A leaked U.S. intelligence assessment includes a stark reminder of the threat that hackers can pose to critical infrastructure.
The assessment, which mostly focuses on Ukraine’s military effort against Russian forces and is believed by a senior U.S. official to be authentic, includes a warning that Russian hacktivists broke into a Canadian gas infrastructure company this year and have received directions from Russian intelligence.
That access could provide a way to cause significant damage and possibly an explosion, the assessment notes. Such an attack is considered extremely difficult to pull off but remains among the intelligence community’s worst fears. And though no such major attacks have been found just yet, experts say they are an ever-present threat.
“It’s not the first time somebody’s gained access to critical infrastructure,” said John Hultquist, the vice president for threat intelligence at the cybersecurity company Mandiant, which is owned by Google. “It happens constantly. The Russian intelligence services do it all the time.”
The hacktivists, a Russian-speaking group called Zarya, broke into the computer network of an unnamed Canadian gas distribution facility in February and sent Russia’s FSB intelligence agency screenshots of what it claimed were controls “to increase valve pressure, disable alarms, and initiate an emergency operation [that] would cause an explosion,” the U.S. assessment says.
NBC News has not verified that claim, and it is unclear what company was involved. The official also said some of the documents may have been altered before they were posted online, though this part of the assessment shows no obvious signs of changes.
“If Zarya succeeded, it would mark the first time the IC has observed a pro-Russia hacking group execute a disruptive attack against Western industrial control systems,” the assessment says, using an abbreviation for the intelligence community.
No such disaster appears to have happened. But the assessment illustrates both how the U.S. worries about destructive hacks against Western energy infrastructure and how Russian intelligence can rely on domestic criminal hackers to work for them.
The assessment, marked Top Secret, comes from a cache of more than 50 pages of classified documents that surfaced online in recent days after languishing in obscure corners of the internet. U.S. officials have declined to comment on the authenticity of specific documents, but one official told NBC News that they do appear real. It’s unclear who originally leaked the documents or why.
The Zarya assessment was first reported by the journalist Kim Zetter. A spokesperson for Russia’s embassy in Washington didn’t immediately respond to a request for comment.
The U.S. generally views hacking to conduct espionage as a common tactic used by all sides, while cyberattacks that cause physical destruction are seen as a dramatic escalation.
“I think the big issue here is whether or not they decide to leverage that access for some sort of disruptive or destructive attack,” Hultquist said.
The Canadian Centre for Cyber Security declined to address the specific claim in the U.S. assessment. But an agency spokesperson said it does worry about hackers gaining access to critical infrastructure.
“We remain deeply concerned about this threat and urge critical infrastructure owners and operators to get in touch with us to work together to protect their systems,” the spokesperson said.
Lesley Carhart, who leads incident response in North America for Dragos, a company that specializes in cybersecurity for industrial systems, said that they found it believable that a hacktivist group like Zarya could have gotten access to a gas distributor, but that it would have taken far more effort to actually cause an explosion.
“A process like that has redundancy. Human controls. Digital and physical safety controls. It’s designed to not explode even if someone makes a mistake,” Carhart wrote in a text message.
Zarya is one of several pro-Russia hacker groups that frequently pester targets related to NATO and Ukraine-allied countries. While they frequently knock websites offline for a short period, they rarely display the capability to cause serious damage.
There are about 20 such groups, most of which have appeared in the past two years, starting about when Russia began invading Ukraine, said Sergey Shykevich, who tracks threat intelligence for the Israeli cybersecurity company Check Point Software.
Zarya chronicles its exploits on its Telegram channel, where it mostly brags about knocking sites offline. Its posts don’t mention an attack on Canadian energy infrastructure, and the group has explicitly claimed to be unaffiliated with the Russian government.
Chris Painter, the State Department’s cyber ambassador in the Obama administration, said that Russian intelligence does frequently lean on its rich pool of domestic cybercriminals to achieve its goals.
“It’s one of the tools in their toolkit to use these proxies, because in a sense, it evades direct responsibility,” Painter said. “They can always say, 'Well, it wasn’t us. It was a criminal group.'”