A secret experiment in 2007 proved that hackers could destroy the power grid beyond repair – with just a file no larger than a regular GIF.
Earlier this week, the US Department of Justice released an indictment against a group of hackers known as Sandworm. In the document, six hackers allegedly working for the Russian military intelligence agency GRU were charged with computer crimes linked to cyberattacks around the world, from sabotaging the 2018 Winter Olympics in Korea to spreading the most destructive malware in Ukrainian history.
The attack on Ukraine’s power grid in 2016 appears to have been designed not just to cut off power, but to cause physical damage to electrical equipment. And when one cybersecurity researcher named Mike Assante delved into the details of this attack, he realized that the hack was not invented by Russian hackers, but by the US government, and had already been tested a decade earlier.
WIRED published an article with an excerpt from the book SANDWORM: A New Era of Cyberwarfare and the Hunt for the Kremlin’s Most Dangerous Hackers, published last week. We have translated it and invite you to read a fascinating story about one of the earliest successful experiments in network hacking. Today, it still serves as a powerful warning of the potential effects of cyberattacks on the physical world, and a grim premonition of the coming Sandworm attacks.
On a cold and windy morning in March 2007, Mike Assante arrived at the Idaho National Laboratory 32 miles west of Idaho Falls, a building in the middle of a huge high desert landscape covered in snow and sagebrush. He entered the hall inside the visitor center where a small crowd was gathering. The team included officials from the Department of Homeland Security, the Department of Energy, and the North American Electric Reliability Corporation (NERC), executives from several electric utilities around the country, and other researchers and engineers who, like Assante, were tasked with the National Laboratory to conduct their days in the imagination of catastrophic threats to America’s critical infrastructure.
At the front of the room was an array of video monitors and data links set up to face the stadium seats in the room, like the flight control center of a rocket launch. The screens showed live feed from several angles of the massive diesel generator. The car was the size of a school bus, mint green, a gigantic mass of steel weighing 27 tons, about the same as an M3 Bradley tank. It was a mile from the auditorium, in an electrical substation, producing enough electricity to power a hospital or warship, and making a steady roar. Heat waves emanating from its surface shook the horizon in the image of the video stream.
Assante and his fellow INL researchers bought a $ 300,000 generator from an oil field in Alaska. They sent it thousands of miles to the Idaho Proving Ground, an 890-square-mile piece of land where the national lab maintained a sizable electrical grid for testing purposes, complete with 100 kilometers of transmission lines and seven electrical substations.
Now that Assante had done his job properly, they were going to destroy her. And the assembled researchers planned to destroy this very expensive and enduring mechanism, not with any physical tool or weapon, but with about 140 kilobytes of data, a file smaller than the average cat GIF posted on Twitter today.
Three years ago, Assante was the head of security for American Electric Power ., a utility company with millions of customers in 11 states from Texas to Kentucky. A former Navy officer turned cybersecurity engineer, Assante was well aware of the possibility of hacker attacks on the power grid. But he was dismayed to see that most of his colleagues in the electricity industry had a relatively simplistic view of this still theoretical and distant threat. If hackers somehow got into the utility’s network and started opening circuit breakers, the industry thought at the time was that staff could simply kick the intruders off the grid and turn the power back on. “We could handle it like a storm," Assante recalls the words of his colleagues. “As it was supposed to be, it would be like a shutdown and we would recover from the failure, and that was the limit of thinking about the risk model.”
But Assante, who had a rare level of knowledge of the crosstalk between electrical network architecture and computer security, came up with a trickier idea. What if attackers didn’t just take over network operators’ control systems to flip switches and cause momentary power outages, but instead reprogrammed automated network elements, components that made their own decisions about network operation without checking with anyone?
Specifically, Assante was thinking of a device called a protective relay. Protective relays are designed to function as a protective mechanism to protect against hazardous physical conditions in electrical systems. If the lines overheat or the generator goes out of sync, it is these protective relays that detect the anomaly and open the circuit breaker, shutting down the fault location, saving precious equipment and even preventing fires. The protective relay acts as a kind of lifesaver for the network.
But what if that protective relay could be paralyzed—or, worse, damaged so that it would become a glide path for an attacker’s payload?
This disturbing question was posed to Assante at the Idaho National Laboratory while he was working in the electric power industry. Now, in the lab’s test site visitor center, he and his fellow engineers were about to put their most evil idea into action. The secret experiment was given a code name that would become synonymous with the possibility of digital attacks with physical consequences: Aurora .
The test director read out the time: 11:33. He checked with the safety engineer that there were no strangers around the lab’s diesel generator. He then gave the green light to one of the cybersecurity researchers at the National Laboratory’s office in Idaho Falls to launch the attack. Like any true digital sabotage, this one will be carried out miles and miles away, via the Internet. In response, the simulated hacker sent approximately thirty lines of code from his car to a safety relay connected to a bus-sized diesel generator.
The inside of this generator, until the moment it was sabotaged, performed a kind of invisible, perfectly harmonized dance with the electrical grid to which it was connected. The diesel fuel in its chambers was sprayed and exploded with inhuman timing to move pistons that rotated a steel rod inside a generator engine – the complete assembly was known as the "prime mover" – about 600 times per minute. This rotation was through a rubber bushing designed to dampen any vibration, and then into the electricity-generating components: a levered rod wound with copper wire, enclosed between two massive magnets, so that each rotation induced an electric current in the wires. Spin this mass of wound copper fast enough,
The safety relay attached to this generator was designed to prevent it from being connected to the rest of the power grid without first being synchronized to the exact rhythm: 60 hertz. But hacker Assante in Idaho Falls has just reprogrammed that security device, turning its logic on its head.
At 11:33 and 23 seconds, the protection relay detected that the generator was perfectly synchronized. But then his twisted brain did the opposite of what it was designed for: it opened a circuit breaker to turn off the machine.
When the generator was disconnected from the Idaho National Laboratory’s larger power grid and freed from the burden of dividing that vast system, it instantly began to accelerate, spinning faster. As soon as the safety relay detected that the rotation of the generator had increased to a complete out of sync with the rest of the network, its logic, deliberately reversed by the hacker, immediately connected it to the network mechanism.
The moment the diesel generator was reconnected to the larger system, it was struck with the fatal force of any other spinning generator on the network. All this equipment returned the relatively small mass of the diesel generator’s rotating components to their original, slower speed to match the frequencies of its neighbors.
On the screens, the assembled audience watched as the gigantic machine shook with sudden, terrible force, making a sound like whiplashes. The entire process from the moment the malicious code was launched to the first tremor took only a fraction of a second.
Black chunks began to fly out of the generator’s access panel, which the researchers had left open to observe its insides. Inside, the black rubber bushing connecting the two halves of the generator shaft was torn apart.
Seconds later, the machine shook again as the safety relay code repeated its sabotage cycle, turning the machine off and on again out of sync. This time, a cloud of gray smoke began to billow out of the generator, possibly the result of the rubber pieces burning inside it.
Assante, despite months of effort and millions of dollars in federal funds he spent developing the attack they witnessed, somehow felt some sympathy for the machine as it was being torn apart from the inside. “You start rooting for it like a little engine,” Assante recalled. "I thought, ‘You can do it!’"
The car didn’t survive. After the third hit, she released a larger cloud of gray smoke. After the fourth impact, a jet of black smoke rose 10 meters above the car into the air.
The test director ended the experiment and disconnected the destroyed generator from the mains for the last time, leaving it deadly immobile. In a subsequent forensic analysis, lab researchers found that the motor shaft had collided with the inner wall of the motor, leaving deep gouges on both sides and filling the interior of the machine with metal shavings. On the other side of the generator, its wiring and insulation melted and burned. The car was destroyed.
Silence reigned in the visitor center after the demonstration. “It was a sober moment,” Assante recalls. Engineers have just proven beyond a doubt that hackers attacking an electrical network can go beyond temporarily disrupting the victim’s work: they can damage their most critical equipment beyond repair. “Imagine what would happen to a machine in a real factory, it would be terrible,” says Assante. "With just a few lines of code, you can create conditions that can physically cause serious damage to the machines we rely on."
But Assante also remembers feeling something more serious in the moments after the Aurora experiment. There was a sense that, like Robert Oppenheimer watching the first atomic bomb test at another US national laboratory six decades earlier, he was witnessing the birth of something historic and extremely powerful.
According to Wired.