{"id":16542,"date":"2016-06-21T13:31:15","date_gmt":"2016-06-21T18:31:15","guid":{"rendered":"http:\/\/hcstx.org\/?p=16542"},"modified":"2016-06-21T13:31:15","modified_gmt":"2016-06-21T18:31:15","slug":"cyber-war-the-big-hack-of-nyc","status":"publish","type":"post","link":"https:\/\/thetacticalhermit.com\/index.php\/2016\/06\/21\/cyber-war-the-big-hack-of-nyc\/","title":{"rendered":"Cyber-War: The Big Hack of NYC"},"content":{"rendered":"<p style=\"text-align:center;\"><img decoding=\"async\" src=\"http:\/\/pixel.nymag.com\/imgs\/daily\/intelligencer\/2016\/06\/10\/magazine\/16-feature-thebighack.jpg\" \/><\/p>\n<p style=\"text-align:center;\"><strong>A scenario that could happen based on what already has.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><b>On December 4, 2017,<\/b>\u00a0at a little before nine in the morning, an executive at Goldman Sachs was swiping through the day\u2019s market report in the backseat of a hired SUV heading south on the West Side Highway when his car suddenly swerved to the left, throwing him against the window and pinning a sedan and its driver against the concrete median. A taxi ran into the SUV\u2019s rear fender and spun into the next lane, forcing a school-bus driver to slam on his brakes. Within minutes, nothing was moving from the\u00a0<i><a href=\"http:\/\/nymag.com\/listings\/attraction\/intrepid_sea_air_space_museum\/\">Intrepid<\/a><\/i>\u00a0to the\u00a0<a href=\"http:\/\/nymag.com\/listings\/attraction\/whitney-museum-of-new-york\/\">Whitney<\/a>. When the Goldman exec came to, his driver swore that the crash hadn\u2019t been his fault: <span class=\"fn\">The car had done it.1<\/span><\/p>\n<p>Moments later, on the George Washington Bridge, an SUV veered in front of an 18-wheeler, causing it to jackknife across all four lanes and block traffic heading into the city. The crashes were not a coincidence. 
Within minutes, there were pileups on 51st Street, the southbound BQE, as far north as the Merritt Parkway, and inside the Midtown Tunnel. By nine, Canal Street was paralyzed, as was the corner of 23rd and Broadway, and every tentacle of what used to be called the Triborough Bridge. At the center of each accident was an SUV of the same make and model, but as the calls came in to the city\u2019s 911 centers in the Bronx and Brooklyn, the operators simply chalked them up to Monday-morning road rage. No one had yet realized that New York City had just been hit by a cyberattack \u2014 or that, with the city\u2019s water system, mass transportation, banks, emergency services, and pretty much everything else now wired together in the name of technological progress, <span class=\"fn\">the worst was yet to come.2<\/span><\/p>\n<section class=\"fns fns-desktop\">\n<header>\n<h3>THE REAL HACKS<\/h3>\n<p>The fictional account imagined here is based on dozens of conversations with cybersecurity experts, hackers, government officials, and more. An attack of such scope is unlikely, but each component is inspired by events that can, and in most cases have, happened.<\/p>\n<\/header>\n<div id=\"fn-1\">\n<ol>\n<li>In 2015, carmakers began paying greater attention to the fact that some new vehicles, now connected to the internet, had become as <a href=\"http:\/\/www.nytimes.com\/2015\/07\/24\/business\/the-web-connected-car-is-cool-until-hackers-cut-your-brakes.html?_r=0\" target=\"_blank\" rel=\"noopener\">hackable<\/a> as laptops. 
In March, <a href=\"https:\/\/www.wired.com\/2016\/03\/study-finds-24-car-models-open-unlocking-ignition-hack\/\" target=\"_blank\" rel=\"noopener\">researchers found<\/a> hackers were able to access the ignition on Audi, BMW, Ford, Honda, Hyundai, Kia, Lexus, Mazda, Mitsubishi, Nissan, Range Rover, Subaru, Toyota, and Volkswagen cars.<\/li>\n<\/ol>\n<\/div>\n<div id=\"fn-2\">\n<p>2.\u00a0<a href=\"https:\/\/www.congress.gov\/congressional-record\/2015\/8\/5\/senate-section\/article\/s6329-2\" target=\"_blank\" rel=\"noopener\">Homeland Security<\/a> recently estimated that one major cyberattack \u2014 the NSA chief has said it\u2019s a matter of \u201cwhen, not if\u201d \u2014 could cost $50 billion and cause 2,500 fatalities.<\/p>\n<\/div>\n<\/section>\n<p>A third-year resident in the emergency room at Columbia University Medical Center in Washington Heights walked through the hospital as a television was airing images from the accident on the George Washington Bridge; that meant several crash victims would soon be heading her way. When she got to her computer, she tried logging into the network to check on the patients who were already there, but she was greeted with an error message that read WE\u2019RE NOT LOOKING FOR BITCOIN THIS TIME.<\/p>\n<p>Columbia, like major institutions across the country, had spent the past few years fighting so-called\u00a0<a href=\"http:\/\/nymag.com\/selectall\/2016\/03\/how-to-check-for-keranger-transimission-ransomware.html\">ransomware attacks<\/a>, in which hackers locked a hospital or city hall or police department out of its own network until a <span class=\"fn\">ransom was paid.3<\/span> Hospital security teams had gotten wise to the problem, but every network\u2019s defenses had the same vulnerability: <span class=\"fn\">the people who used it.4<\/span> For weeks, a group of hackers had been sending LinkedIn messages to employees at Columbia pretending to be recruiters from Mount Sinai. 
When an employee opened an attachment featuring the recruiting pitch \u2014 as ten of them did \u2014 and enabled the macros as prompted onscreen \u2014 four of them did \u2014 they unknowingly unleashed malware onto their computer and gave the hackers a beachhead. After months of <span class=\"fn\">lurking5<\/span>, the hackers blocked Columbia\u2019s doctors and nurses from accessing their network, including patient files. Doctors couldn\u2019t access prescription records telling them which patients were scheduled to take which drugs when and resorted to improvised <span class=\"fn\">paper-record keeping6<\/span>, which many of the younger doctors had never done before. In nearly every corridor, they were consulting with one another in a panic, asking how much of their own expertise was really stored in the cloud and had just disappeared.<\/p>\n<section class=\"fns fns-desktop\">\n<div id=\"fn-3\">\n<p>3. In February, <a href=\"http:\/\/nymag.com\/selectall\/2016\/02\/hackers-holding-hollywood-hospital-for-ransom.html\">a hospital in L.A. paid 40 bitcoins<\/a>, or about $17,000, to get back into its system. Russian hackers have even set up English-language call centers to explain to victims how to acquire and send bitcoins.<\/p>\n<\/div>\n<div id=\"fn-4\">\n<p>4. Hackers recently sent Pennsylvania drivers <a href=\"http:\/\/www.phillymag.com\/news\/2016\/03\/25\/speeding-ticket-scam\/\" target=\"_blank\" rel=\"noopener\">fake traffic tickets<\/a> with malware, using GPS data so the tickets seemed to be from red-light cameras on their route home.<\/p>\n<\/div>\n<div id=\"fn-5\">\n<p>5. The average data breach is only identified five months later; hackers were allegedly inside a Ukrainian utility network for six months before shutting off electricity.<\/p>\n<\/div>\n<div id=\"fn-6\">\n<p>6. 
In March, a D.C.-area hospital system was hacked and forced to <a href=\"http:\/\/www.cbsnews.com\/news\/paralyzing-hack-dc-medstar-reverts-them-to-paper\/\" target=\"_blank\" rel=\"noopener\">keep paper records<\/a>. They got so overwhelmed they turned away cancer patients with radiation appointments.<\/p>\n<\/div>\n<\/section>\n<p>The crowd in the waiting room swelled and grew more tense as nurses ran by patients, unable to give updates on when they might be seen. Various procedures were taking longer than they should have \u2014 one man was kept on a powerful antibiotic for several hours, with serious side effects, before a delayed lab result came back reporting that he should go off the medication \u2014 and the staff was having trouble keeping track of patients. A little before noon, a man walked into the hospital looking for his wife, whom he had dropped off early that morning for a simple surgical procedure. A few minutes later, the nurse told him that it appeared his wife had been discharged.<\/p>\n<p>Most New Yorkers were proceeding with their day unaware. But the city\u2019s <span class=\"fn\">head of cybersecurity7<\/span> had begun to connect the dots: Six hospitals had already informed him that their systems had been shut down, and the city had sent out warnings to all the others. One Police Plaza had just reported that it, too, was locked out of the programs it used to dispatch <span class=\"fn\">officers and emergency personnel8<\/span>, which made responding to the traffic accidents around the city that much harder.<\/p>\n<section class=\"fns fns-desktop\">\n<div id=\"fn-7\">\n<p>7. New York\u2019s first head of cybersecurity started the job earlier this year.<\/p>\n<\/div>\n<div id=\"fn-8\">\n<p>8. 
In April, <a href=\"http:\/\/www.washingtontimes.com\/news\/2016\/apr\/18\/newark-police-forced-to-go-offline-after-cyberatta\/\" target=\"_blank\" rel=\"noopener\">Newark\u2019s police<\/a> were locked out of their computer system for three days.<\/p>\n<\/div>\n<\/section>\n<p>After a few phone calls to friends in the private sector, the cybersecurity chief got more nervous. At the beginning of 2017, one friend told him, she had been called to investigate a mysterious occurrence at a water-treatment plant: The valves that controlled the amount of chlorine released into the water had been opening and closing with <span class=\"fn\">unexplained irregularity9<\/span>. An alarm had gone off, so none of the tainted water had reached consumers, and the company\u2019s CEO brushed off the consultant\u2019s request to make the news public so others could prepare for similar attacks.<\/p>\n<section class=\"fns fns-desktop\">\n<div id=\"fn-9\">\n<p>9. Investigators recently reported a similar incident at an undisclosed water company.<\/p>\n<\/div>\n<\/section>\n<p>At MetroTech, New York\u2019s cybersecurity chief pulled out the Office of Emergency Management\u2019s 42-page booklet on how the city should react to a cyberattack \u2014 a copy of which he had printed out and stashed in his desk drawer in case his department\u2019s own network was compromised \u2014 and was flipping from page to page when he got a call from a reporter.<\/p>\n<p>At 12:30 p.m., the\u00a0<i>Times<\/i>\u00a0published a story reporting that \u201cgovernment officials\u201d believed that the city was being hit with a wave of cyberattacks that appeared to be ongoing. A tipster claimed the hackers had caused at least a dozen car crashes and debilitated multiple hospitals and agencies \u2014 with more to come. If they could crash a car, could they crash a subway? 
The\u00a0<i>Times<\/i>\u00a0report included a line from a nurse at New York\u2013Presbyterian who said that the initial message announcing that the network was blocked had included a link to a web page that was displaying a timer ticking down to 1 p.m. and text that read MORE PATIENTS WILL BE ARRIVING SOON.<\/p>\n<p><span class=\"fn\"><b>The group of\u00a0<\/b>10<\/span> European <span class=\"fn\">black-hat hackers11<\/span> who launched the attack against New York had spent much of the previous decade breaking into American corporate networks \u2014 credit-card companies, hospitals, big-box retailers \u2014 <span class=\"fn\">mostly for profit,12<\/span> and sometimes just because they could. When those attacks became routine, the group moved into more politically inclined hacks, both <span class=\"fn\">against13<\/span> and on <span class=\"fn\">behalf14<\/span> of various governments, <span class=\"fn\">rigging elections15<\/span> and fomenting dissent. In the summer of 2016, the hackers received an anonymous offer of $100 million to perform a cyberattack that would debilitate a major American city. The group\u2019s members weren\u2019t much interested in death and destruction per se, so they declined their funder\u2019s request for a <span class=\"fn\">\u201cCyber 9\/11.\u201d16<\/span> But to self-identified anarchists with a reflexively nihilistic will to power, the proposition had some appeal. Causing disruption was something that had been on their minds recently, as their conversations veered toward the problems with global capitalism, the rise of technocentrism, bitcoin, and the hubris required <a href=\"http:\/\/nymag.com\/daily\/intelligencer\/2016\/06\/would-a-major-terror-attack-really-help-trump.html\">to nominate a man like Donald Trump<\/a>. 
Their animus got more personal when American authorities arrested a well-respected white-hat hacker who had broken into an insulin pump in order to show the dangers of connecting <span class=\"fn\">devices17<\/span> without proper security. The black hats were on the opposite end of the ideological spectrum but had more empathy for their fellow hacker than they did for the American people, who, they felt, deserved a comeuppance \u2014 or at least a very loud \u201cFuck you.\u201d The plan was to show how much of modern life in a city like New York could be disrupted by purely digital means. The hackers would get paid, but they also hoped their attack would dent America\u2019s complacent faith in order and in the technology and political authority that undergirded it. As a bonus, their services would be in even greater demand.<\/p>\n<section class=\"fns fns-desktop\">\n<div id=\"fn-10\">\n<p>10. Hackers are often identified by the malware they use: One group is known as Sandworm, because references to the sci-fi series \u2018Dune,\u2019 which features giant desert worms, were embedded in its code.<\/p>\n<\/div>\n<div id=\"fn-11\">\n<p>11. The hacker world divides into white hats, who are the good guys, and black hats, who are out to cause havoc or for personal gain.<\/p>\n<\/div>\n<div id=\"fn-12\">\n<p>12. According to the FBI, those hit by cyberattacks\u00a0<a href=\"http:\/\/www.latimes.com\/nation\/la-na-0407-cyber-hospital-20160407-story.html\" target=\"_blank\" rel=\"noopener\">have paid<\/a> more than $200 million in ransoms so far this year, compared with just $25 million in all of 2015.<\/p>\n<\/div>\n<div id=\"fn-13\">\n<p>13. Earlier this year, Congress was the target of a string of ransomware attacks.<\/p>\n<\/div>\n<div id=\"fn-14\">\n<p>14. 
An Italian company called\u00a0<a href=\"http:\/\/www.hackingteam.it\/\" target=\"_blank\" rel=\"noopener\">Hacking Team<\/a> has been criticized for offering hacking services to dozens of countries, many with poor human-rights records.<\/p>\n<\/div>\n<div id=\"fn-15\">\n<p>15. Andr\u00e9s Sep\u00falveda, a Colombian hacker, recently told Bloomberg that he had helped rig elections in nine different Latin American countries, including by installing malware on campaign routers to spy on digital and phone communications.<\/p>\n<\/div>\n<div id=\"fn-16\">\n<p>16. Last year, a researcher claimed he had hacked into a plane\u2019s seat-back entertainment system and could then access the cockpit controls on a Boeing jet flying from Denver to Chicago. Boeing has said this is impossible.<\/p>\n<\/div>\n<div id=\"fn-17\">\n<p>17. In 2014, a company tracking medical devices at more than 60 hospitals found malware in every hospital. Last year, another researcher was able to manipulate several drug-infusion pumps so he could, potentially, deliver a fatal dosage of medication.<\/p>\n<\/div>\n<\/section>\n<p>No one had pulled off an attack of this magnitude, but it was possible to piece together a plan from various hacks that had been executed before, which, taken together, were a sort of open-source blueprint available to anyone with an interest in remote-control terrorism (and the time and manpower it required). This group was small, relatively speaking, and benign, relatively speaking. ISIS, for instance, might have a more pronounced bloodlust but not (yet) the technical capabilities; Chinese or Russian hacking operations would have many more resources and a much more sophisticated strategy that could bring even more targets, <span class=\"fn\">like nuclear-power plants,18<\/span> into play.<\/p>\n<section class=\"fns fns-desktop\">\n<div id=\"fn-18\">\n<p>18. It took several years for hackers allegedly working for the U.S. 
and Israel to develop Stuxnet, a computer worm that disabled an Iranian nuclear reactor in 2010.<\/p>\n<\/div>\n<\/section>\n<p>These hackers decided to start with cars. The team\u2019s members found a particular automaker\u2019s flagship SUV <span class=\"fn\">especially hackable,19<\/span> bought one to test their work (to help fund the operation, they had pulled from the millions they had made in several attacks against financial institutions, including a recent hack of the <span class=\"fn\">Central Bank of Bolivia20<\/span>), and, within a month, could shut off the ignition, turn off the brakes, and cause the steering wheel to jerk to the left.<\/p>\n<section class=\"fns fns-desktop\">\n<div id=\"fn-19\">\n<p>19. In 2015, for an article in\u00a0<a href=\"https:\/\/www.wired.com\/2015\/07\/hackers-remotely-kill-jeep-highway\/\" target=\"_blank\" rel=\"noopener\"><em>Wired<\/em><\/a>, two hackers in St. Louis took control of a Jeep traveling 75 mph, sprayed wiper fluid so the driver couldn\u2019t see, then cut the transmission.<\/p>\n<\/div>\n<div id=\"fn-20\" class=\"\">\n<p>20. In February, hackers stole the credentials of several employees in the Bangladeshi Central Bank <a href=\"http:\/\/www.reuters.com\/article\/us-usa-fed-bangladesh-malware-idUSKCN0WD1EV\" target=\"_blank\" rel=\"noopener\">using malware<\/a> that tracked keystrokes as the employees entered passwords and were then able to transfer $81 million into private accounts. (They might have stolen more had they not misspelled the word \u201cfoundation\u201d in one of the transfers, triggering an alarm.) 
The underlying system of financial transactions, known as SWIFT, has since come under scrutiny after similar attempted attacks at other banks.<\/p>\n<p>Read the Remainder at <strong><a href=\"http:\/\/nymag.com\/daily\/intelligencer\/2016\/06\/the-hack-that-could-take-down-nyc.html\">NY Mag<\/a><\/strong><\/p>\n<\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>A scenario that could happen based on what already has. &nbsp; On December 4, 2017,\u00a0at a little before nine in the morning, an executive at Goldman Sachs was swiping through the day\u2019s market report in the backseat of a hired SUV heading south on the West Side Highway when his car suddenly swerved to the&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[74,1317,4126,883,4479,4333,1132,65,3712,10],"tags":[12395,4178,223,12396,2841,12397,12398,1805],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts\/16542"}],"collection":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/comments?post=
16542"}],"version-history":[{"count":0,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts\/16542\/revisions"}],"wp:attachment":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/media?parent=16542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/categories?post=16542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/tags?post=16542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}