As raucous pro- and anti-Trump crowds flooded into Washington for the presidential inauguration in Jan. 2017 , the D.C. police department's citywide surveillance cameras stopped recording. Within seconds, 123 of its 178 surveillance cameras, including those monitoring the streets around the White House and the headquarters of multiple federal agencies, had been "accessed and compromised."
The intelligence gap lasted for three days, from Jan. 12 to Jan. 15. Coming on the heels of Russia's covert intrusions into the 2016 campaign, officials at first feared Vladimir Putin -- or other bad actors, from China, Iran or North Korea -- had dramatically upped their game to create more chaos in American society and its politics.
As it would turn out, it was none of them. A couple of lowlife Romanian hackers had stumbled into the system and used it in a ransomware demand for a paltry $60,800 in bitcoin in exchange for releasing control of the system. The suspects were tracked down 11 months later and extradited to D.C., where they pleaded guilty.
The incident still chills veteran agents who've spent decades worrying about such things. It could happen again, in spades, if the crisis over Ukraine overheats into a direct military contest between Russia and the United States, say veteran intelligence officials.
Decades ago, defectors from Russia's GRU military intelligence agency said that its agents had planted weapons caches in the U.S. and Europe for sabotage attacks should a shooting war break out. One said it was "likely" that GRU operatives placed "poison supplies near the tributaries to major U.S. reservoirs," including the Potomac River that supplies Washington, D.C. with drinking water.
The defectors corroborated each others' accounts, but it's unclear whether any caches here were ever discovered. Swiss authorities reported finding a cache that had an exploding mechanism to destroy the evidence should an unauthorized person try to unearth it.
But the January 2017 blinding of DC surveillance cameras "highlights the fact that police, fire, EMS, cities and municipalities are as vulnerable as private sector entities to cyber attacks," says Ammar Y. Barghouty, a retired, highly decorated FBI agent who ran a program responsible for computer threats from terrorist organizations. Like many a homeland security official over the past quarter century, Barghouty, now director of cyber consulting for The Soufan Group, says key infrastructure organizations "should implement best practices" to defend against cyber attacks.
Yes, but it's late, says Bill Evanina, a career FBI special agent who became director of National Counterintelligence in the Obama administration. Utilities and financial networks began "raising their drawbridges" as the Ukraine crisis deepened, he and others say, but the Russians had "already prepped the battlefield for many years," he tells SpyTalk.
"They've been installing malware in critical infrastructure for more than a decade," said Evanina, who also once headed the Counterespionage Group at the CIA.
With Putin threatening war over Western sanctions and the possible transfer of Polish warplanes to Ukraine, Evanina says his "biggest concern is the utilization of intelligence operatives here to do close-access harm." By that he means Russian agents sliding up to targets with electronic devices to throw their operating systems out of whack or offline -- or more, physically cutting their cables and peppering its control offices with expert sniper shots.
Such happened in April 2013 at the Metcalf power facility adjacent to Silicon Valley, an incident that 60 Minutes revisited on Feb. 27. Investigators found that the unidentified perpetrators "shot 100 rifle rounds into 17 transformers, crippling the substation for a month and causing $15 million in damage," NBC's Bay Area affiliate reported in 2015. "The attack lasted just 19 minutes but sparked widespread concern that it was either an act of terrorism or a trial run for an even bigger assault on the nation's power grid." Later investigations showed the shots had been fired and cables cut with unusually high precision. Few physical security upgrades were taken at power stations around the country in the attack's aftermath, 60 Minutes found.
It wasn't Middle East terrorists who attacked Metcalf, U.S. intelligence agancies concluded. The Obama administration stopped short of publicly blaming Moscow, but officials told a congressional committee behind closed doors that only three actors were capable of carrying out such a sophisticated operation: the U.S., Israel and Russia -- and it wasn't Israel. The Russians have been suspected of carrying out more anomalous attacks on U.S. power stations in recent years.
Meanwhile, in 2020, the SVR, Russia's foreign intelligence agency, was fingered in the hacking of the SolarWinds IT management company, which "may have exposed the networks of more than 18,000 corporations and government agencies [and] inserted malware into an update of Orion, the company's software platform that monitors network traffic," a Columbia University panel said. Then, six months later, Russians carried out a massive ransomware attack on Colonial Pipeline, which controls about half of the fuel flowing to the U.S.'s East Coast. Moscow blamed Russian "criminals" for the attack.
Like Evanina, retired CIA senior official Gregory Sims sees all this as Russia prepping the battlefield should war break out.
"Russian doctrine clearly suggests that these vulnerabilities are being exploited not only to harvest intelligence but to reconnoiter critical U.S networks to lay the groundwork for disrupting or destroying them," Sims wrote in January.
U.S. national security leaders, he said, would be well advised to expect the unexpected, a shock on the order of Japan's sneak attack on Pearl Harbor or Al-Qaeda's audacious 9/11 plot.
"In the summer of 1941, U.S. officials knew that war with Japan was a real possibility, especially after imposing an oil embargo in response to Japanese military actions in French Indochina, a crippling blow given that Japan then imported 80 percent of its oil from the United States," Sims wrote for The Cipher Brief, a web site populated by retired intelligence officials. "What was surprising was not that Japan attacked in December 1941, but that it dared to attack the U.S. Pacific Fleet in its home port at Pearl Harbor."
"Sixty years later, in the summer of 2001," Sims added, "warning signs about another foe, this time Al-Qaeda, were also 'blinking red.' The intelligence community repeatedly warned policymakers of indications that Al-Qaeda was planning a spectacular attack. Yet once again, the failure was not in anticipating an attack, but in failing to imagine its breathtaking audacity."
Now the lights are "blinking red" in the cyber realm, but Sims says officials should widen their lens.
"It is worth pondering, for example, that Russia has developed, at tremendous expense, a sophisticated capability using exotic and highly specialized nuclear submarines and ships to attack the extensive network of undersea cables which carry 97% of global communications traffic, including the equivalent of $10 trillion in financial transactions daily," wrote Sims, who served multiple tours as a CIA station chief or deputy chief before retiring in late 2018.
"A coordinated, large-scale attack on this network would have the potential to wreak enormous economic, political, and social havoc on both sides of the Atlantic," Sims added. "In Putin's calculation, might that not be an appropriate response to a Russian ejection from SWIFT or other sanctions designed to cripple the Russian economy?"
Anything's possible, say other veteran intelligence officials, considering Putin's excited state of mind, but the Kremlin's recent history of covert activities suggests its attacks will remain in the cyber realm, its "center of gravity," as former DHS intelligence chief Brian Murphy puts it. Cyber-saboteurs could blow up gas pipelines or open the floodgates of a massive dam.
As for weapons caches, Murphy told SpyTalk in an interview, "We would hear things occasionally…from sources who heard something, from sources with less than credible access. I never heard anything come from it." Then again, he says, "it wouldn't surprise me," because Iranian agents here had been caught in the past extracting ammonium nitrate and other chemicals from cold packs to make bombs. A decade ago, the FBI and DHS put out an alert to local law enforcement to be on the lookout for suspicious accumulations of cold packs. One can expect the Russians to be more sophisticated than that.
The GRU defectors who told their sabotage tales years ago corroborated each others' accounts, but it's unclear whether any caches here were ever discovered. Swiss authorities reported finding a cache that had an exploding mechanism to destroy the evidence should an unauthorized person try to unearth it. But, as Evanina told SpyTalk, just disabling a half dozen major transportation hubs, like airports, via mobile cyber devices could create chaos across the country.
"As you know, we panic like nobody in America, right?" he said. "So my biggest concern is the utilization of intelligence operatives here to do close-access harm."
The U.S. recently booted 13 Russian diplomats suspected of espionage activities, just the latest expulsions going back to the Obama administration.
Alas, it's not only the Russians that authorities have to worry about. Only two weeks ago, three white supremacists pleaded guilty to conspiring to take down power grids in three different regions in order to accelerate "economic distress and civil unrest."
But the main worry right now is Russian intelligence agencies, because of their demonstrated expertise, sophistication and long record of aggression against American institutions, from infrastructure to elections.
"I think Putin is prepared to do whatever it takes," Gregory Sims tells SpyTalk.
"His state of mind should concern the world."
This article by Jeff Stein first appeared on Spytalk.co.