Exposing the Russian spies who attempted to hack a Kansas nuclear plant
Over the course of five years, a group of Russian spies targeted the Wolf Creek nuclear power plant in Burlington, Kansas. The Justice Department alleges they were on a sophisticated cyber reconnaissance mission to learn about the inner workings of the plant and prepare for a precision electronic assault.
Three young Russian spies, Pavel, Mikhail and Marat, working from computers in a 27-story skyscraper at 12 Prospekt Vernadskogo in Moscow, over five years targeted the Wolf Creek nuclear power plant in Burlington, Kansas.
They were on a sophisticated cyber reconnaissance mission to learn about the inner workings of the plant to prepare for a possible precision electronic assault by the Russians.
That is the story that broke March 24, when the U.S. Department of Justice suddenly and somewhat mysteriously unsealed an indictment against the hapless trio. The indictment was filed under seal on Aug. 26, 2021, in the U.S. District Court in Kansas City, Kansas, and lay gathering dust for seven months.
Context matters, and in this case it explains why the Sunflower State and its lone nuclear plant have been woven into a saga laced with John le Carré spy novel overtones.
The bloody context is the devastating war Russia launched weeks ago against Ukraine. It also includes the remarkably successful psychological warfare ops that the Biden administration and its Western European allies have thrown at Russian President Vladimir Putin and his war machine.
James Lewis, a nuclear cybersecurity expert, said that the DOJ indictment probably was unsealed in Kansas now because the Biden administration has fresh intelligence about the Russians and it wants those overseeing America’s critical infrastructure to be on heightened alert.
“Maybe the Russians are giving more consideration to a cyberattack than in the past. It is driven by what the Russians are up to,” said Lewis, director of the Strategic Technology Program of the Center for Strategic & International Studies in Washington.
Wolf Creek, completed in 1985, is located about 100 miles southwest of Kansas City. Evergy, formerly Kansas City Power & Light, owns 94% of Wolf Creek and the balance is owned by the Kansas Electric Power Cooperative.
Evergy declined to discuss the Russian cyberattack on Wolf Creek. Its statement is illuminating, however, in that it immediately references the Ukraine war.
Chuck Caisley, Evergy senior vice president of public affairs, in response to a request for an interview instead sent an email that stated, “Given the current geopolitical situation and the ongoing cyber security threat posture relative to the national electrical grid, generally, we are not publicly discussing cyber security at Evergy or at Wolf Creek. In addition to not discussing our perspective, practices and protocols generally, we are not discussing this incident either.”
Security experts say that before the presidencies of Barack Obama, Donald Trump and Joe Biden, U.S. intelligence agencies never publicly named foreign government hackers. Doing so now in a big way is an escalation in the ongoing battle against these threats, meant to get the attention of the governments and agents who had hoped to do their dastardly deeds in obscurity.
Named in the Kansas indictment are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.
For them, being publicly branded as cyber hackers “is a life changer,” said Tim Conway, industrial control systems curriculum lead at the SANS Institute, which provides training on cybersecurity. These guys will not be able to travel much beyond Russia’s borders for fear of being seized by international police agencies.
“For starters, there are rewards out from the U.S. Department of State’s Rewards for Justice program for up to $10 million for information leading to the identification or location of the individuals, which will limit travel capabilities, work capabilities, and likely limit the role in their current organizations,” he said.
Photographs of the three hackers of Wolf Creek were included in the indictment. While unlikely, if you spot them on the Country Club Plaza or at a Kansas City Royals game, you would be well advised to call the FBI.
Experts say their public exposure by American authorities is unique.
“Yes, yes, to my knowledge we are the only ones naming and shaming people,” Conway said.
After being provided a copy of the unsealed indictment, Conway told Flatland that the attack at Wolf Creek was akin to a fishing expedition to learn more about how the plant operates.
“They were building a list to inform future actions,” he said.
Bottom line, Conway said, safety systems at Wolf Creek would not allow cyber intruders to trigger a meltdown that could poison the region and Kansas City. An added layer of protection is that the plant's operational control systems are largely isolated from the business network and from the internet where cyber intruders roam; the compromise described in the indictment was of the business network, not of the systems that run the plant.
If there ever was a catastrophic release of radioactivity at Wolf Creek, Kansas City could very well be in its path, according to Bryan Busby, KMBC chief meteorologist.
“So, usually before rain and storms of any sort move in, the winds will come in from the southwest, meaning that any radioactive fallout would be transposed toward us,” Busby said. “As a rule, KC has about 105 days of precip — roughly just below one-third of the year.”
“Should people in Kansas City be panicked from attacks involved in this campaign which occurred years ago? Probably not,” Conway said. “But they should pay attention, saying to themselves, ‘Hey, this is happening in my state. This is not something happening in Ukraine or around the world.’”
The real point of releasing information about a cyberattack “that has been out for a long time,” Conway said, may be tied to Russia’s ongoing attack on Ukraine.
Publishing that information now, Conway said, “is absolutely informed by the geopolitical situation around the globe” and is likely to cause high level anxiety in the Kremlin.
“It highlights that things aren’t going well for Putin,” Conway said.
It also underscores Putin’s predicament of possibly being blindsided by his own intelligence agencies, which underestimated Ukraine’s fighting abilities in recent weeks.
American and allied intelligence agencies clearly have burrowed deeply into Russia’s cyberattack forces — as demonstrated by the details in the unsealed indictment.
How did America get the pictures of the Russian hackers and how long has the investigation been under way? That is a question hackers in Russia — as well as Iran, China and North Korea — are now asking themselves.
In addition, the indictment detailing how the Russians gained access to various energy and industrial networks provides good information for companies and their vendors tasked with having to build up defenses against future incursions.
The Department of Justice, in a press release issued March 24 about two unsealed indictments, said “two separate conspiracies, targeted the global energy sector between 2012 and 2018. In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.”
One indictment was in Washington, D.C.
The second, filed in Kansas City, Kansas, detailed “a separate, two-phased campaign undertaken by three officers of Russia’s Federal Security Service (FSB) and their co-conspirators to target and compromise the computers of hundreds of entities related to the energy sector worldwide. Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing,” the DOJ press release stated.
Deputy Attorney General Lisa O. Monaco said in the release: “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks.”
U.S. Attorney Duston Slinkard for the District of Kansas said, “The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals, homes, businesses and other locations essential to sustaining our communities is a reality in today’s world.”
The DOJ press release continued: “between 2014 and 2017 … the conspirators transitioned to more targeted compromises that focused on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems.
“As alleged in the indictment, the conspirators’ tactics included spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.
“In some cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant.”
ICS stands for “industrial control systems,” and SCADA for “supervisory control and data acquisition”: the computer systems that monitor and control the guts of industrial equipment and processes, such as generating power in a nuclear plant and keeping it running within safe limits.
“Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity,” the DOJ said.
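The pattern the DOJ describes above, a foothold on the business network used to reach further into the victim, is exactly what defenders at a plant like Wolf Creek watch for at the boundary between the business network and the control-system network. The script below is an added example for this article and is not code from the page, the DOJ, Evergy or Wolf Creek. It assumes a hypothetical boundary firewall that logs flows as “timestamp src dst port action,” made-up address ranges for the business LAN and the ICS network, and a single sanctioned jump host as the only approved path into the ICS network; the log lines are constructed, not real traffic.

```python
"""Flag business-network hosts that reach or probe the ICS network without
passing through the sanctioned jump host (an added, illustrative check)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumed network layout. These ranges are hypothetical, not any plant's real addressing.
BUSINESS_LAN = ipaddress.ip_network("10.10.0.0/16")    # corporate/business network
ICS_NET = ipaddress.ip_network("10.200.0.0/24")         # control-system (ICS/SCADA) network
JUMP_HOSTS = {ipaddress.ip_address("10.50.0.5")}        # only approved path into ICS_NET

# Ports that matter on an ICS boundary: industrial protocols and remote-admin services.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 3389: "RDP", 22: "SSH"}

# Constructed sample of boundary-firewall flow records: "timestamp src dst port action".
SAMPLE_FLOWS = """\
2021-03-01T09:00:01 10.10.4.21 10.10.9.8 445 allow
2021-03-01T09:02:14 10.50.0.5 10.200.0.17 22 allow
2021-03-01T09:05:40 10.10.4.21 10.200.0.17 502 allow
2021-03-01T09:05:41 10.10.4.21 10.200.0.18 502 allow
2021-03-01T09:05:42 10.10.4.21 10.200.0.19 502 deny
2021-03-01T09:07:03 10.10.7.3 10.200.0.20 3389 allow
2021-03-01T09:08:00 10.10.7.3 10.200.0.1 44818 deny
"""


def parse_flow(line: str) -> dict:
    """Split one flow record into typed fields."""
    ts, src, dst, port, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "action": action,
    }


def crossing_findings(flow_text: str) -> list[dict]:
    """Return one finding per business-LAN source that touched ICS_NET directly.

    Allowed flows mean the segmentation failed (severity high). Denied flows
    still matter: a business host knocking on ICS hosts is the kind of
    list-building reconnaissance the article describes (severity medium).
    Traffic from the sanctioned jump host is the expected path and is skipped.
    """
    by_src: dict = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] not in ICS_NET:
            continue                      # not crossing into the control network
        if flow["src"] in JUMP_HOSTS:
            continue                      # sanctioned access path
        if flow["src"] in BUSINESS_LAN:
            by_src[flow["src"]].append(flow)

    findings = []
    for src, flows in sorted(by_src.items()):
        allowed = [f for f in flows if f["action"] == "allow"]
        findings.append({
            "src": str(src),
            "severity": "high" if allowed else "medium",
            "ics_hosts": sorted({str(f["dst"]) for f in flows}),
            "protocols": sorted({ICS_PORTS.get(f["port"], f"tcp/{f['port']}") for f in flows}),
            "allowed": len(allowed),
            "denied": len(flows) - len(allowed),
        })
    return findings


if __name__ == "__main__":
    for finding in crossing_findings(SAMPLE_FLOWS):
        print(finding)
```

Run against the constructed sample, the check reports two business hosts: one that successfully opened Modbus/TCP sessions to two ICS hosts (a segmentation failure), and one that got an RDP session through and then had an EtherNet/IP probe blocked. In practice the same logic would run over the firewall's real export, with the jump-host set and address ranges taken from the site's own documented architecture.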
The DOJ gave a shoutout to Wolf Creek’s utility operators, saying they “provided invaluable assistance in the investigation.”
The nuclear industry is mindful of the importance of safeguarding its assets in the face of mounting cyberthreats, according to Rich Mogavero, senior project manager at the Nuclear Energy Institute, the policy organization of the nuclear industry.
“As one of the nation’s critical infrastructure sectors, the nuclear energy industry routinely engages with federal agency intelligence agencies on situational and threat awareness and assesses its readiness for emerging cyber threats,” he told Flatland in a prepared statement.