A Blog by Jonathan Low


Jun 25, 2016

Envisioning the Hack That Could Take Down New York City

The question is when, not if. JL

Reeves Wiedeman reports in New York Magazine:

The day cars drove themselves into walls and the hospitals froze: a scenario that could happen based on what already has.
On December 4, 2017, at a little before nine in the morning, an executive at Goldman Sachs was swiping through the day’s market report in the backseat of a hired SUV heading south on the West Side Highway when his car suddenly swerved to the left, throwing him against the window and pinning a sedan and its driver against the concrete median. A taxi ran into the SUV’s rear fender and spun into the next lane, forcing a school-bus driver to slam on his brakes. Within minutes, nothing was moving from the Intrepid to the Whitney. When the Goldman exec came to, his driver swore that the crash hadn’t been his fault: The car had done it.[1]

Moments later, on the George Washington Bridge, an SUV veered in front of an 18-wheeler, causing it to jackknife across all four lanes and block traffic heading into the city. The crashes were not a coincidence. Within minutes, there were pileups on 51st Street, the southbound BQE, as far north as the Merritt Parkway, and inside the Midtown Tunnel. By nine, Canal Street was paralyzed, as was the corner of 23rd and Broadway, and every tentacle of what used to be called the Triborough Bridge. At the center of each accident was an SUV of the same make and model, but as the calls came in to the city’s 911 centers in the Bronx and Brooklyn, the operators simply chalked them up to Monday-morning road rage. No one had yet realized that New York City had just been hit by a cyberattack — or that, with the city’s water system, mass transportation, banks, emergency services, and pretty much everything else now wired together in the name of technological progress, the worst was yet to come.[2]


The fictional account imagined here is based on dozens of conversations with cybersecurity experts, hackers, government officials, and more. An attack of such scope is unlikely, but each component is inspired by events that can, and in most cases have, happened.
[1] In 2015, carmakers began paying greater attention to the fact that some new vehicles, now connected to the internet, had become as hackable as laptops. In March, researchers found hackers were able to access the ignition on Audi, BMW, Ford, Honda, Hyundai, Kia, Lexus, Mazda, Mitsubishi, Nissan, Range Rover, Subaru, Toyota, and Volkswagen cars.
[2] Homeland Security recently estimated that one major cyberattack — the NSA chief has said it’s a matter of “when, not if” — could cost $50 billion and cause 2,500 fatalities.
A third-year resident in the emergency room at Columbia University Medical Center in Washington Heights walked through the hospital as a television was airing images from the accident on the George Washington Bridge; that meant several crash victims would soon be heading her way. When she got to her computer, she tried logging into the network to check on the patients who were already there, but she was greeted with an error message that read WE’RE NOT LOOKING FOR BITCOIN THIS TIME.
Columbia, like major institutions across the country, had spent the past few years fighting so-called ransomware attacks, in which hackers locked a hospital or city hall or police department out of its own network until a ransom was paid.[3] Hospital security teams had gotten wise to the problem, but every network’s defenses had the same vulnerability: the people who used it.[4] For weeks, a group of hackers had been sending LinkedIn messages to employees at Columbia pretending to be recruiters from Mount Sinai. When an employee opened an attachment featuring the recruiting pitch — as ten of them did — and enabled the macros as prompted onscreen — four of them did — they unknowingly unleashed malware onto their computer and gave the hackers a beachhead. After months of lurking,[5] the hackers blocked Columbia’s doctors and nurses from accessing their network, including patient files. Doctors couldn’t access prescription records telling them which patients were scheduled to take which drugs when and resorted to improvised paper-record keeping,[6] which many of the younger doctors had never done before. In nearly every corridor, they were consulting with one another in a panic, asking how much of their own expertise was really stored in the cloud and had just disappeared.
[3] In February, a hospital in L.A. paid 40 bitcoins, or about $17,000, to get back into its system. Russian hackers have even set up English-language call centers to explain to victims how to acquire and send bitcoins.
[4] Hackers recently sent Pennsylvania drivers fake traffic tickets with malware, using GPS data so the tickets seemed to be from red-light cameras on their route home.
[5] The average data breach is only identified five months later; hackers were allegedly inside a Ukrainian utility network for six months before shutting off electricity.
[6] In March, a D.C.-area hospital system was hacked and forced to keep paper records. They got so overwhelmed they turned away cancer patients with radiation appointments.
The crowd in the waiting room swelled and grew more tense as nurses ran by patients, unable to give updates on when they might be seen. Various procedures were taking longer than they should have — one man was kept on a powerful antibiotic for several hours, with serious side effects, before a delayed lab result came back reporting that he should go off the medication — and the staff was having trouble keeping track of patients. A little before noon, a man walked into the hospital looking for his wife, whom he had dropped off early that morning for a simple surgical procedure. A few minutes later, the nurse told him that it appeared his wife had been discharged.
Most New Yorkers were proceeding with their day unaware. But the city’s head of cybersecurity[7] had begun to connect the dots: Six hospitals had already informed him that their systems had been shut down, and the city had sent out warnings to all the others. One Police Plaza had just reported that it, too, was locked out of the programs it used to dispatch officers and emergency personnel,[8] which made responding to the traffic accidents around the city that much harder.
[7] New York’s first head of cybersecurity started the job earlier this year.
[8] In April, Newark’s police were locked out of their computer system for three days.
After a few phone calls to friends in the private sector, the cybersecurity chief got more nervous. At the beginning of 2017, one friend told him, she had been called to investigate a mysterious occurrence at a water-treatment plant: The valves that controlled the amount of chlorine released into the water had been opening and closing with unenections to the internet, from wind turbines to thermostats[21] to Wi-Fi-enabled baby monitors. As they looked for ways to demonstrate vulnerability — to show just how many mundane features of urban life had been opened up to hackers in recent years — they found themselves focusing on something most New Yorkers use every day. The vast majority of the 70,000 elevators in New York City are not connected to the internet, but building managers had begun taking elevator manufacturers up on their offers to install remote-control systems as a way to cut costs. And so, an hour after the SUVs started crashing, a resident who had recently moved into a new tower in Hudson Yards was riding up to her 22nd-floor apartment when her elevator suddenly jerked to a halt. Across town, a bank of elevators in a Downtown Brooklyn office building that had installed the same software stopped working, with several members of a new-media start-up onboard one car. It didn’t take long for them to begin sharing their lighthearted grievances on social media. One of them pointed out a remarkable coincidence on Facebook: His friend in a different building had gotten stuck in an elevator too.
[21] In 2014, an Ohio man remotely accessed the thermostat in the home of his ex-wife, who’d left him for another man. “Since this past Ohio winter has been so cold I’ve been messing with the temp while the new love birds are sleeping,” the man wrote in a review of the thermostat on Amazon. “Doesn’t everyone want to wake up at 7 a.m. to a 40-degree house?” He gave it five stars.
By now, officials at U.S. Cyber Command were monitoring the situation in New York. Both the Department of Homeland Security and FEMA had conducted practice operations to see how they would respond to a cyberattack, but this was the first time anyone in the government had been called to respond to a major incident, and it wasn’t entirely clear who was in charge.[22] American intelligence had long suspected that this particular group of Europeans might have more-than-indirect ties to the Russian government, but Putin wasn’t saying so, and the Russians quickly denied any involvement, as did the Chinese,[23] the Iranians,[24] and the North Koreans.[25] If they were all to be believed, there were just a few hacker groups with both the expertise and the resources to pull off a multipronged cyberattack, and this one was near the top of that list. But there was only so much the government could do. The group’s members worked separately, and the Defense Department had only the vaguest sense of where they might be. Dropping bombs wasn’t an option.

By the time the FDNY rescued the woman in Hudson Yards from her stalled elevator, and she had walked up seven flights of stairs to her apartment, grabbed a beer, and turned on the television, she found CNN airing footage of Wolf Blitzer stalking around the network’s midtown newsroom as befuddled members of the IT department, which didn’t have any better ideas, began unplugging every nonessential device they could. Companies started urging their employees to take the stairs, while many simply sent employees home. The mayor decided to continue running the subways, but at a delay to stagger trains and prevent accidents. Some people didn’t feel like risking it and trudged home through the snow instead. No one wanted to drive, and Uber, which had a number of drivers who used the targeted model of SUV, added a warning to its app that it couldn’t guarantee rider safety. (Still, demand drove surge pricing up to its maximum of 2.8 times the normal fare.) The security consultant who’d found the mess with the water-treatment plant went on TV to tell people that it appeared cyberterrorists had tried to hack the water supply. False reports of attacks on the stock exchange[27] and Amtrak and a gas pipeline[28] and a factory[29] shot around Reddit and Twitter, until nobody wanted to do much of anything but get home, unplug their wireless router, and hope for the best. “With cyberattacks confirmed against cars and several hospitals, it’s impossible to say what might happen next — ” Blitzer said, before televisions around the city went blank. When the power went out, at 1 p.m., hundreds of subway cars carrying thousands of passengers who had decided to risk the ride suddenly found themselves stuck between stations;[30] one group that got trapped in an L train under the East River had to walk more than half a mile underground to get to First Avenue, using the light of their dying cell phones to navigate. Many of them said later they were expecting another threat — a bomb, a gas attack — figuring whatever sinister group was behind all this was sophisticated enough to coordinate that, too.

Aboveground, traffic lights were out, so anyone willing to drive a car was crawling slowly through the snow. Many of the stranded were worried that the hackers had targeted their bank accounts, spiriting away their savings to some untraceable, block-chain account, possibly to fund future attacks — which were surely coming, according to the panicked chatter on the street. But all the ATMs were down, which made it hard to check. Credit-card readers didn’t work, and neither did Apple Pay, so anyone who’d gone cashless couldn’t buy anything. Stores around the city closed, and sporadic bouts of looting cropped up, along with rumors exaggerating the extent of it and the violence associated with it.
Wall Street kept trading on backup generators, although most people wished it hadn’t: Within minutes of the outage, the Dow had plunged.

For the hackers, getting access to the power grid had been simple enough. They mailed a USB stick[31] to engineers at several companies that operate power-generating facilities in the New York area, with an attached letter saying the stick included an explanation of their benefits package for the upcoming year. Most of the engineers plugged the thumb drive into a home computer, but several took it to work and opened the document there.

Knowing what to do once they had breached the system[32] was, for the hackers, a more difficult matter. In preparation, they had filled out the team with several electrical engineers who had been involved in a 2015 attack that knocked out power for several hours to a region in Ukraine the size of Connecticut.[33] After the team got inside the utility’s networks, the electrical engineers spent several months poring over the code, examining the particular system and equipment that the utility was using, and chatting online with an engineer from one of the utilities whom they had found grousing about his job on a Reddit forum. After six months of trial and error, working on a mirror system they had built themselves for testing, the engineers were able to develop several pieces of malicious code that, once inserted, were capable of damaging transformers and generators throughout several parts of the grid.

Power companies are used to handling outages with a variety of causes — hurricanes, squirrels, tree limbs[35] — but given the events of the day, Homeland Security[36] had already deployed members of its Industrial Control Systems Cyber Emergency Response Team to New York by the time the power went out. As the DHS teams fanned out to the control centers at various utilities, reports had begun to trickle back from engineers who were inspecting substations[37] in the field. While some had simply been knocked offline, one worker called back with worse news: Several transformers at one substation were broken.[38] Workers at other facilities called back with similar news. The control center had noticed nothing amiss, which didn’t make sense, until the team from the DHS realized that the attackers had manipulated the displays on the control-center computers so that they were presenting information from 24 hours earlier, when everything had been fine. It was just a few lines of code, but the damage[39] would last: Transformers are expensive pieces of equipment, and the utilities hadn’t stockpiled enough to replace every one. Getting certain parts could take months.
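A defender's check for the display manipulation described above (an HMI showing day-old data as if it were live), as an added example that is not the article's or any utility's code. The feed format, station names, readings and audit time are constructed for the example; real historian data would replace them.

```python
"""Freshness and replay checks for control-center telemetry.

Added example, not code from the article or any utility. It assumes a
constructed CSV feed of HMI readings (timestamp, substation, transformer,
load in MVA) and checks for the two ways a display can lie as described
above: the newest reading shown is not actually recent, or the current
window is an exact repeat of the readings 24 hours earlier.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample feed, one reading per line: timestamp,substation,transformer,load_mva
SAMPLE_FEED = """\
2017-12-03T12:55:00Z,SUB-A,T1,41.2
2017-12-03T13:00:00Z,SUB-A,T1,40.8
2017-12-03T13:05:00Z,SUB-A,T1,40.9
2017-12-04T12:55:00Z,SUB-A,T1,41.2
2017-12-04T13:00:00Z,SUB-A,T1,40.8
2017-12-04T13:05:00Z,SUB-A,T1,40.9
2017-12-03T13:05:00Z,SUB-B,T2,37.0
2017-12-03T12:55:00Z,SUB-C,T3,52.4
2017-12-03T13:05:00Z,SUB-C,T3,52.9
2017-12-04T12:55:00Z,SUB-C,T3,55.1
2017-12-04T13:05:00Z,SUB-C,T3,54.6
"""
# Wall-clock time of the audit, assumed for the example (UTC).
NOW = datetime(2017, 12, 4, 13, 5, tzinfo=timezone.utc)


def parse_feed(text):
    """Parse the CSV feed into (timestamp, substation, transformer, load) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sub, tx, load = line.split(",")
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), sub, tx, float(load)))
    return rows


def stale_points(rows, now, max_age=timedelta(minutes=15)):
    """Keys whose newest reading is older than max_age: the display is frozen
    or is showing old data under its original timestamps."""
    latest = {}
    for ts, sub, tx, _ in rows:
        latest[(sub, tx)] = max(ts, latest.get((sub, tx), ts))
    return sorted(key for key, ts in latest.items() if now - ts > max_age)


def replayed_points(rows, now, window=timedelta(minutes=15), lag=timedelta(hours=24)):
    """Keys whose readings in the last `window` match, offset for offset and
    value for value, the readings `lag` earlier. Real transformer load does not
    repeat a day-old profile to the decimal, so an exact match points at old
    values being re-stamped with fresh timestamps."""
    by_key = defaultdict(list)
    for ts, sub, tx, load in rows:
        by_key[(sub, tx)].append((ts, load))
    flagged = []
    for key, pts in by_key.items():
        cur = {now - ts: load for ts, load in pts if timedelta(0) <= now - ts <= window}
        old = {now - lag - ts: load for ts, load in pts
               if timedelta(0) <= now - lag - ts <= window}
        if cur and cur == old:
            flagged.append(key)
    return sorted(flagged)


def audit(text, now=NOW):
    """Run both checks over a feed and return the flagged keys for each."""
    rows = parse_feed(text)
    return {"stale": stale_points(rows, now), "replayed": replayed_points(rows, now)}


if __name__ == "__main__":
    print(audit(SAMPLE_FEED))
```

In the sample, SUB-B is frozen (its last reading is a day old) and SUB-A is replayed (today's window is a verbatim copy of yesterday's), while SUB-C is healthy; both checks need an independent clock and historian, since a compromised HMI host can lie about both.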
As night fell, the New York City sky was an inky black. Every building with a backup generator became a gathering place, while everyone else curled up with candles at home. (The FDNY had its busiest night of house fires since the ’70s.) Several people who lived in homes neglected by slumlords, with only electric heaters to keep them warm, were found suffering from hypothermia, and several more died of carbon-monoxide poisoning from a portable generator. The uncertainty over who was doing the attacking, and what the next attack might be, sent many people to bed with a looming dread. Something worse was coming, they were all sure, and every device they owned could be turned against them and was now a threat.
As those who were able to sleep began to wake up the next morning, the attacks seemed to have stopped — though no one could say for certain. Security teams at every company and government agency had worked through the night to safeguard their systems, and the Pentagon, joined by intelligence agencies around the world, was trying to track down the offending hackers, who seemed to have decided to stand down and withdraw for a while. Traffic was light in and out of the city, and the subway remained closed as power came back on in spurts: Parts of the city had electricity within 24 hours, but it took days for other areas to come back online. When the subway finally started running again, it did so with delays and was filled with passengers who glanced anxiously at one another whenever the train unexpectedly hit its brakes. The city’s head of cybersecurity was fired, as were several of the engineers who had plugged in the USB sticks.
Only a dozen people had died in the attack, but the city had undeniably changed. No buildings had been destroyed, no bombs had exploded, no money had been stolen, but each scenario now seemed not just possible but imminent. The direct economic cost[41] was sure to be significant — the Dow dropped a thousand points by week’s end — and the personal trauma was still ongoing. The man whose wife had supposedly walked out of the hospital after having her surgery had spent all day and night searching for her, until his cell phone finally died. He went to the hospital the next morning and pleaded with anyone he could find. Eventually, one nurse, who hadn’t slept in 24 hours, found his wife in cardiology, lying down in a hospital bed with an IV still stuck in her arm.

But the worst damage was psychological. Because the grid that powers New York is connected with a larger regional grid, the outage affected tens of millions of people and set off a national debate that was more unhinged than most — a fearful swirl of xenophobia, Luddism, and political grandstanding. Everything that had looked like progress over the previous two decades now looked more like a Trojan horse: “Smarthome” devices and driverless-car initiatives became political footballs. For every measure to increase funding for cybersecurity,[43] there was a congressman demanding that even white-hat hackers,[44] who tried to probe systems as a way to point out vulnerabilities before the bad guys got to them, be thrown in jail. The president’s domestic agenda was shelved, as the next 18 months required convincing the American people that their government was capable of protecting them from their own devices, even as security experts acknowledged that there was no way to build a world of interconnected systems that was completely secure.
Americans had spent the past decade and a half gradually coming to terms with the fact of anti-American Islamist terrorism,[45] mostly by comforting themselves that the perpetrators were far away, separated by not only geography but the massive buffer of America’s national-security apparatus. Now even that apparatus seemed vulnerable to malicious redirection. Air-traffic control, a local bank, the iPhone app[46] that came with an electroshock function — cracking those seemed suddenly like child’s play. It was hard to blame people for their anger when they had been told to trust that the devices they brought into their lives were safe, only to find that many of them weren’t. Parents who had done their Christmas shopping on Cyber Monday returned anything with a Wi-Fi connection. Everyone had to be reminded again of all the incredible benefits of a connected world. Doctors had to convince people that their implantable defibrillators[47] couldn’t be hacked. Americans begrudgingly accepted the inconveniences experts said were necessary — triple verification, firewalls between firewalls, encrypted encryption — but the phrase cybersecurity theater soon joined its airport predecessor in the lexicon of nanny-state policies. Copycat attacks sprang up around the world: trains going haywire in Japan; smart thermostats freezing pipes in Minneapolis; Chinese hackers noodling around a water utility in San Francisco. Americans suddenly realized that, although they had spent plenty of time anguishing about how to protect the country’s physical borders, with every device they bought, they had been letting more and more invaders into their cities, their homes, and their lives. They had moved everything they did online, thinking they were moving into the future; they woke up the morning after thinking they’d moved into a war zone instead. What frightened people most wasn’t the attack itself, but rather what it foreshadowed.
The day after, the hackers had sent a drone flying over the city dropping leaflets with a simple message: WE’LL BE BACK. It almost didn’t matter whether they would.

