The Russian Hacking of 2016 Was Just a Taste. Here’s What We Could Be In For.

From disinformation to election hacking to attacking trains and banks, the Kremlin tested it all in Ukraine.

Adam Vieyra; Zocha_K/Getty; MLADN61_Getty

Oleh Derevianko was on the road to his parents’ village in Ukraine on a bright June day in 2017 when he got a call from the CEO of a telecommunications company. Computer systems were failing at Oschadbank, one of the largest banks in Ukraine, and the CEO suspected a cyberattack. Could Derevianko’s digital security firm investigate? Derevianko told his response team to look into it and kept driving. Then his phone buzzed again. And again. Something big was happening.

Across Ukraine that day, cash registers suddenly shut down. People trying to withdraw money saw ransom demands appear on ATM screens. Lawmakers in the country’s parliament could not access their laptops. Turnstiles in Kiev’s subway stopped working, and departure boards at the airport went down. Technicians at Chernobyl, the site of the deadly nuclear disaster in 1986, had to manually check radiation levels after their computers failed.

It became clear to Derevianko that this was no random malware. It was an act of cyberwar—the latest digital attack from Russia. The Kremlin had previously targeted Ukraine with information warfare, using social platforms to spread propaganda that exploited ethnic divisions. It had launched cyberattacks on election systems and the power grid. But this attack was the biggest one yet—designed to simultaneously bring down multiple systems to create maximum chaos.

Listen to reporters Pema Levy and AJ Vicens discuss Russia’s threat to the 2018 midterm elections on the Mother Jones Podcast.

That progression, many experts believe, should be a hair-on-fire focus for American security officials. Ukraine showed the evolution of Russia’s digital-disruption arsenal from disinformation and hacking to infrastructure attacks. Everything the Kremlin has done there, these experts say, can and will eventually be deployed against other adversaries. “Any type of attack,” Derevianko told me as we sat in his firm’s glass-walled conference room in the capital, Kiev, “can be launched against the United States.”

I first visited Ukraine in 2008, when I took a two-and-a-half-hour flight from Tbilisi, Georgia, where I lived at the time. It was the same summer Russia invaded Georgia and my first on-the-ground experience of Moscow’s combination of conventional military power and cyberwarfare. Russian tanks rolled past the Georgian border even as Georgian government agencies were hit with cyberattacks that shut down computers or displayed images of former Georgian President Mikheil Saakashvili next to pictures of Hitler.

Because Ukraine was run by a Western-leaning government, speculation that it might be next was pervasive. In 2010, in the Ukrainian town of Lviv, a man with a shock of white hair introduced himself to me on the street wanting to know: “Do you know the history of Ukraine?” I asked why. “Ukraine is a colony of Moscow,” he explained, “and they will try to take us again someday.” I didn’t give it much thought until the spring of 2014, when Russia annexed Crimea and Russian troops started showing up in eastern Ukraine to fight alongside ethnic separatists.

Ukraine wasn’t remotely ready. After years of corruption that depleted its defense ministry’s coffers, Kiev struggled to provide basic necessities to its troops. And it had virtually no defenses against Russia’s increasingly destructive cyberweapons.

In 2015, hackers went after the electrical grid and shut off power to 225,000 Ukrainians. Another attack, in 2016, blacked out one-fifth of Kiev. And last year came the multipronged offensive that would eventually be known as NotPetya (after the Petya ransomware that it partially mimicked).

Jessica Robinson is the CEO of the cybersecurity company PurePoint International. Like many digital security professionals I interviewed for this story, she is convinced Ukraine is “ground zero from the standpoint of being hacked and attacked by Russia. There’s so much that could be learned there.”

There is plenty of indication that Moscow has at least tested the possibility of similar attacks in the United States. As far back as 2014, Russian hackers compromised 500 million Yahoo accounts. In 2016, Russia-backed actors attempted to breach electoral systems in multiple states, according to the Department of Homeland Security. (So far, the administration has refused to publicly confirm which ones.) And in March, FBI and homeland security officials warned that “Russian government cyber actors” had targeted companies and systems involved with America’s water supply, nuclear plants, aviation, and other key infrastructure.

Still, the Trump administration appears to have done little to counter these rising threats. Since 2016, Congress has earmarked $120 million to guard against foreign interference, but the State Department has spent none of it, according to the New York Times. None of the analysts at the department’s Global Engagement Center, which is tasked with taking on Russia’s disinformation campaign, speak Russian.

President Donald Trump has also dragged his feet on enforcing congressionally mandated sanctions against Russia and told the public he believes Vladimir Putin’s assertions that there was no election interference. Admiral Michael Rogers, who heads the National Security Agency and the Pentagon’s US Cyber Command, told Congress in February that Trump had never given an order to disrupt Russian election interference. (Neither the Department of Homeland Security nor the White House would comment for this article.)

“I do not believe that we are prepared and focusing nearly enough on bolstering our cyberdefenses,” Rep. Brendan Boyle (D-Pa.), who championed legislation to direct the State Department to study the Ukrainian experience, told me. “Cyber is the battlefield of the 21st century, and I am deeply concerned that we are woefully unprepared in this area.”

Rep. Boyle’s legislation, which was included in the Pentagon budget bill signed into law by President Trump in August, is intended to send US experts to Ukraine to provide technical support and training and to observe Russian cyberattacks in real time—from disinformation that sows ethnic discord to hacks against critical infrastructure. Aleks Mehrle, one of the organizers of the initiative, says it’s been tough to get Americans to appreciate just how vital it is to understand these attacks.

“Unfortunately the most likely way for the public to understand that the threat is real and will impact their lives will be if a cybersecurity event happens here,” he said. “We hope to never get to that point.”

Junaid Islam, the chief technology officer and founder of Vidder, a California-based cybersecurity firm, told me that one of the most disturbing aspects of the NotPetya attack was that it involved next-generation cyberweapons. Unlike malware activated when a user clicks an email attachment or a link, NotPetya, once installed by an unwitting user in a single computer, spreads by itself through the network connected to the machine. That kind of weapon, notes Islam, can target one person (say, a candidate’s campaign manager) and erase her hard drive as soon as she logs into the network. Or it can target an entire organization, company, or government agency.

Such a self-propagating piece of malicious code, Islam points out, would move even faster in America, where 90 percent of the population has internet access, versus just over half in Ukraine. “That to me is a true cyberweapon,” Islam says.

Cyberattacks against the United States could also target the software that controls power plants or trains—especially the complex systems, known as Supervisory Control And Data Acquisition (SCADA), that manage industrial and transportation infrastructure. Imagine, Robinson says, if New York City’s trains were to stop working on Election Day because their systems were hit with a cyberattack.

For the Kremlin, Robinson says, attacks are not just about inflicting specific damage. “They’re showing their absolute power and ability to do this. And at the end of the day, there are no repercussions for it.” Year after year, she notes, the Kremlin is “getting stronger at attacking other nation states” while the United States is barely reacting.

There’s no telling how the Kremlin will hit America as election season heats up—but at a minimum, says Camille Stewart, an Obama-era homeland security official, we’ll continue to see the disinformation attacks that worked so well in 2016. “If there haven’t been enough precautions put in place,” she says, “they’re likely to use the same methods. Hacking the public confidence has been very effective, and they are likely to continue in that vein.”

Andrei Soldatov, a leading cybersecurity journalist based in Moscow, agrees that Putin has come to see cyberwar as high-reward and low-risk. Back in the early 2000s, Soldatov notes, Russian intelligence agencies found themselves on the losing end of information warfare, as Chechen rebels relied on the internet to spread their message. That’s when the Kremlin began outsourcing disinformation work to students, IT professionals, and underground hackers.

“It was at that moment the Kremlin said, ‘Oh, this could be a really great thing’ because you just need to encourage these people and you can always deny your responsibility,” Soldatov told me at the PutinCon conference this past spring. “That’s why [the Kremlin] has become so adventurous. They don’t see any risks coming their way.”

Dmytro Potekhin met me at a cafe on Kiev’s bustling Shota Rustaveli Street this past winter. With salt-and-pepper hair and smart, black-framed glasses, he looked more like an academic than the human rights organizer he is. For years, he has worked on educating Ukrainians about their voting rights and training them to report irregularities like ballot-stuffing. But recently, he’s increasingly found himself battling Russian disinformation.

The Kremlin has worked vigorously to paint the Kiev government as Nazis who want to rid the nation of ethnic Russians. It has used everything from Russian state media—which regularly features false news reports on Ukraine, such as one claiming the country was training terrorists in Syria—to Facebook, Twitter, and the Russian social network Vkontakte.

To fight these kinds of attacks, Potekhin says, it’s not enough to shut down troll accounts, as platforms like Twitter and Facebook have increasingly done. Instead, he argues, the key is to facilitate one-on-one communication based on relationships of trust. “Social media is a powerful [tool] to undermine democracy,” he told me.

But, he added, the same thing that makes propaganda so powerful on social media—that it spreads via friend networks—also offers a chance to fight back. Research shows, he noted, that challenges to disinformation are more powerful when they come from someone you know. He showed me an app his team was working on, designed to help people spot and call out fake stories their friends are sharing. It’s due to be released later this year in Russian, Ukrainian, and English.

In February, I caught up with Dmytro Shymkiv, a top official charged with overseeing the Ukrainian government’s cybersecurity efforts, as he visited DC to lobby for Rep. Boyle’s bill. During a panel discussion at George Washington University, Shymkiv said that as far back as 2014, he’d warned Facebook representatives about how Russian-backed trolls were using the platform to launch disinformation campaigns. Facebook, he said, told him that they couldn’t interfere with freedom of speech. “Imagine if they had listened to us and did a bit of investigation and probably prevented some of the campaigns that have been running in the US,” he said.

(Facebook did not respond to my request for comment. Twitter sent talking points “on background,” but would not comment on the record.)

The Ukrainian government has banned Vkontakte, the social platform used by 60 percent of Ukrainians who are online. It says Russian security services harvested Ukrainian users’ information from it and recruited ethnic Russians to fight the government. “The people who open an account on Vkontakte, they are basically saying, ‘Okay, I’m ready to provide all my private information to [Russian intelligence],’” Shymkiv told me.

Many cybersecurity experts agree that Trump’s refusal to challenge Putin has left the United States exposed to attacks even more devastating than those of 2016. (See Mother Jones’ recent investigation of election-security risks in the midterms.) Michael Carpenter, the former deputy assistant defense secretary for Ukraine, Russia, and Eurasia, says that because so much of America’s critical infrastructure is privately owned, the government can do little to standardize security protocols. As a result, levels of preparedness vary wildly.

Americans are also more dependent on digital systems, he adds: In Ukraine, “the only way those [nuclear] power plants got back online is because they were so old they had manual functionality. Had our plants been hit by a similar virus, they would have gone down, and the consequences are enormous. I think a lot of Americans haven’t woken up to this yet.”

Carpenter told me bluntly that he believes the president “is turning a blind eye because he is beholden to the Kremlin.” Rep. Boyle, the sponsor of the cybersecurity bill, was more circumspect: The president, he told me, appears to have reacted to every revelation about Russia with a focus on self-preservation.

“This whole topic feeds into his insecurity,” he said. “If we can take this outside the realm of the 2016 election and couch it as an issue of national defense, then I think we have the prospect of being successful.”

But there’s the rub. To protect the nation, Trump would have to acknowledge that his success may have been buoyed by Russian support. And that, it seems clear, he refuses to do.