's trepidation, but people will generally remain calm for a few days. However, even a “perceived” shortage, like with the Colonial Pipeline ransomware attack, will cause the masses to begin hoarding fuel and revert to the primal need to survive.
The military calls this Intelligence Preparation of the Battlefield (IPB). IPB, born out of the Arab-Israeli War of October 1973, offers the "basis for situation and target development," meaning IPB can predict an enemy’s course of action. While Russia and China are targeting critical infrastructure for IPB, Iran targets it for ideological purposes. The attack on several water authorities, such as in Aliquippa, was directed against equipment manufactured by an Israeli firm. It created a propaganda victory, even if it caused no serious damage.
China has been preparing the battlefield, physically and digitally, for years. This preparation includes the activities of the Volt Typhoon threat actor group attributed to China, and the Sandman APT, which according to researchers from SentinelLabs, Microsoft Intelligence and PWC, is likely associated with suspected China-based threat clusters. From disruption of freedom of navigation exercises to dangerous intercepts of military aircraft in international airspace, China combines this with the targeting of critical infrastructure that supports United States military operations such as Guam.
The Washington Post recently reported on the continued campaigns by the Chinese People's Liberation Army to compromise critical power and water systems from Texas to Hawaii, including an oil and gas pipeline. In the event of hostilities, China would reach into its IPB playbook and determine which course of action would achieve military and intelligence goals.
IPB in action: Testing the waters
In March 2022, the United States Department of Justice unsealed indictments against Russian nationals working for the Ministry of Defense and the Federal Security Service (FSB). Among the various offenses committed were attempts to "...damage critical infrastructure outside the United States, thereby causing two separate emergency shutdowns at a foreign-targeted facility" and a successful spearphishing attack against the Wolf Creek Nuclear Operating Corporation in Burlington, Kan.
If an attack on a nuclear power plant wasn't in furtherance of IPB, it certainly wasn't for grins and giggles. And it's not just state actors.
Additionally, the FBI noted in its 2022 Internet Crime Complaint Center Report that 870 out of 2,385 reported ransomware attacks hit critical infrastructure, as ransomware has become a tool of IPB, especially for the Russian Federation. It serves their strategic goals of disrupting U.S. and NATO-linked countries with the implicit approval of the Russian government. How do we know that?
While transnational criminal groups continue to target critical infrastructure, many times, it's done with the implicit approval of an adversarial state actor.
In October 2021, Microsoft reported that Russia was behind 58% of all state-sponsored attacks, North Korea 23%, and China 8%. In a not-so-shocking report from Chainalysis, Russian-linked ransomware groups received 74% of all payments.
None of our main adversaries has an extradition treaty with the United States, or almost any NATO country, for that matter. As ransomware continues targeting and attacking critical infrastructure, it serves the criminals' financial and the nation-states’ IPB goals.
BlackEnergy: Learning from a history of attacks
December 23, 2023, marks the eighth anniversary of the first use of the BlackEnergy malware by Russia to attack the power grid of Ukraine. It was also an attack on the most basic and essential of human needs: survival.
So, as we approach this anniversary, we would do well to remember the lessons of Sun Tzu from The Art of War:
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
Many have prognosticated on why Russia picked December 23, 2015, to launch the devastating BlackEnergy attack. It had nothing to do with the holidays, Christmas, or parties.
It had everything to do with December 23, 2014. The headline from Radio Free Europe read: "Ukraine Votes to Abandon Neutrality, Set Sights on NATO." The last thing Russia wants is a NATO-member country on its southern border. The BlackEnergy attack was retribution, pure and simple.
But it wasn't the first attack. In August 1941, German forces were moving through Ukraine as part of Operation Barbarossa, Hitler's plan to invade Russia.
Stalin had the NKVD (the predecessor to the KGB) blow up the Dnieper dam at Zaporizhzhia. At the time, it powered the Dnieprostroi hydroelectric plant, Europe's biggest and most powerful one. The actual video footage is deceptive.
The attack on Dnieper was more than an attack on infrastructure. Nearly 100,000 people were killed, including Ukrainians and Russian troops. Again, on June 6, 2023, officials believe Russia was behind the destruction of the Kakhovka hydroelectric power station in Ukraine, in which flooding from the damaged reservoir threatens the Zaporizhzhia nuclear power plant.
The events of this week prove we have the equivalent of the Wild West ahead of us when it comes to threats against critical infrastructure. As fast as the FBI seized sites belonging to ALPHV/Blackcat, the ransomware group claimed to have "unseized" many of the sites, disputed the actual number of companies whose data could be decrypted, and unleashed its affiliates to "fire at will."
Attacks against critical infrastructure and IPB activities clearly signal that conflict looms on the horizon. We need to prepare ourselves to defend against these attacks on critical infrastructure because bits and bytes are often as destructive as bombs and bullets in future wars.
Morgan Wright, chief security advisor, SentinelOne
