Exposing the Russian spies who tried to hack into a Kansas nuclear power plant | KCUR 89.3

Three young Russian spies, Pavel, Mikhail and Marat, working from computers in a 27-story skyscraper at 12 Prospekt Vernadskogo in Moscow, targeted the Wolf Creek nuclear power plant in Burlington, Kansas for five years.
They were on a sophisticated cyber reconnaissance mission to learn more about the inner workings of the plant to prepare for a possible precision electronic assault by the Russians.
That’s the story that broke on March 24, when the US Department of Justice suddenly and somewhat mysteriously unsealed an indictment against the ill-fated trio. The indictment was filed under seal on August 26, 2021, in United States District Court in Kansas City, Kansas, and sat gathering dust for seven months.
Context matters, and in this case, it explains why the Sunflower State and its only nuclear power plant have been woven into a saga with the overtones of a John le Carré spy novel.
The bloody backdrop is the devastating war that Russia launched weeks ago against Ukraine. That backdrop also includes the remarkably successful psychological warfare operations that the Biden administration and its Western European allies have launched against Russian President Vladimir Putin and his war machine.
James Lewis, a nuclear cybersecurity expert, said the DOJ indictment was likely unsealed in Kansas now because the Biden administration has new intelligence on the Russians and wants those overseeing America’s critical infrastructure to be on heightened alert.
“Maybe the Russians pay more attention to a cyberattack than in the past. It’s driven by what the Russians are doing,” said Lewis, director of the strategic technology program at the Center for Strategic & International Studies in Washington.
Wolf Creek, completed in 1985, is located approximately 100 miles southwest of Kansas City. Evergy, formerly Kansas City Power & Light, owns 94% of Wolf Creek and the rest is owned by the Kansas Electric Power Cooperative.
Evergy declined to discuss the Russian cybersecurity attack on Wolf Creek. Their statement is, however, illuminating in that it immediately refers to the war in Ukraine.
Chuck Caisley, Evergy’s senior vice president of public affairs, in response to an interview request, instead sent an email stating, “Given the current geopolitical situation and the current cybersecurity threat to the national power grid, in general, we’re not publicly discussing cybersecurity in Evergy or Wolf Creek. In addition to not discussing our point of view, our practices and our protocols in general, we are also not discussing this incident.”
Security experts say that until the presidencies of Barack Obama, Donald Trump and Joe Biden, US intelligence agencies never publicly revealed the identities of foreign government hackers. To do so now in a big way is an escalation in the ongoing battle against these threats and was meant to draw the attention of those governments and their agents who had hoped to carry out their dastardly deeds in the dark.
Pavel Aleksandrovich Akulov, Mikhailovich Gavrilov and Marat Valeryevich Tyukov are named in the Kansas indictment.
For them, being publicly labeled as cyber-hackers is “life-changing,” said Tim Conway, industrial control systems program manager at the SANS Institute, which offers cybersecurity training. These guys won’t be able to travel far beyond Russia’s borders for fear of being arrested by international law enforcement agencies.
“For starters, the U.S. Department of State’s Rewards for Justice program offers rewards of up to $10 million for information that identifies or locates individuals, which will limit travel abilities, work abilities, and will likely limit the role in their current organizations,” he said.
Photographs of the three Wolf Creek hackers were included in the indictment. Although unlikely, if you spot them in the Country Club Plaza or at a Kansas City Royals game, you would be well advised to call the FBI.
Experts say their public exposure by US authorities is unique.
“Yeah, yeah, as far as I know, we’re the only ones naming and shaming people,” Conway said.
After receiving a copy of the unsealed indictment, Conway told Flatland that the Wolf Creek attack was akin to a fishing expedition to find out more about the operation of the plant.
“They were building a list to inform future actions,” he said.
Ultimately, Wolf Creek’s security systems would not allow cyber intruders to trigger a collapse that would potentially poison the area and Kansas City, Conway said. Additional layers of security are provided because the plant’s operating systems are largely isolated from the internet where cyber intruders roam.
If ever there was a catastrophic release of radioactivity at Wolf Creek, Kansas City could very well be in its path, according to KMBC chief meteorologist Bryan Busby.
“So usually before the rain and storms of all kinds arrive, the winds will come in from the southwest, which means any radioactive fallout would be transposed towards us,” Busby said. “Typically, KC has around 105 days of precipitation – around just under a third of the year.”
“Should the people of Kansas City be freaked out by the attacks involved in this campaign that took place years ago? Probably not,” Conway said. “But they should be careful, be like, ‘Hey, this is happening in my state. This is not something that happens in Ukraine or in the world.’”
The real interest in disclosing information about a cyberattack “that’s been around for a long time,” Conway said, may be tied to Russia’s ongoing attack on Ukraine.
Release of this information now, Conway said, “is absolutely informed by the geopolitical situation around the world” and is likely to cause high-level anxiety in the Kremlin.
“It highlights that things are not going well for Putin,” Conway said.
It also underscores Putin’s predicament of perhaps being caught off guard by his own intelligence agencies, which have underestimated Ukraine’s combat capabilities in recent weeks.
U.S. and allied intelligence agencies have clearly dug deep into Russian cyberattack forces, as the details of the unsealed indictment demonstrate.
How did America get the photos of the Russian hackers and how long has the investigation been ongoing? It’s a question that hackers in Russia – as well as Iran, China and North Korea – are asking themselves now.
Additionally, the indictment detailing how the Russians gained access to various energy and industrial networks provides good information for companies and their suppliers tasked with setting up defenses against future incursions.
The Department of Justice, in a March 24 press release regarding two unsealed indictments, described “two separate conspiracies, targeting the global energy sector between 2012 and 2018. In total, these hacking campaigns have targeted thousands of computers, hundreds of businesses and organizations, in approximately 135 countries.”
One indictment was filed in Washington, D.C.
The second, filed in Kansas City, Kansas, detailed “a separate two-phase campaign by three Russian Federal Security Service (FSB) agents and their co-conspirators to target and compromise the computers of hundreds of entities linked to the energy sector worldwide. Access to such systems would have provided the Russian government with the ability, among other things, to disrupt and damage such computer systems at a future time of its choosing,” the DOJ press release said.
Deputy Attorney General Lisa O. Monaco said in the statement, “While the criminal charges unveiled today reflect past activity, they clearly demonstrate the urgent and ongoing need for corporate America to strengthen its defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyberattacks.”
U.S. Attorney Duston Slinkard of the District of Kansas said, “The potential for cyberattacks to disrupt or even cripple the delivery of critical energy services to hospitals, homes, businesses and other places critical to maintaining our communities is a reality in today’s world.”
The DOJ press release continues: “Between 2014 and 2017…the conspirators moved on to more targeted compromises that focused on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems.
“As alleged in the indictment, the conspirators’ tactics included spear phishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.
“In some cases, spear phishing attacks have been successful, including compromising the company’s network (that is to say, involving computers not directly connected to ICS/SCADA equipment) at Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant.”
SCADA is short for “supervisory control and data acquisition”: computer systems that monitor and control the innards of industrial equipment and processes, governing things like power generation in a nuclear power plant and maintaining its operational health.
“Furthermore, after establishing an unlawful presence in a particular network, the conspirators typically used that presence to further penetrate the network by gaining access to other computers and networks of the victim entity,” said the DOJ.
The DOJ praised the Wolf Creek utility operators, saying they “provided invaluable assistance to the investigation.”
The nuclear industry is aware of the importance of protecting its assets from rising cyber threats, according to Rich Mogavero, senior project manager at the Institute of Nuclear Energy, the nuclear industry’s policy organization.
“As one of the nation’s critical infrastructure sectors, the nuclear power industry routinely engages with federal agency intelligence agencies on situational and threat awareness and assesses its preparedness for emerging cyber threats,” he told Flatland in a prepared statement.
This story originally appeared on Flatland, another member of the KC Media Collective.