Somewhere in China, a man typed his user name, "ghost," and password, "hijack," and proceeded to rifle the computers of a utility in the Northeastern US.
He plucked schematics of its pipelines. He copied security-guard patrol memos. He sought access to systems that regulate the flow of natural gas. He cruised channels where keystrokes could cut off a city's heat, or make a pipeline explode.
That didn't appear to be his intention, and neither was economic espionage. While he was one of the Chinese officers the US charged last month with infiltrating computers to steal corporate secrets, this raid was different. The hacker called UglyGorilla invaded the utility on what was probably a scouting mission, looking for information China could use to wage war.
UglyGorilla is one of many hackers the FBI has watched. Agents have recorded raids by other operatives in China and in Russia and Iran, all apparently looking for security weaknesses that could be employed to disrupt the delivery of water and electricity and impede other functions critical to the economy, according to former intelligence officials with knowledge of the investigation. The incursions spurred a debate in the Obama administration over whether and how to respond, and raised alarms among lawmakers briefed on the incidents.
"This is as big a national security threat as I have ever seen in the history of this country that we are not prepared for," said Representative Mike Rogers, a Michigan Republican and chairman of the House intelligence committee, who agreed to talk about the attacks in general terms but declined to discuss specific incidents. "Your palms get a little sweaty thinking about what the outcome of those attacks might have been and how close they actually came."
Preparing battlefields
UglyGorilla's surveillance sortie was one of dozens conducted on natural gas pipelines and electric utilities by People's Liberation Army Unit 61398 over at least 14 months in 2012 and 2013, according to documents obtained by Bloomberg News and people involved in the investigations but who asked not to be named because they weren't authorised to speak publicly.
Unit members appeared to be performing the digital equivalent of mapping the dams or airfields or fuel routes of a potential enemy, what's known in military jargon as preparation of the battlefield. While that kind of spying has been standard practice for centuries, technology is scrambling traditional rules of war, blurring the distinction between intelligence-gathering and aggression.
A satellite capturing images from 600 miles above Earth doesn't cross the line; a navy vessel that sails into another country's waters does. Hackers scanning infrastructure from inside computers that control it are both gathering knowledge for use in combat and moving into a potential battlefield.
'They're practicing'
Operatives vacuumed up caches of e-mails, engineering PDFs and other documents, but it was their focus on supervisory control and data acquisition, or SCADA, systems in industrial computers that most concerned US officials, according to people familiar with the incidents. Attackers could use SCADA systems to manipulate valves to build up pressure and burst pipes or shut down a power plant.
"They're practicing," is how retired Army General Keith Alexander, then head of the National Security Agency, put it to lawmakers in 2012, according to a US official who was present but asked not to be identified because the briefing was private.
In many cases, by the time outside forces have breached a computer system, "they've already done everything they need to attack you," said Michael Hayden, a former director of the NSA and the Central Intelligence Agency. "In addition to doing reconnaissance, and maybe being accepted intelligence practice, they've got a gun at your head."
'Different threat'
The prevailing theory, according to two former senior national security officials, is that the hackers were only testing their skills and stockpiling data, preparing for a war their bosses may never wage, much as the US and Soviet Union built nuclear weapons inventories during the Cold War.
What concerns US defence officials is that while nuclear weapons are so destructive they haven't been used in warfare since 1945, cyberweapons are alluring because they're versatile. An adversary could be tempted by a menu of options, from a subtle disruption of communications systems to the chaos that would result if the power were shut down in Manhattan. Cyberweapons are far easier and cheaper to obtain than nuclear materials, and so is data about the vulnerabilities in industrial control systems that run the electrical grid and water purification plants. The data could be used to develop and experiment with more sophisticated attacks, according to people familiar with the operations.
Remote access
Nation-state hackers are also often freelancers, and the US has identified cases where some employed by Russia and China provided their services to others for a price, according to intelligence officials.