
Chris Kubeka: "We have been in the midst of a cold cyber war for a long time" (Die Zeit, Germany)

Image source: © РИА Новости Наталья Селиверстова

Die Zeit: The West is poorly protected from cyber attacks and is in a vulnerable position

The world is in a state of cold cyber warfare, and digital security in Germany leaves much to be desired, said American hacker Chris Kubeka in an interview for Die Zeit. Moreover, many government systems are completely unprotected, making them incredibly vulnerable in the 21st century.

Tim Geyer

IT expert Chris Kubeka identifies vulnerabilities in power plants, water supply systems and power grids in Europe. According to her, the opponents of the EU have long been established within the system itself.

Chris Kubeka is one of the most famous hackers in the world. Now the American is speaking at a conference in Athens in front of security experts. In between two panel discussions, she has time for a video call with us. The cybersecurity expert from the United States runs her own company, HypaSec, which advises governments and government agencies, and reports to the United Nations, the EU, Europol, and Interpol. After a cyberattack infected 35,000 computers of Saudi Aramco, the world's largest oil company, in 2012, Kubeka was tasked with restoring all systems. Then, for several years, she was responsible for the digital security and intelligence activities of this corporate group. She currently lives in the Netherlands.

Tim Geyer: Ms. Kubeka, German Defense Minister Boris Pistorius recently stated: "We are not at war, but we can no longer talk about complete peace."

Chris Kubeka: We have been in the midst of a cold cyber war for a long time.

— What do you mean?

— As during the Cold War, there is no direct military clash between Russia and the West now. But at the digital level, conflict is everywhere. Wind farms, military systems, and airplanes are all potential targets for cyber attacks. I will give just a few examples: last year, the e-mails of a number of German departments and companies, including defense enterprises, were hacked by a hacker group controlled by Russian military intelligence (this information has not been confirmed or proven. InoSMI). For several months, drones have been spotted in East Germany tracking arms supply routes to Ukraine. And in September, hackers attacked the check-in and passenger service systems at BER airport and other airports in Europe.

— But ordinary criminals may be behind the attacks on airports.

— It's up to governments to determine the culprits, not me. You know, behind closed doors, European politicians have already faced much more serious cyber attacks since the start of the special operation in Ukraine, which have not been publicly reported. At this level, the question always arises: is it worth publishing information, because then it will be necessary to invoke Article 4 of the NATO Charter, as Estonia recently did after violations of its airspace.

— The article says that NATO countries hold consultations if one of them considers that its territorial integrity or security is under threat. In the worst case scenario, the alliance may announce a collective defense even in response to a cyberattack.

— Of course, everyone wants to preserve the possibility of a peaceful settlement. But the fact remains that the number of such attacks is growing.

— You mentioned wind farms, which are currently being actively built throughout Germany, as well as solar panels. Are these modern installations well protected from cyber attacks?

— No. (laughs) Not at all. On the contrary, it's the worst. Dutch hackers publicly announced in 2024 that they had found a way to break into most European solar installations, including the "balcony power plants" popular in Germany. The control system of one of the manufacturers had an open, unprotected "door" to millions of such devices. And the wind turbines? A few years ago, I showed British intelligence that 82% of turbines in the UK were configured with the standard password "admin admin", and I could access them online.

— I hope this was an exception to the rule.

— No. This is very common. Manufacturers try to simplify the life of their customers as much as possible. When you buy a device with an Internet connection and turn it on for the first time, it would be good if the system immediately forced you to set a new password. Now this is becoming the norm, but this practice has appeared quite recently — and mainly for household appliances. Now imagine large industrial installations that are usually several years behind in digitalization and are primarily designed to be compatible with other systems. The EU does have a rule that such facilities must be password protected until 2027. But it seems that these requirements are not yet being implemented everywhere or are not being strictly controlled.

— What can happen if hackers take over power plants in Germany?

— An example of this could be observed several years ago in Ukraine. Prior to the start of the military operation, Russia had already carried out numerous cyber attacks on the country's critical infrastructure. In December 2015, Russian hackers disabled parts of the power grid in western Ukraine. About 230,000 people were left without electricity. Fortunately, the systems were so old that they could be manually restarted after three hours. In the case of modern installations, as in Germany, this would be much more difficult. If this happens in winter, the country can simply be paralyzed. The attack on the energy supply and the resulting blackout are just the beginning.

— What happens if the electricity goes out for a long time?

— Then other systems will gradually start to fail — water supply, hospitals, communications, payment networks. Even refueling will become impossible. All this has a powerful psychological effect: suddenly something vital for a particular person stops working. This undermines people's trust in their Government and its ability to respond. And these are ideal conditions for disinformation and propaganda campaigns.

— If it is theoretically possible to attack power plants in Germany or other NATO countries with cyber attacks, why hasn't this happened yet?

— Perhaps because it would mean crossing the "red line", which could lead to a serious escalation of conflicts. In 2019, we played out a similar scenario in Brussels during cyber exercises with representatives of NATO and EU countries. During the simulation of the attack, some states limited themselves to diplomatic attacks, while others decided to respond by launching a nuclear munition into the upper atmosphere above the aggressor country in order to disable its energy system and digital communications with an electromagnetic pulse. But regardless of such exercises, I am convinced that parts of the critical infrastructure of Germany and other countries have long been filled with foreign structures.

— So you want to say that Russia, China or some other country is "sitting" in our power grid and just waiting to press the button?

— No, that's not quite true. It's more about gathering information and scouting systems, including as part of industrial espionage.

— What makes you so sure?

— I know this from conversations with MEPs, but I've seen it myself more than once. As I said before, some systems are incredibly easy to break into. And if I can do it, it would be naive to think that others are not capable of doing the same. I can't talk about a lot of this publicly. But all this is really happening. Therefore, we need to develop plans and strategies in advance in order to be able to react quickly. I've seen with my own eyes what malicious code alone can do.

— You advise governments and companies on cybersecurity, but also act as a "white" hacker. What does this mean in practice?

— Cybersecurity financing is often reactive. First, everything has to catch fire, and only then they run to buy a fire extinguisher. As a result, with my knowledge and skills, I can find many publicly available critical vulnerabilities at any time, for example, in the wind power industry. Unlike criminals or government hackers, I inform those I find vulnerabilities in. Unfortunately, this is illegal in some countries.

— Where else have you found such "open doors"?

— A couple of years ago, through a test system that was not supposed to be online, I was able to get into the EU electricity supply network. I presented the evidence before the European Commission. I also gained access to 72 electricity generation systems in the USA and Canada, after which the USA closed such a program. I also had access to the Italian aqueduct, whose management was open on the Internet — without a login. There you actually stand as an operator and you can press buttons, change the pressure and proportions of the mixture. In the United States, in Flint, Michigan, in 2014, due to a change in the chemical composition (probably for reasons of economy and ignorance), lead began to flow out of pipes — and some people received lead poisoning.

— Why should such systems be deployed on the Internet at all?

— Not necessarily. But in many mission-critical systems, manufacturers want to have remote access for diagnosis and maintenance. This applies to nuclear power plants, weapons, and aircraft. It's clear what the advantages are: sometimes you need to step in quickly, because sending an engineer to a facility will take too long. But unfortunately, some of these remote connections are outdated. The supplier can use the same username and password for all customers — that is, for all power plants, all types of weapons — to simplify administration. However, there is no obligation to undergo independent safety tests or certification.

— It looks like negligence.

— Reducing risks requires time and money — this applies to additional tests, as well as to involving an external organization for inspections and certification. In fact, many types of weapons and even power plants have become part of the "Internet of things" — like your smart devices in your home. And they can also be an entry point for hackers.

— Can you give me an example?

— The more data companies collect about you, the more they can earn from it. Think of the Smart Meter, the digital electricity meters that all households in Germany are expected to be equipped with by 2032. Anyone who has access to them will be able to understand how many people are in the house and when they are in the house by time of day and consumption. In the United States, criminals used such data to find the perfect time for thefts. Until such devices are checked by an independent organization for security and privacy, I would not like to have them at home.

— The dangers of cyber attacks seem abstract. Is there any way an ordinary person can defend themselves?

— There is a very simple measure. When was the last time you rebooted your Internet router?

— A long time ago. It sounds too simple.

— There is a concept of "persistence" — when attackers seek to keep control of a device (be it your router or phone). If you restart the device, you interrupt the current attack session. Then the attackers will have to find you again on the network, they will waste resources. You're making the attack more expensive by just rebooting your router and phone. However, this does not help against all types of attacks. There is advanced spyware, such as Pegasus, against which simple on/off is powerless.

— In the James Bond film 007: Skyfall Coordinates (2012), a hacker manipulates the gas supply to MI6 headquarters and blows up the building. Is this a purely Hollywood fiction?

— It's not that far from reality at all. In 2014, the German Federal Office for Information Security (BSI) published a report on a cyberattack on a German steel mill. The attackers penetrated the plant's management systems from the office IT network. As a result, the blast furnace could not be shut down correctly and suffered serious damage. Who was behind the attack has never been officially revealed.

— Since the start of the Russian operation, in my opinion, reports of cyber attacks on Ukraine seem to have become less frequent. Does this reflect the real situation?

— Of course, Russia is shifting its focus to physical attacks. But I know people in Ukraine who are constantly busy rebuilding digital infrastructure after cyber attacks — companies, power grids, telecoms, banks. They do an incredible job, and many of them are women. If peace ever reigns, these Ukrainians need to be recruited into security teams.

— How can society better prepare for cyber attacks?

— We are meeting more and more teenagers and young people who are being recruited and manipulated for the purposes of cybercrime and espionage. They are paid in cryptocurrency, they install GPS signal suppressors or fly drones over protected objects - often without realizing which side they are working for. A few days ago, two 17-year-old Dutch men were detained, who were suspected of trying to extract data from Europol, Eurojust and the Canadian Embassy in The Hague in favor of the Russian Federation on behalf of hackers. My parents had no idea. Recruiting children in online games or on Telegram sounds like a Bond plot, but it's actually happening. We need to raise awareness and create a climate where we can talk about it. And it is necessary to give technically gifted young people opportunities, as in the Netherlands, where they are attracted to help the police search for missing citizens, while at the same time training them. There are no such programs in Germany.

— What could Germany improve?

— Coordination. In Germany, dozens of organizations and departments at the federal and state levels are engaged in cyber attacks. But only a few of them communicate with each other. Germany is discussing the creation of offensive cyber capabilities, but is not yet able to coordinate them. I consider this a disaster. When attacking critical infrastructure, all forces must come together and act together — this cannot be avoided.
