The cyber-attackers that targeted Ukraine's energy distribution infrastructure in December were "highly structured and resourced," taking down than 27 substations in an attack against Ukrainian power companies, according to a report released by the Electricity Information Sharing and Analysis Center (E-ISAC) on March 21.
Three separate energy companies—known as "oblenergos"—all came under attack on Dec. 23, 2015, blacking out power to 225,000 customers. While the companies restored power within a few hours, destructive programs erased much of the data and slowed power companies' efforts to investigate the incident, similar to previous attacks that had targeted oil-and-gas giants Saudi Aramco and RasGas as well as entertainment firm Sony Pictures, three investigators from cyber-security company SANS Institute stated in the report.
"This is an escalation from past destructive attacks that impacted general-purpose computers and servers," they wrote. "Several lines were crossed in the conduct of these attacks as the targets can be described as solely civilian infrastructure."
The attackers used a variety of common techniques to infiltrate the energy companies' systems, such as spearphishing, malware-laden Microsoft Office documents and a common malware program known as BlackEnergy 3.
However, they also created custom malware that shut down the energy firm's distribution substations. In addition, the attackers targeted the call center for the Ukrainian electricity-distribution firm Kyivoblenergo, making it more difficult for customers to report outages.
Three investigators from the SANS Institute—Robert M. Lee, Michael Assante and Tim Conway—worked with the Electricity ISAC to investigate the outage and produce the report.
The Ukrainian electricity distribution company is not the only critical infrastructure provider to suffer from a cyber-attack aimed at creating physical consequences. A water utility suffered a compromise in 2015 in which attackers gained access to its operational systems, routed sewage into drinking water, and increased the levels of chlorine in the water, according to Verizon's Data Breach Digest released in early March.
While the Ukrainian government blamed Russia for the attack, the E-ISAC report did not focus on linking the incident to any particular group or nation. However, the investigators did call the attacker, "a highly structured and resourced actor." The attackers used a destructive attack, known as KillDisk, which deleted data on the victims' hard drives, an increasingly common technique in nation-state-attributed attacks.
The investigators refuted public theories that the outage could have been a side effect of the destructiveness of the attack.
"Regardless of the impact [on] the SCADA network environment, neither BlackEnergy 3 nor KillDisk contained the required components to cause the outage," the investigators wrote. "The outages were caused by the use of the control systems and their software through direct interaction by the adversary."