Hackers Infiltrated Ukrainian Power Grid Months Before Cyber-Attack
While the attackers caused the outage, the energy companies had left plenty of weaknesses for them to target. A variety of information on the SCADA (supervisory control and data acquisition) hardware deployed in the distribution company's network was available online. The company also failed to put two-factor authentication on its Virtual Private Networks. The three companies were likely targeted because of their significant use of automation in controlling their electricity-distribution systems, investigators said.

In all three attacks, the methods used by the attackers were similar. The attackers sent victims email messages that appeared to come from people they knew, carrying a Microsoft Word or Excel document with BlackEnergy 3 embedded in the file. Such spearphishing attacks are a common and effective way to infect employees' computers.

A recent poll by Tripwire of 150 IT professionals in critical-infrastructure industries found that 100 percent of executives thought that a cyber-attack could cause physical damage to their systems. "There can be no doubt that there is a physical safety risk from cyber-attacks targeting the energy industry today," Tim Erlin, director of IT security and risk strategy for Tripwire, said in a statement. "While the situation may seem dire, in many cases there are well-understood best practices that can be deployed to materially reduce the risk of successful cyber-attacks."

In the Ukrainian power networks, attackers had control of systems within the energy companies for more than six months, according to the SANS report. They immediately harvested credentials and escalated privileges to move from computer to computer within the network. The attackers then moved quickly to the operational side of the network, compromising SCADA dispatch stations. At this stage, the attackers reconnoitered the victims' networks to determine what type of industrial-control hardware the energy firms were using.
The report recommended that critical infrastructure firms train their end users to be more aware of security threats, such as phishing, but noted that technologies such as application whitelisting would have had a limited impact on the attacks. Network segmentation and directory segmentation could go a long way toward disrupting attackers' operations in the future, the report stated. Companies should also evaluate Virtual Private Network access and only allow critical connections through a DMZ. "Infrastructure defenders must be ready to confront highly-targeted and directed attacks that include their own ICSs [Industrial Control Systems] being used against them, combined with amplifying attacks to deny communication infrastructure and future use of their ICSs," the investigators said. "Nothing about the attack in the Ukraine was inherently specific to Ukrainian infrastructure."
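The chain the report describes (harvested credentials reused from computer to computer, then a hop into the SCADA dispatch segment) and the segmentation recommendation above can both be checked against logon records. The following is an added example, not code from the report or from the companies involved; the log format, hostnames and the hostname-prefix zone rule are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (hypothetical format):
# timestamp, account, source host, destination host.
SAMPLE_LOG = """\
2015-11-02T08:01:10 ops_admin ws-101 fs-01
2015-11-02T08:05:42 ops_admin ws-101 ws-117
2015-11-02T08:06:03 ops_admin ws-117 ws-130
2015-11-02T08:07:15 ops_admin ws-130 dispatch-01
2015-11-02T09:30:00 jdoe ws-205 fs-01
2015-11-02T09:45:00 hmi_eng hmi-02 dispatch-01
"""

def zone_of(host):
    """Hypothetical zone assignment: HMI and dispatch hosts form the SCADA segment,
    everything else is corporate IT."""
    return "scada" if host.startswith(("hmi-", "dispatch-")) else "corp"

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)  # chronological order, oldest first

def find_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts that log on to at least min_hosts distinct destinations within window."""
    by_user = defaultdict(list)
    for ts, user, _src, dst in events:
        by_user[user].append((ts, dst))
    flagged = {}
    for user, hits in by_user.items():
        for i, (start, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = hosts
                break
    return flagged

def find_segment_violations(events):
    """Logons into the SCADA zone that originate from a host outside it,
    i.e. traffic that segmentation or a DMZ should have blocked."""
    return [(user, src, dst) for _, user, src, dst in events
            if zone_of(dst) == "scada" and zone_of(src) != "scada"]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("lateral movement:", find_lateral_movement(ev))
    print("segment violations:", find_segment_violations(ev))
```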
A third of respondents in the Tripwire study acknowledged that some threats escaped their security monitoring systems, while a third of those polled believed they could catch every threat.