Every Cyber Attack Facing America

Yahoo

02-06-2025

Coordinated attacks on electrical grids. Quantum computers making encryption technology useless. Deepfakes that are nearly impossible to discern from reality, or an army of AI agents hacking networks with once unthinkable-speed and efficiency. These are only a few of the threats that could be facing the United States in the very near future—if we aren't already. Today WIRED takes a deep dive into how vulnerable our current systems and networks are to the future of cyber threats.
- Everybody knows how technology can make our lives better or a little easier, but it can go the other way too.
- Soon, it will actually be impossible for a human being to tell if the face that they're looking at is real.
And that's a very scary new reality.
- Today, we're talking about future tech threats, including AI deepfakes, cyber attacks on electrical grids, quantum computers, and a lot more.
This is "Incognito Mode."
[gentle music] [keyboard clanking] One of the doomsday scenarios that experts have worried about for decades is a major cyber attack on the US electrical grid.
Now, Andy, you've written a literal book about cyber attacks on electrical grids and the hackers behind them.
Tell us about that.
- As with so many of these different kind of future threats, we've already seen it play out in Ukraine, which is so often the canary in the coal mine because it is so targeted by Russian hackers.
And in fact, we've seen one specific group of Russian hackers called Sandworm cause blackouts three times in Ukraine, the only hacker-induced blackouts in history.
The first one of these was in 2015.
These Russian state-sponsored hackers broke into a collection of electrical utilities in Western Ukraine and turned off the power for a quarter million Ukrainian civilians.
Then they did it again the next year in the capital this time, in Kyiv.
In that case, they used this kind of automated tool known as Crash Override, or Industroyer.
It was essentially kind of blackout-inducing bots that could open circuit breakers with kind of automated speed.
Now, in both of those first two blackouts in Ukraine, the power outage only lasted a few hours.
But in the second of those two attacks, we did also see this troubling tactic, which was that the Sandworm hackers actually tried to disable a piece of safety equipment called the protective relay.
They intended it that when the Ukrainian engineers tried to turn the power back on, they might have overloaded lines to cause them to burn or exploded the transformer, and that would've been a kind of physical destruction of grid equipment that could have led to outages of weeks or a month.
And that only actually failed because of a tiny misconfiguration in the hacker's malware.
And in the midst of Russia's full-scale invasion of Ukraine starting in 2022, they haven't stopped attacking the Ukrainian power grid both physically and with cyber attacks, and in one case they succeeded in causing a blackout in the midst of an airstrike, in the midst of missiles raining down on the city that was blacked out.
- So, the US grid, as I understand it, it's not just one centralized local grid.
The United States is enormous, so we've got the East, we've got the West, and we've got Texas, which is its own thing for some reason.
And then within those we have all these utility companies that connect to these grids.
So, we're talking about a bunch of different entities.
How complicated would it be to kind of target even one of these regions in the United States?
- Well, I think that causing like a massive blackout across the whole region in the US would be quite difficult.
The cyber attacks we've seen so far in Ukraine are relatively localized.
You know, the idea of like this kind of nightmare scenario of blacking out the entire eastern seaboard for a month, I don't think we've ever seen a hacker group capable of doing that.
Not to say that it's not technically possible somehow, but what we have seen that's very worrying is this one group of Chinese state-sponsored hackers called Volt Typhoon gaining access to electric utility networks in the US across the entire country.
And it seems that they're trying to pre-position to be ready for some date in the future when they might choose to pull the trigger and cause blackouts perhaps in many simultaneous cyber attacks.
And of course, the date that we have to guess that they're preparing to do that would be on the eve of the invasion of Taiwan that Xi Jinping, the Chinese head of state, has said he wants the Chinese military to be ready for by 2027.
That could be a kind of tactic in the Chinese playbook to delay an American response to that invasion, or perhaps more specifically, to cut power to US military bases that would hamper our military response to that actual invasion of Taiwan.
I have sometimes thought like the threat of a power grid attack has become overblown because it's kind of like the quintessential cyber nightmare.
So, at one point I even did ask an NSA official, "Are you actually scared of a cyber attack on the grid?"
And he said that he absolutely was because of this notion that the electric grid underlies every system that we have come to rely on, GPS, internet, water, all of it depends on electricity.
It is in some ways like the fundamental lowest layer of the tech stack of America, - And this is one of the reasons why cyber attacks on electrical grids kind of loom large in the cybersecurity mind, is that this is a hack that can potentially cause physical damage in the real world that then makes the attack much more consequential.
- Right.
If the power turns off for a few hours, I think we have backup systems, we have natural disasters that cause that.
We're ready to bounce back.
If transformers are destroyed, however, these are custom pieces of equipment that are hard to replace.
We may not be ready for a long timescale of outage against an actual malicious adversary that's still there in the network, still trying to cause more damage.
We saw how difficult it was, for instance, for Spain and Portugal to turn the power back on across an entire country.
Well, imagine if you're trying to perform that recovery while an active adversary is also trying to sabotage every step you take to recover.
- Terrifying.
[gentle music] Hey, it's me.
Don't recognize me?
How about now?
AI-generated deepfakes are everywhere on the internet.
You've probably laughed at ones of politicians or celebrities, but did you know these tools can be used for nefarious purposes against you?
What in your reporting have you seen deepfakes being used for?
- Well, we've already seen deepfakes being used for two of the most lucrative form of cyber crime that we know about.
One is what people call business email compromise, where a hacker is kind of impersonate someone inside a company and trick the executives into sending money where they shouldn't.
We've seen one company tricked into sending $25 million to a hacker who impersonated an employee.
The other is romance scams, or other kinds of what people call pig butchering, where a victim is tricked into sending sometimes millions of dollars to a fake crypto investment.
I've seen listings on black markets where crypto scammers are selling each other deepfake tools to be able to impersonate someone's face, and both of these are already making tens of billions of dollars in revenue a year, truly two of the biggest categories of cyber crime in existence, and both of them are going to be absolutely supercharged by deepfakes.
- Most of the nefarious uses of deepfakes involve scams, people trying to steal people's money.
Deepfakes used by scammers can be put together quickly and they don't have a lot of resources to put into them sometimes, but they can also be used in geopolitical settings, fake news on steroids.
[speaking in foreign language] The producers of fake news are able to put a lot of resources into making sure something looks reliable and it makes it really hard to detect when something's actually fake.
Unless you're a digital forensics expert, detecting fake news can be really difficult.
The technology is just rapidly improving.
It's becoming pretty commonplace to be able to get access to these tools.
You don't have to be a specialized hacker or anything to get them.
You can just kind of download these tools and use them for whatever means you want to.
- Definitely, and I think the real time deepfake video tools that I've seen are not seamless, they're quite detectable for like a not super gullible human being today, but I think what we're talking about is a very near future where these tools are only going to improve and soon it will actually be impossible for a human being to tell if the face that they're looking at is real, and that's a very scary new reality.
- You know, one of the ways people protect themselves from traditional scams, even before deepfakes, is you're just familiar with what a phishing email looks like and you learn to look out for it, but at some point the fakes become so good, you can't tell what's real and what's fake.
- I think we're used to telling people too as a safeguard, "Yeah, if you can't tell if this text is fraudulent, then get somebody on a call.
If that doesn't work, you get somebody on a video."
When none of that works, then we have to come up with new protocols, like, you know, do you have some sort of secret code word?
Do you check if somebody can remember your last conversation?
You know, all of these things, we'll have to kind of figure them out in this new deepfake future.
- AI has really taken all the headlines as this big emerging technology and all the potential threats around it.
Another emerging technology is quantum computing that's continuing to evolve.
One of the things that security experts kind of worry about with regards to quantum computing is that it could just break all encryption.
What have you seen about this?
- Right, well, this is what some people call Q Day, like, this perhaps near future doomsday scenario where quantum computing becomes powerful enough to break these crypto systems that we have built an entire society on.
It turns out that there are some kind of post-quantum crypto systems that can't be broken even by quantum computers.
So, Google, for instance, has been very vocal about switching to post-quantum crypto.
Signal, the encrypted messaging app, has also switched to post-quantum crypto, and that ought to be reassuring.
But the troubling thing is just how many systems out there may not be using post-quantum crypto, and when quantum computing suddenly appears, they can just all be broken and all of our secrets will be accessible and it'll be like that moment in "Sneakers" when like suddenly the entire internet is decryptable.
- Anybody wanna shut down the Federal Reserve?
- For instance, Bitcoin we know doesn't use post-quantum crypto.
If a quantum computer arrived today, it seems like somebody would be able to steal hundreds of billions of dollars.
Bitcoin would probably go to zero immediately, and that's only gonna be fixed when the entire Bitcoin community decides to adopt new crypto technologies and implement them across the network, which is a really big undertaking and may not happen in time.
- The issue with quantum computers is that they're just much faster at breaking encryption than a traditional computer.
While a traditional computer can take over a hundred million years to break certain types of strong encryption, a quantum computer can do it in just a few hours.
WIRED's Amit Katwala recently interviewed several experts about the coming quantum apocalypse.
According to one survey, experts believe Q Day is gonna arrive by 2035, if not sooner, and some think there's a 15% chance it's already happened.
Now, if Q Day does actually arrive, that means everything from military intelligence secrets to access to critical infrastructure to your own private data and messages could all be exposed.
It's not just the end of privacy as we know it, it's the end of any control over all the systems that we use every day.
Experts kind of compare this to Y2K when, if you don't remember, Y2K is when the computer systems use two digits to denote the date zero zero, and everybody was worried that everything would break because the computers would think it's 1900 instead of the year 2000.
Now, Y2K has kind of become a joke because everybody pitched in and fixed the problem before it was actually a catastrophic issue.
- Midnight has come in Russia, there's no Y2K problem at all.
- And in this case, it's the same kind of situation where we need a bunch of different systems, many thousands I'm sure is an understatement.
- Well, exactly.
I think talking about it like Y2K is part of why I've always kind of dismissed this, like, "Oh, it's some problem for the nerds.
They'll deal with it in time."
But the thing about Y2K was that we knew exactly when it was gonna happen.
This doomsday, we don't know when the deadline is, and in fact, there's some adversary out there building a quantum computer.
They know perhaps when they're gonna have one, and we don't.
And we also don't know if somebody may have actually even now built a quantum computer in secret and have the ability to crack all of these crypto systems and access secrets that we can't even imagine.
- There's basically two categories when we're talking about quantum computers breaking encryption, it's keeping of secrets and managing access to systems.
If the encryption is broken, then you can't keep anything secret and you can't keep anyone out of any system.
- And to your point, they would also be able to mess with things, take control of all of the digital systems that control the power grid or air traffic control.
It's really hard to imagine the level of actual havoc that they could wreak.
And really, like, some other countries could be storing all of this encrypted data that's traveling across the internet and just keeping it and waiting for the day when Q Day arrives and they have this computer capable of cracking all of that.
- Yeah, absolutely.
You make a great point that the data that's already been stolen is not gonna be updated alongside those systems, and so all of those secrets could still be cracked.
- We really can't move to post-quantum crypto systems fast enough.
- One of the systems we don't really think about, because it's just everywhere and we take it for granted, is GPS.
If it goes down, things get bad really quickly.
And it's not just the navigation app on your phone.
It's trains, airplanes, boats, all types of systems that people rely on, and it could really cause major disruptions.
GPS is just one of several global navigation satellite systems, or GNSS, that are used around the world.
Europe has Galileo, Russia has GLONASS, China has BeiDou, but the US is really reliant on GPS alone.
The US' reliance on GPS makes it particularly vulnerable because the government hasn't created any backup systems like they have in other countries.
It's used by transportation systems, emergency services, financial institutions.
Basically everything runs on GPS and you might not even know it.
- We've seen, for instance, in the war in Ukraine that Russian and Ukrainian soldiers have been using GPS jamming and spoofing to try to disrupt each other's drones and prevent drone attacks.
But in those cases, we've also seen collateral damage.
Those jamming devices are like very blunt instruments.
They send out their radio jamming in all directions in a wide range.
We've seen them affect civilian aircraft even, and I believe our colleague Matt Burgess has written about how civilian aircraft have had to be rerouted, sent back to the airport of their origin because of GPS jamming in the Ukraine war.
- Yeah, so this is something that's already happening on a small scale, but there's the potential, if there's a major war between the US and China, where these systems could be disrupted on a much bigger scale.
It's not just spoofing and jamming attacks that we have to worry about.
There's also attacks on the actual satellites themselves.
We know some countries have developed satellite technology to take out or disrupt satellites in orbit.
The fact that countries are carrying out these kinds of attacks shows just how valuable GPS is and how vulnerable it can be.
- Yeah, I remember in this science fiction book from 10 years ago now called "Ghost Fleet," they posit this future war with China where the first shot of that war would be China destroying all of the US' satellites.
That is plausible.
We've seen China and Russia demonstrate the ability to destroy satellites.
China has shown that it can use a satellite to grapple onto another one and pull it out of orbit.
These sound like science fictional threats, but they are practical.
And we've never really thought about what our country would look like if all of GPS were suddenly disrupted.
- If you've used generative AI tools like ChatGPT, you know how powerful they are.
They give you the ability to write an essay in seconds, or create a business plan on something you might not even know anything about.
The same for writing code.
Programmers everywhere are already using generative AI to write code that they're deploying in the world.
But the same goes for hackers.
- AI for so many people is a kind of glorified productivity tool, and it seems like it is that for now for hackers too.
Chinese hackers are using generative AI to write better phishing emails in perfect English now.
They are almost certainly writing malicious code with AI too, because all software developers are using AI to write code, but that's not like truly autonomous hacking bots out there somewhere on the internet, which is the scary future thing we're talking about.
But I think that's coming.
At some point, we will see fully autonomous hacking agents, and I think we may even see a future where AI is able to automatically find zero-day secret vulnerabilities in code and exploit it immediately, and that's quite scary.
- These tools can be used by hackers in a couple of different ways.
One, they can write code that somebody who isn't really skilled wouldn't have any ability to do.
More and more people could become hackers.
So, you have these script kiddies writing tools in large language models and deploying that code with unknown consequences.
Then we get to the professional level where both the good guys and the bad guys are using these tools.
You have white hat hackers using them to find zero-days, or secret vulnerabilities in code nobody's been able to patch.
AI can be really useful for protecting these systems, but you also have black hat hackers.
They can use it to write malicious code that they might not otherwise be able to create and deploy that code in more sophisticated ways.
- We've talked for a long time about the problem of zero-days, this idea of a secret vulnerability in a piece of software where the company that makes that software has had essentially zero days to fix it.
AI is going to be able to find those zero-days in an autonomous way at some point.
- As these technologies advance, you can imagine a future where there is an AI that you can point it at a certain system and say, "Go hack that system and it'll go in," and it'll analyze the code that it's seeing, find vulnerabilities in real time, write malicious code in real time, and then gain further access into those systems, be able to exfiltrate data and just kind of cause all the havoc that hackers can already, but much more efficiently, much quicker, and maybe on a much bigger scale.
- I think the real issue though is that defenders definitely need to be using AI or they're gonna be left behind.
- Things aren't necessarily gonna become instantly more secure or less secure one way or the other.
We report on systems getting hacked almost every day here at WIRED, and so that reality is gonna still be there, it's just the question of will the teams defending against this stuff be adopting it effectively as well as the malicious hackers?
And we just don't know how that's all gonna play out.
If you've ever been in a natural disaster and the cell networks go down, you know just how helpless and stranded you feel.
Now, imagine that's happening to everybody everywhere.
We're just not ready for our cell networks to go down.
In addition to natural disasters, there've been several cyber attacks on cell phone networks in various countries around the world.
There's also been repressive regimes that have taken the cell phone networks down on purpose to quell protests.
- We've seen a cyber attack launched against Ukraine's cellular provider Kyivstar in December of 2023, turn off cellular service to millions of Ukrainians.
This was the Russian hacker group Sandworm trying to disrupt the communication systems for the whole populace of the country.
And we've also seen governments purposefully turn off cellular access in Myanmar and India and Iran, sometimes for a week at a time, just as a way to quell descent.
We've never seen this happen in the US, but I think we can easily imagine that it's possible, either with insider access or from an external threat.
And we've also seen it just happen because of natural disasters and terrorist attacks in the US where there's a crisis and everyone overwhelms the network, just trying to reach loved ones or emergency service providers.
And one of the solutions that people have been talking about is like a kind of peer-to-peer mesh radio, like, I think you've been looking into this.
- Yeah, we've been looking into this type of technology that's called Meshtastic.
So, actually I have one of the devices here, and it looks like a little pager, if you remember those, but it's basically just a radio, a circuit board, and an antenna.
These devices come in a bunch of different forms.
Some of them look like the old Blackberry devices.
They have actual keyboards, some of them have touch screens.
Some of them are really simple with just like a 3D printed case like this one.
Basically, all the devices work the same.
Meshtastic is a radio-based mesh network that uses long range radio to send encrypted messages between devices across distances of up to 200 miles.
Meshtastic is an open source software project.
It's not maintained by any one company, and pretty much anybody can get involved with the Meshtastic community.
Unlike cell phones that connect to a tower to communicate, Meshtastic is a peer-to-peer network, meaning that each device communicates with other devices in the area.
You're able to use this without cellular service, without wifi.
You can connect it to your phone, so you can text straight from there.
And the device itself is what's sending the message, and it's really low bandwidth, so you can't really send much information, but the good thing is that it's really not reliant on any centralized system like a cell network.
- And the cool thing about it is that you don't have to be within line of sight of the recipient of the message, you just have to be in line of sight of some other Meshtastic radio so that you can connect to the whole mesh, and then that message gets passed around among all these peers until it reaches the intended recipients.
That's the cool thing about it, I guess, is that like the more of these radios connect to the network, the more powerful it becomes.
- It's still really early days for this.
There's not that many people who have a Meshtastic device compared to, say, a cell phone, of course, but if you live in a city, there's a good chance you're gonna have some type of Meshtastic network already set up and you're gonna be able to communicate with each other.
- It does seem like this is maybe the first step in creating a system that would survive a larger disruption of centralized cellular service.
- Meshtastic is real useful during, say, natural disasters when the phone lines are down, but can also be useful if you're just an area with poor cell coverage, like out for a hike.
Meshtastic can't replace your cell phone altogether, but it's gonna work when a cell phone isn't.
This has been "Incognito Mode."
[futuristic musical tones]