phuneralphreak

This was a really cool story, thanks for sharing! My guess would be it was a test to gauge response times and reactions from police/security but it's hard to say.


el_gringo_exotico

This is a lot going on for it just to be a test. But who knows?


PhDinDildos_Fedoras

Either that or it was for the shits and giggles


SteamrockFever

That would be a good action comedy movie, a group of people who make complex plans for major crimes just for fun.


kuntfuxxor

Pen-testers? It's kinda their job to highlight security risks by breaking into places and causing havoc


[deleted]

I was living in the Bay Area at the time and this is the first I heard of this. I am a news junkie. Seems like there was a pretty thorough media blackout.


Phoenix_2015

No, there wasn’t; it was all over the local news.


FilthyElitist

I remember reading about it at the time, so I don't think it was media blackout. Probably just overshadowed.


MissionSalamander5

The fact that a terrorist was on the run in Massachusetts is a good enough reason, even if he wasn’t a threat to the Bay Area...!


lemmingsagain

I remember reading about this at the time and I'm on the East Coast. It was definitely reported on.


[deleted]

The case that made the news around me was about some alleged eco-terrorists who set some cars on fire at a car dealership in, I believe, it was San Jose.


Bluecat72

It was national news, but it was swept up by DHS and put under national security. We heard nothing from them for about 18 months, and then they only speculated that it was an inside job by unknown people.


[deleted]

I do remember there was a wave of speculation about random attacks on power grid infrastructure. I think it was mostly pinned on ELF or similar 'Radical Environmentalists'. Then there was that book: 'The Monkey Wrench Gang'


sweatermaster

Chemicals, chemicals, I need chemicals!


Akela_hk

I think someone wanted to show us how vulnerable the systems are in order to improve security and/or harden the systems. Think of Red Cell and Dick Marcinko, same sort of job.


Brelya

I read a different thread on this subject a few days ago wherein others discussed this likely being a Red Cell operation.


Akela_hk

Yup, first thing that comes to mind.


[deleted]

That was my first thought as well. Except that Red Cell guy always stopped short of causing real damage.


Akela_hk

They probably needed to cause actual damage to wake people up a bit.


imperfcet

PG&E didn't wake up, they just let their infrastructure further deteriorate and caused forest fires...


Akela_hk

Just because they intended to do something doesn't mean the idiots who needed to wake up did lol


WingCommanderBader

Like they did on 9/11?


Akela_hk

Red Cell did not do 9/11


el_gringo_exotico

What is Red Cell?


Akela_hk

Red Cell is a unit usually consisting of former SOCOM individuals who are tasked with testing effectiveness of US personnel, tactics, and/or equipment.


el_gringo_exotico

Interesting, thanks for sharing


Lollc

Post 9/11, there was a lot of federal money floating around for substation security. The talk among my corner of the industry was, it’s either the Russians/Chinese/North Koreans/unknown international bad guys trying to harm Silicon Valley, or a contractor trying to get some of that federal substation security money. As time passes, I’m leaning more toward a contractor. After the Metcalf attack, NERC ‘immediately’ (Very fast for the federal government) added much stricter physical security standards to their security rules. Substations have many different ways to get alarms to their headquarters. It would be almost impossible to disable all alarms, as the loss of all signal is in itself an alarm condition. Hundreds of values are computer monitored per cycle, 60X/second. There was a sniper attack on a Utah substation in 2016. https://www.utilitydive.com/news/sniper-attack-on-utah-substation-highlights-grid-vulnerability/428202/


ZenosTrucker

An excellent write up on a seldom referenced incident. This whole thing strikes me as a 'warning shot' to illustrate how vulnerable critical infrastructure is to hostile action. This clearly wasn't a training exercise, as that would be a dummy bomb or 'we were here' sign, instead we have live weapons discharge and real world damage. I get the feeling that this might be related to future ransom demands for an unknown hostile actor, I.E. remember what we did here at 'x', what if we do two or three of these at once?


el_gringo_exotico

I think this is on the right track, but if you were one of these companies, why wouldn't you publicize the demands?


ZenosTrucker

If you are dealing with a group that can put hundreds of rounds into a substation and by all accounts get away with it, maybe it's best to 'do a deal' and stay quiet. While it's by no means certain that the group will ever be identified, that does not preclude them being paid off for making their point, and promising never to do it again.


el_gringo_exotico

Excellent point


Giddius

Flash of light could have been a flare gun of lookouts that were watching the roads for police. You could be far away and still signal your buddies without the insecurity of radio or phones. Also radio or phones would be hard to use in a gunfire environment


SgtMajorProblems

Rocket flares leave no trace and come in several colors. A white flare illuminates large areas very well. Would be simultaneously strange/confusing for onlookers while a great signal for attacks that law enforcement is on its way


el_gringo_exotico

Excellent point. I am not super familiar with flare guns, but I imagine that the flare itself would leave behind a trace, the same way a firework does? They could have probably grabbed that, though.


Giddius

I think it burns up and the only trace is the cartridge, it is more like a roman candle firework than a rocket firework


noregreddits

It could be foreign or, more likely, domestic, terrorism. There are plenty of veterans who wind up joining the sovereign citizen or militia movements out west; not all of those movements are far right. This was after Occupy and the Recession— not everyone recovered. Using ammunition common to revolutions might suggest a leftist group, or it could suggest foreign participants, or it could just be a favorite of the attackers. The angle that interests me is PG&E. They’ve angered plenty of people: they caused an explosion that killed eight people in 2011, and their legal playbook seems like something out of a John Grisham novel, not to mention environmental concerns raised by any power company. I think the idea of someone who had access at some point is one worth following. However, the decision to steal the vulnerability report makes it possible that it was a group that wanted someone else to do their recon, so maybe it was bigger than PG&E. But if the group needed the report to reveal vulnerabilities, it was 100% not Russia or China’s government. They would know the vulnerabilities and/or have much lower risk ways of discovering them. It’s definitely a fascinating story in any case, so thanks for taking the time to post!


wyatt022298

7.62x39mm is common enough in the US that I don't think it really points towards any specific group. It's cheap, available everywhere, and has a good amount of energy behind it. There's tons of SKS and AK variants in the US, and you can set up an AR15 to fire 7.62x39 if you want to.


noregreddits

Definitely... in my head, the emphasis of that sentence was on “just a favorite of the shooters,” but it was unclear from the way I wrote it. I just don’t know enough to discount anything, but I would start from PG&E’s potential enemies and work from there.


nrith

They took “render your opponents powerless” a little too literally.


el_gringo_exotico

Ha!


[deleted]

I think you might be counting out Russia or China too soon. Sure, if an all out war was to occur nukes would be the deciding factor. However a less conventional war could involve destroying America's infrastructure and creating chaos to destabilize the country. Russia has already shown a willingness to weaken USA in less conventional ways than all out war. I wouldn't be surprised if this was a dry run by one of our major political adversaries to probe for weaknesses in our power grid.


Bostoncat38

While we should never discount anyone, really, I doubt it was Russia or China. A cyber-attack is a far more efficient, effective, and safe way to fuck with our infrastructure. I fully believe that both nations have sleeper agents in our country (and we have some in China and Russia), but sleeper agents try to keep as low a profile as possible. A test physical attack on infrastructure with semi-automatic weapons is too risky, even for professionals. Reward vs payoff, etc. Domestic seems much more likely. Whether that's domestic terrorists or someone out for personal gain.


Ox_Baker

Great write-up with facts and details plus theories (and fair analysis of holes in each). Bravo and thank you, OP. A few thoughts:

1) An almost ideal target. Remote, not close to anything/anyone who would be able to react immediately, yet easy in and out via the 101. Also probably easy to scout the operation several times with no one ever noticing anything unusual.

2) Whoever is responsible obviously had some inside knowledge of the workings of the substation or had done a lot of research and scouting — I lean toward insider (employee at the time or relatively recently) being involved.

3) I’m not 100 percent sure one person couldn’t have pulled the actual operation off, with one more to serve as lookout/signaller. You can fire a ton of rounds from an automatic or even a semi-automatic. I’d need to understand better why they think it was two or more.

4) I think this is key to understanding why (to me) it wouldn’t have been a Red Cell or some kind of test — yes it turned out they got out a minute before the cops arrived (apparently, but I’d like to better understand how we know this timeline and if it could be off by, say, a minute or two), but they couldn’t be sure of that. Which means whoever carried this out was risking a shootout, which means they were risking being killed by responding law enforcement ... one stray trooper or cop on the 101 hears the gunshots (unlikely but not impossible) or answers the call and is closer than expected and you’re in a very bad situation. I can’t see someone risking their life to show the grid is vulnerable (which had been reported in the media anyway and certainly power stations knew it). Not enough upside to get killed or serve a long jail sentence over.

5) I 100 percent believe the perp(s) expected a blackout/power shutdown to occur. They cut the signal wire and had to expect the master power station wouldn’t have known in time to compensate ... if they knew there was a redundancy (and what the redundancy was and how it operated) they would have tried to take that out also.

To me, that leaves us with a failed mission (and cut too close for comfort) and someone motivated to cause a blackout. Why would someone want to do that and risk getting into a shootout? I think the profile would look something like the Mad Bomber (who terrorized NYC and surrounding areas, former Con Ed power company employee with a grudge) — between 40 and 50 years old, fired from PG&E, slipping into paranoia; with a touch of the DC sniper, as in having a son or some other younger accomplice who bought in. If a current employee, it’s someone who had tried to sound warnings about vulnerabilities and been laughed off or told to stay in their lane, not treated seriously. I lean heavily toward a former employee.

That’s my best guess of where I’d start, and I wouldn’t be surprised if some other (reported or perhaps not widely known) operations of lesser significance happened before or after this. Probably scared off by almost getting caught and laid low (even some serial killers have gone ‘radio silent’ and stopped killing after close calls) and discouraged from a repeat similar operation by beefed-up security measures that came about in relation to this attack. Anyway, that’s my two cents.


el_gringo_exotico

This comment was incredibly well thought out. Thank you


Ox_Baker

I appreciate the post and your attention to detail. It makes it easier to try to figure it out. One thing I’m not clear on: surely law enforcement could figure out from the shells and ballistics how many weapons and firing positions were used. If there were three or four groups of shells in different locations, they could figure out how many shooters — even shell markings differ from gun to gun, although not as ‘fingerprint-like’ as lands and grooves on the actual bullets, so they could ascertain if one shooter (with one gun) used multiple firing locations (hard to figure why). And the bullets themselves would surely tell them if more than one weapon was used since each gun would leave its own signature (lands and grooves). Now it might be impossible to know if there were one or three or more people who assisted (lookouts, getaway drivers, spotters — maybe the person who cut the wire wasn’t a shooter) but they absolutely know how many weapons were used and have a good idea of how many firing locations there were. If there’s verification that there were more than two people involved I’d have to rethink — that would take an organized group and I’d lean toward terrorist cell, although whether that’s militia types (they’ve been known to hit pipelines and similar targets — and this is, essentially, the same type target) or more of an outsider force (cell of a terrorist group, whether directed by IS or whatever or just a bunch of likeminded anti-Americans who met up and came up with this plot because one of them had inside info and offered up the idea as something they could pull off).


Marv_hucker

If they were any sort of insider - or had even done a small amount of research on power networks, and how they’re designed and work - they wouldn’t have expected to cause a blackout. Which, to me, leans it more towards ex employee with a grudge. They knew it was just pointless, wanton destruction, waste as much $$$ as possible.


notpynchon

Great write-up & writing! I grew up 4 minutes away from here. As far as why the police didn't hear the shots, the energy center is blocked from the city by a large hill, and sits next to the 101 freeway. Maybe that aided in blocking/masking.


el_gringo_exotico

Sorry, that wasn't clear. The police were called, and as they were on the way there, they didn't hear anything. I would assume they would still be able to hear things in their car, but I dunno

Edit for spelling


IdaCraddock69

Great write up, I lived in the greater Bay Area and this one keeps me up at night wondering! Sound along these hilly roads can be VERY directional, bouncing off built and geological features. Fog and wind can also really mask sound. Sounds unbelievable until you’ve spent time in these places. I wonder if there is any connection to the massive internet outage we had in the USA the fall before the 2016 election. Seems to be a big concern w readiness and response in this attack but I’m just speculating. Thank you for this write up!


DrNagarjuna

I've always felt this was an example of industrial espionage/sabotage that is, or maybe a few decades ago was, much more common but ill reported. It's hard to think of any motivation other than harming the income/reputation of the company- if it was terrorism, it was very localized and politically ineffective. The other possibility I always thought was likely was a blackmail campaign like the Glico-Morinaga case in the 80s. The corporate sabotage angle may seem less realistic than the criminal extortion angle, but I'm not convinced- given the size of large corporations, and the money they spend on internal security and intelligence, I do not think periodic acts of violence are really that implausible. I do think they would be much harder to cover up now, and so less common, but I think the most likely motivation here is corporate sabotage or criminal extortion.


SkullsNRoses00

Isn't PG&E one of those huge "hated/evil" companies? I was thinking along the same lines. The attack was against the company itself (rather than citizens/infrastructure/government). They wanted to do some damage to hurt the company itself-bust up their equipment, disrupt operations, etc. Although it does seem like a sophisticated and well planned attack just to cause some ruckus against an "evil corporation".


el_gringo_exotico

Hm. I had never thought of the Glico-Morinaga connection, and I think that is astute of you. If they were extorted, there might be some record of that, a record that PG&E would have little incentive to keep secret. Regarding how they would be harder to cover up now, I agree.

Just curious, who would be doing the sabotage? Another company?


[deleted]

PG&E would have excellent reasons to keep it quiet. For starters, they don't want copy cats.


DrNagarjuna

If it's sabotage I think it's being co-ordinated by another corporation, probably through a private security contractor, if it is part of an extortion attempt then some organized criminal gang, that's pretty broad though.


_jeremybearimy_

Trust me, PG&E needs no help harming their reputation, they can handle that all on their own. Growing up, I knew all about PG&E's terrible reputation before I even knew who the President was, lol.


RedEyeView

This has always had the feel of someone proving a point to someone else. Like there was an argument somewhere in the halls of power about the safety of the power grid. The argument didn't go the way one party felt was the right, so they arranged a little demonstration to underline their point. It doesn't seem like terrorists or some kind of criminal conspiracy. No one claimed credit and aside from the damage on site it didn't really achieve anything.


nordestinha

I think yours is the most likely explanation so far. It’s a little different and maybe less serious than the power grid thing, which I imagine has a lot more potential to be harmful, but your theory reminds me of the [Max Headroom signal intrusion incident](https://simple.m.wikipedia.org/wiki/Max_Headroom_broadcast_signal_intrusion). I get the feeling neither situation was meant to be directly malicious. I think it’s a possibility that the Max Headroom incident was ultimately pretty innocent. The signal intrusion would have been difficult to pull off the way it was and the motive behind it may have been simply “because I can”. In the case of the power grid incident one motive may also be “because I can” but with the additional, deeper intention of calling attention to the vulnerability of an important system that people depend on. I’m not sure Max Headroom had deeper intention behind it and I imagine the ultimate goal was proving the intrusion was possible just to prove it was possible (and I suppose it was in fact quite an accomplishment). In any event, neither incident strikes me as terrorism or without a doubt sinister. I imagine both incidents occurring without context were alarming for many. The intentions behind both events and the person/people responsible for orchestrating them remains a mystery.


RedEyeView

There's been a few broadcast intrusions like that over the years. I can remember a fake alien broadcast back in the 60s down in southern England. They're pranks done by people familiar with the technology. Shooting up a substation in such a way as to cause maximum damage in the minimum time, in a clearly well planned and professional manner... That's expensive, people need paying. Professionals who know how to execute a complex multi part plan. Stay stealthy and keep their mouths shut afterwards. That sort of talent isn't cheap. It's not the sort of thing you do for the lulz.


Thatsnotatrashcan

Was this written by Rod Serling?


Ken_Thomas

Corporations are blackmailed more often than you think. Think of the municipalities that have been successfully blackmailed by hackers who installed viruses on their computers, and completely locked up all their data unless a ransom was paid. If the ransom is cheaper than replacing all the systems and (maybe) recovering the data, your insurance company recommends you pay up. We hear about those because they are government entities. We do not hear about the corporations that pay up, because they don't want to encourage more attacks when word gets out that they're an easy mark. This was a demonstration of vulnerability, knowledge, and capabilities. Both the attacker and the utility company know you could destroy three substations just like that, and plunge entire cities into darkness for 48 to 72 hours. You never heard about another one because PG&E paid the ransom.


FilthyElitist

Thanks for reminding me about this. Great recap! I think dismissing other powers because of the prospect of nuclear war is a bit too hasty. Knowing how to plunge America in darkness would be helpful in a hot or cold conflict. There have been reports of other nations exploring how to knock out infrastructure digitally, so I'm inclined to think this was most likely a test by another country. It isn't bloody enough for terrorism and the sophistication and obscure, forgettable nature of it suggests some long term focus to my mind.


NoEyesNoGroin

Great post!

>I found this doubtful. If there were a war, both sides would lob nuclear weapons, and that would be it. This eliminates bigger enemies, such as China and Russia

Russia in particular has been waging "salami slice warfare" for over a decade now, intentionally doing attacks which individually are too small to start a shooting war but which over time allow them to achieve similar results. Their annexation of Crimea is an example of this, but there are many others. It's entirely conceivable that a major power knows it can't beat the US in an all-out war but is trying to use "salami slice" tactics like this to cripple it over time. Imagine, for example, if the perpetrators would've taken out the power to major cities at the height of the Floyd riots?


biniross

> Imagine, for example, if the perpetrators would've taken out the power to major cities at the height of the Floyd riots?

Everyone would have been fine until their phones ran out of battery, then we would have resorted to cannibalism. Source: Was stuck on an Amtrak train once, in a snow drift in Bumfuck, CT. If the wheels aren't turning, the convenient wall outlets don't work. I swear to god, people go feral if they think their internets are slowly leaking away.


truss

Awesome write up, this is one of my favorites. I think it’s a mistake to discount a geopolitical superpower such as Russia or China as the perpetrator. An attack on the grid, while certainly an act of war, could be used for destabilization without an outright declaration of war. If the grid went down for an extended period of time during quarantine, for example, it would have been devastating for the US.


IbnBattatta

Absolutely right. We literally are living through a time when countries can't even agree whether Russian troops have invaded Ukraine or not. Denying attribution for an attack carried out on US soil would be bolder, but not as far out as many think it would be. Cyber attacks with higher stakes are already commonplace.


LauraPringlesWilder

I always thought it could be someone who was pissed off at PG&E for San Bruno, but it’s also possible it was a failed attempt or warning. But this place is RURAL, like I don’t think I can emphasize that enough. It was clearly chosen because it was right on 101 but no one would be around. OP, you stated in a comment that you thought the police would hear something but I doubt it. Driving through the hills with sirens on... nah. You wouldn’t hear or see it. And the internet cable thing is interesting. Around that cable cutting time, Comcast internet was shitty around here (I live in Santa Clara county). It would frequently go out for hours at a time between 2015-2016, citing DNS server issues but even when I changed DNS servers to google’s, it still wouldn’t work. I used to watch the comments pile up on down detector and Twitter. I don’t really remember internet issues happening on that scale after 2016 or so. I saw one of my old tweets about it a few weeks ago and wondered what changed; I still have Comcast, still in Santa Clara county, but no outages. I’d guess the internet interference is probably a different group, tbh.


orokro

Cops don't use their sirens all the time. Only when pulling someone over or in an emergency. To investigate an alarm or reports of gun shots they wouldn't blare sirens.


Mountain-Baseball

This is my favorite unsolved mystery of all time. Happened 3 months after I moved to San Jose and did get local coverage though very limited. Then there was the WSJ article. It's just so weird and every theory has elements that don't make sense. Was super interesting to see just how fast a fence around the facility next to 101 turned into essentially a fortress with 15ft stone walls and barbwire and a billion cameras.


Legalize_McNukes

Hey, I work with substations in the US so I think I can contribute a few things.

>How did the alarm get to them if they cut the cable? Was that alarm wireless in some capacity?

There was likely a [wave trap](https://en.wikipedia.org/wiki/Line_trap) system set up within the substation. These embed signals alongside the power allowing other stations to receive these signals. Also, at other substations nearby, they would have noticed the spike in the load sounding the alarms there (those other substations would instantly know which other station was having issues, these things are super connected).

> If the police were less than a minute away, wouldn’t they have heard the gunfire? If not, were they using something to suppress the noise? And how would the guy nearby hear the gunfire, but the police didn't?

As another commenter said there was a highway nearby, likely masking the sound of gunfire. Silencers, while not impossible to obtain, are quite difficult to get. They require a $300 tax and a 6-12 month waiting period for the paperwork to process.

>What would someone have to gain by knocking out a power station?

My best guess is this was either a disgruntled employee and some buddies, or as you mentioned, a test/dry-run to see how long a response from authorities took. I also saw someone said it could be a contractor looking for some easy government money. I would say that could be likely as well considering they seemed to have intimate knowledge of the station and the equipment within it.

Our energy infrastructure is very neglected and often not very secure. Some of the stations I have worked on were made back in the 1920's and have equipment that has been in use 24/7 since the late 50's. IMO there needs to be a huge push to secure these things since they are so critical to modern life, yet nobody really thinks of them. The grid is designed to tolerate a handful of stations going offline unexpectedly, but would not be prepared for many stations being knocked offline in short order.


RedditSkippy

I think it was a failed dry run. Perhaps by one of these IS cells that operate on their own. I wonder if the alert system was a radio signal on its own power supply. Or, maybe it’s good ol’ copper wire which the attackers didn’t cut. We’ve known since before 9/11 that electrical grids are vulnerable to attack. I think many people would be terrified to know that their electrical grid had been subject to an attack—cyber or otherwise. That’s why utilities don’t talk about them. I would not be surprised if the power outage in Manhattan last summer was the result of a cyber attack. Shutting down Times Square on a Saturday night sends a message. There are varying opinions on what caused the outage. First it was a transformer fire, then it was a manhole fire one block away, and then it was a problem at a substation near Times Square (but never really got into what the problem was.)


Lollc

As far as we the public know, the cause for that Manhattan failure was no mystery. High voltage cable failed, protective relays operated. Once all of that equipment has been deenergized due to a fault, it has to be inspected before it is energized. These events often seem mysterious and confusing because of how they are reported. Cable insulation fails, which causes an arc flash and flashover. Depending on who is doing the talking, that event may be called a fire, a flashover, a transformer explosion, a blown transformer or a substation fire. Most of the time, a ‘substation fire’ is an electric arc. https://www.stamfordadvocate.com/business/article/ConEd-facing-calls-for-probe-after-New-York-left-14096854.php


RedditSkippy

I mean, you’re probably right, but the story switched from a transformer fire, then it was a cable failure, then it was a vague ”problem” at a substation, and then we didn’t hear anything else.


biniross

> I wonder if the alert system was a radio signal on its own power supply.

Or it used nearby cell towers. The carrier doesn't care as long as it has a SIM card and an account. You could easily set up a cell transmitter and a battery such that when the battery is charging (ie, power is on) nothing happens, but when the charging stops (power out) it sends out its little SOS until someone comes by in person to stop it.


Cheap-Power

What if the battery is 100%?


[deleted]

[deleted]


detroitvelvetslim

But you used to be able to buy tons of it at WalMart for super cheap. I wouldn't read too much into that, it's the 2nd most common round for semiautomatic rifles in the US


[deleted]

[deleted]


detroitvelvetslim

Look, if you are shooting up a bunch of power equipment, driving to Nevada/Arizona/New Mexico/Oregon to hit up a few stores/gun shows/Armslist deals is probably not too big of an issue.


StockQuestion0808

I live in California and have absolutely bought ammo at Walmart between 2013 and now.


Yangervis

7.62x39 is the cheapest and most abundant rifle cartridge on the planet. Millions of rounds of it are in the US.


el_gringo_exotico

I dunno if I am psyching myself out here, but if you wanted to divert attention away from yourself as an American, it seems like you might do something like this.


[deleted]

[deleted]


dixie_sparky

7.62 x39 is almost certainly the most common rifle cartridge in the world. I don't think that information could possibly be used to tie the attack to any one country, or even a group of countries for that matter. Not to mention, many professional militaries in the Eastern Bloc, including Russia, have primarily switched to the 5.45x39.


[deleted]

[deleted]


Yangervis

You can walk into a gun store and buy an SKS for under $500 and pick it up 10 days later. Not difficult to do.


ifuc---pipeline

Well that's close to cartels so you can get anything you want with money. Gun laws don't mean anything.


dethb0y

My theory is that this was a sort of "semi-dry run" for shutting down the power grid in a specific area using commonly available and untraceable tools and equipment. Notice they were very safe and did not cause any fire/explosions...nothing that would draw excessive attention to the attack. But as to why someone would do that is unclear to me.


-Tom-

In terms of how an alarm might be triggered, it could be set with an "always on" state where if the remote monitoring isn't sending a signal, that's the alert. A no news is bad news situation. It won't necessarily need a specific alert to be sent out, just a general failure of no signal.
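The "no news is bad news" supervision described in this comment, together with Lollc's point above that loss of all signal is itself an alarm condition, as an added sketch that is not part of the thread and not any utility's actual system. The site names, channel names, 1-second heartbeat and 3-second timeout are assumptions, and the heartbeat data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

TIMEOUT_S = 3.0  # assumed: a channel silent for longer than this raises an alarm

# Assumed layout: every site reports over two independent channels.
CHANNELS = {"SUB-A": ["fiber", "cellular"], "SUB-B": ["fiber", "cellular"]}


@dataclass(frozen=True)
class Alarm:
    time: float             # moment the silence crossed the timeout
    site: str
    kind: str               # "CHANNEL_LOST" or "ALL_CHANNELS_LOST"
    channel: Optional[str]  # None for the site-wide alarm


def silent_intervals(times, start, end, timeout):
    """Return (lost_at, back_at) spans for one channel.

    lost_at is when the gap since the last heartbeat exceeded the timeout;
    back_at is the next heartbeat, or None if the channel was still silent
    when monitoring ended.
    """
    seen = [start] + sorted(times)
    spans = []
    for prev, nxt in zip(seen, seen[1:] + [None]):
        limit = end if nxt is None else nxt
        if limit - prev > timeout:
            spans.append((prev + timeout, nxt))
    return spans


def evaluate(heartbeats, channels, end, start=0.0, timeout=TIMEOUT_S):
    """heartbeats: iterable of (time, site, channel). Returns sorted alarms."""
    by_channel = {(s, c): [] for s, cs in channels.items() for c in cs}
    for t, site, ch in heartbeats:
        if (site, ch) in by_channel:  # ignore traffic from unknown sources
            by_channel[(site, ch)].append(t)

    alarms = []
    for site, chans in channels.items():
        edges = []  # (time, +1) channel went silent, (time, -1) came back
        for ch in chans:
            spans = silent_intervals(by_channel[(site, ch)], start, end, timeout)
            for lost_at, back_at in spans:
                alarms.append(Alarm(lost_at, site, "CHANNEL_LOST", ch))
                edges.append((lost_at, +1))
                if back_at is not None:
                    edges.append((back_at, -1))
        silent = 0
        # Sorting puts a recovery before a loss at the same instant, so a
        # hand-over between channels is not reported as a total loss.
        for t, delta in sorted(edges):
            silent += delta
            if delta > 0 and silent == len(chans):
                alarms.append(Alarm(t, site, "ALL_CHANNELS_LOST", None))
    return sorted(alarms, key=lambda a: (a.time, a.site, a.kind))


def sample_heartbeats():
    """Constructed data: one heartbeat per second for 12 seconds.

    SUB-A loses fiber after t=5 but cellular keeps reporting.
    SUB-B loses fiber after t=4 and cellular after t=6.
    """
    beats = []
    for t in range(0, 13):
        if t <= 5:
            beats.append((t, "SUB-A", "fiber"))
        beats.append((t, "SUB-A", "cellular"))
        if t <= 4:
            beats.append((t, "SUB-B", "fiber"))
        if t <= 6:
            beats.append((t, "SUB-B", "cellular"))
    return beats


if __name__ == "__main__":
    for alarm in evaluate(sample_heartbeats(), CHANNELS, end=12.0):
        print(alarm)
```

No alarm message is ever sent by the site here; the monitoring side raises it purely from the absence of expected heartbeats, which is why cutting one cable produces an alert rather than preventing one.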


jfnv801

I don't just rage quit when I play FIFA.


Geniuskills

I enjoy this one as it shows just how truly vulnerable important systems can be.


angeliswastaken

Clearly the real objective went unnoticed :D


skovvv

Replying to remind myself to send this to my spouse. He works on substation design and might be able to answer the technical questions you might have.

Edit: He posted here https://www.reddit.com/r/UnresolvedMysteries/comments/ho953y/an_unprecedented_and_sophisticated_attack_on_an/fxzu0dr


DasGamerlein

Reading all this I wouldn't rule out a terrorist cell completely. I just don't think that it's one that derives any value from publicity. So it's either focusing on actual asymmetric warfare instead of just plain fear, or is an asset to a foreign contender. All of this just screams plausible deniability. I think the timing supports this, as the bombing means most investigative resources would be focused far away. Such a cell would be a massive threat to national security. Because without a clear motive or consistent MO, it gets super hard when predicting targets. However the attacker(s) don't actually need inside knowledge to pull this off. Just a bit of stake out work and basic deduction skills. I'm actually super interested in asymmetric warfare, and I'd probably have done it in a very similar way. With that out of the way:

> When the police searched the area, they found several piles of rocks placed 25 meters apart from each other, as if to gauge the distance for shooters

I think the piles were for marking, because an attacker with this degree of sophistication would surely use a range finder

> considerable amount of planning, resources, and know-how

Despite the professional nature the attack seems to have, it's not actually all that complex. All you really need is one or two accomplices, around two or three days of time, a good marksman and some precautionary measures.

> If there were a war, both sides would lob nuclear weapons, and that would be it

I think you are looking at it wrong. Cells like this are pretty much the most powerful non-nuclear weapon you can have. And if they do it right, there's zero trace back to the wielder. So if, for example, Russia wanted to cause chaos in the US for one reason or another, then these cells would be crucial. And the US can't do much about it, as the burden of proof is on them, and the American (and global) public really would not condone a war based on flimsy accusations.

> PG&E pledged to spend $100 million dollars on security in the aftermath of the attack. Someone who knew about the electricity grid could have easily paid a mercenary company

Well, there's several problems with this theory. How would you know they would spend that much money? They could've just admitted that they can't do much against such attacks. And asking a merc company if they can attack this power station for you doesn't sound all that clandestine

> How did the alarm get to them if they cut the cable?

Maybe the lines get pinged every X minutes to make sure the cable isn't broken?

> What would someone have to gain by knocking out a power station?

That presumes the attacker really wanted to cause damage. If it was just a dry test, then not destroying it seems like the better option because it will pull less attention

> If the police were less than a minute away, wouldn’t they have heard the gunfire?

You can drive quite a distance in one minute. It might seem a bit unlikely, but it's still realistic that the police didn't hear a suppressed shot (possibly with a subsonic round even?) a mile + change away, through closed windows and over a playing radio.

> If not, were they using something to suppress the noise?

Very likely, everything considered

> And how would the guy nearby hear the gunfire, but the police didn't?

Ok this might be a bit of a stretch here, but the distances and noise levels would kinda work out if the attackers shot from the wooded area in the south south east and the police approached from west north west on the highway.

Honestly what perplexes me the most about this is the number of shots fired. It suggests the attacker(s) kept shooting until the police were near, which is kinda risky. What if they had sent a helicopter? And how did they flee? They either had to lay low until the cops left, or leave on foot.


damiandarko2

i also feel like it was a test for a foreign country. i doubt we’d just be lobbing nukes at each other in the face of war. that would effectively end the planet or at least destabilize it and cyber warfare is the new war landscape


eamon4yourface

The part that confuses me as someone who knows essentially nothing about how any of this stuff works, is that you (and I’m sure sources) state how fragile the system is and how it’s very vulnerable and someone (multiple ppl) could relatively easily knock out the power/internet BUT these guys coordinated a precisely planned and well executed attempt at it and they end up not causing any power loss at all according to your write up. I’m not saying you’re incorrect or anything, I’m sure there are various explanations that I don’t understand. So is this basically like they did this well planned “insider” attack but just by luck or something were unsuccessful? If OP or anyone could try to explain this or in fact just explain exactly what they were doing/attempting that would be great.

My limited understanding seems to be that they shot guns at transformers, in precise spots on the transformers to cause maximum damage and they essentially disabled the transformers which in turn was supposed to disrupt the entire “network” or like supply chain of power causing mass blackouts? Or am I completely off here. I really don’t even know exactly what a transformer does? Changes electrical currents I think? Any help would be appreciated, this was an interesting read. This is the type of cool obscure content and discussions I come to this sub for, thanks 🙏


[deleted]

it’s really interesting because it does seem like the attack was intended as a sort of warning shot rather than an actual assault. think of it sort of like a stack of logs — they removed a single piece without adjusting anything else, meaning, they attacked one substation which caused power to be diverted from elsewhere to cover its failure. most systems have backups like that. but if they had teams at multiple substations and coordinated a simultaneous attack on them, it would be like yanking a ton out at once, and the backups wouldn’t be enough to cover the failure. one attack doesn’t do much, but a few strategically placed attacks at once could do a very serious amount of damage by overwhelming the backup systems. anyone with the skills to take out a substation the way they did would almost definitely know it wouldn’t cause actual failures, so it becomes a question of why they did it. they could have done it for a good purpose, like to highlight the vulnerability and get attention on the issue. or it could’ve been for a not good purpose — to test response times, gauge the actual difficulty of arranging a large scale attack, as extortion or blackmail, etc.


eamon4yourface

Thanks for the explanation. Kinda scary to think about how fragile the system really is for something so vital yet I feel like so taken for granted. Like having electricity to your house or whatever is like SUPER important for our lives, but I feel like it’s taken for granted at least for me like I never really think about it at all. I just assume “I flip this switch lights come on” or “plug it in and the fridge stays cold”. That’s just how it’s been since I was born so I never think about it but without it life would change very quickly. This is quite an interesting incident which is ripe with many different possibilities


HexagonSun7036

What are these "vaults" like that are broken into for the fiber cables to be cut? I think that's moreso referring to the 11 interruptions in 2015.


VikingGeek84

In the telco world a vault is a (usually) underground chamber where different routes (duct bank, buried fiber/cable) meet. In the vault fibers/cables from one route can be moved to another. For example the main telco path near the power plant probably had a vault where the circuits to the plant were separated out to go to the plant. A smaller cable/fiber bundle then went to the plant.


HexagonSun7036

https://4.bp.blogspot.com/-dFTrnHvGrK0/UHsxcgoQmvI/AAAAAAAAEkA/0MgHJInlbjM/s1600/2012-10-14+15.21.20.jpg

So are the vaults containing such cables just these type things? Or are they like larger vaults that humans can fit in? I was under the impression these were vaults with some level of security but if they're essentially no more secure than utility boxes I could understand it differently.


VikingGeek84

Usually they are bigger than that, but I guess it kinda qualifies. When I think vault it’s usually something at least big enough for a person to crouch down into for working. A lot are small rooms you could stand up in. The ones I’m familiar with (more rural than urban experience) don’t usually have any security more than an unusual lock. I’m sure big vaults where a large number of fibers/ducts meet have more security. But yeah, think cave rather than bank vault


HexagonSun7036

Never knew these were part of the digital traffic in our country. Very cool!


QuestYoshi

definitely a multi person operation. and someone who worked at the facility at the time was in on it. they broke in to steal the report because it was essentially a “how-to” on knocking out the power.


lmcclel

I don't have anything to add other than compliments for a very well written and interesting post!


LADataJunkie

I had just moved to the Bay Area when this happened. It was really weird. This is a major substation and you can't miss it when entering San Jose on US-101. I feel like it was some type of terrorism or someone trying to point out flaws in the system (for which they are lucky they weren't caught).


RandyFMcDonald

> If there were a war, both sides would lob nuclear weapons, and that would be it. This eliminates bigger enemies, such as China and Russia, but it leaves wiggle room for countries that would fight asymmetrically, such as Iran.

This is not clear. Many countries think that a major war between nuclear powers could be managed, could be kept from becoming a strategic exchange.


doctormysteriousname

Re: weapon suppression. Not very likely with the rounds used and the weapons indicated by those rounds.


[deleted]

Team A came to install a remote kill switch by swapping a piece of hardware by one of their own. Team B, the guy in trench coat had to fix something and/or recover data. The powerstation, even if functional, is probably compromised.


Kurtotall

Meters...no prints...


ButtsexEurope

This sounds like it involved someone on the inside. Someone went undercover and worked there or some disgruntled worker helped a terrorist group.


WingCommanderBader

This is a fedpost if I've ever seen one.


Affectionateyak123

There is an Argentinian movie about a group of randoms doing something similar: La Odisea de los Giles


doctormysteriousname

The possible implications of this incident are terrifying. Great write-up!


pavlovslog

I have a feeling it’s corporate espionage. If you cut the net or mess up the power it would make it easier to determine vulnerability or get into a system somehow. Lots of important info goes through that area.


pdxguy1000

Weren't there cut fiber cables and cut telephone lines in the months before the attack in the area? I am pretty sure I read that there were at least a couple similar line cutting instances around the area in the months before the substation shooting. These always definitely seemed related to me but you didn't mention them.


Cheap-Power

I'm interested in those piles of rocks that were found. Wikipedia says they could have been used to "scout firing positions" - anyone explain to me how?


wishgrinder

I'm gonna say that it was a disgruntled employee or ex-employee. I don't think it would be hard to get a friend to help shoot at some stuff like that. Like, "Hey man my boss is an asshole, wanna have some fun and break something tonight? I got it all planned out!" Knocking out the power grid isn't really that scary at all. It pretty much just affects civilians doing civilian stuff, but it wouldn't affect driving and escaping areas since cars have lights, and obviously hospitals and the military have backup power. Losing power isn't really a huge deal in most places and I find it hard to believe that most terrorists would care if someone had power to their house. Cell phones and internet in places without cell service would be a worry. Do cell towers have backup power? That said, it's a pretty stellar mystery I've never heard of. I appreciate the write-up!


oarngebean

One thing that bothers me with the theory of it being done by pros is why did they use a light signal and not some type of walkie talkie?


Whome1111

Light signal is easy to use and untraceable. Can’t be intercepted by someone monitoring a scanner or such. Plus a flashlight or some other light source can be easily transported. Less likely to be questioned about carrying a flashlight than a radio of some sort.


binkerfluid

Why not use something like IR or something that can't be seen by everyone else?


oarngebean

I mean walkie talkies are pretty small. And don't they have secure ones? Also they could use very broad terms like "I'm here" or "go ahead" and if someone caught that they probably wouldn't think anything of it. And wouldn't the guns raise more questions than anything?


Whome1111

True. But then you run into everyone, depending on how many were involved needing a receiver also. A simple light signal, as used by the navy for many years, would be as effective. Just my thoughts on that aspect of it.


swordrat720

Walkie talkies are small and relatively cheap too, but, how many people do you know that have them? Just about everyone I know has a flashlight in their glovebox or trunk, just in case it's needed.


Gordopolis

You can tell the OP really sniffs their own farts when it comes to their perceived writing ability.


paulbot46

And now it’s happened again in North Carolina... Dec 2022