The cyber-attackers that targeted Ukraine’s energy distribution infrastructure in December were “highly structured and resourced,” taking down more than 27 substations in an attack against Ukrainian power companies, according to a report released by the Electricity Information Sharing and Analysis Center (E-ISAC) on March 21.
Three separate energy companies—known as “oblenergos”—all came under attack on Dec. 23, 2015, blacking out power to 225,000 customers. While the companies restored power within a few hours, destructive programs erased much of the data and slowed power companies’ efforts to investigate the incident, similar to previous attacks that had targeted oil-and-gas giants Saudi Aramco and RasGas as well as entertainment firm Sony Pictures, three investigators from cyber-security company SANS Institute stated in the report.
“This is an escalation from past destructive attacks that impacted general-purpose computers and servers,” they wrote. “Several lines were crossed in the conduct of these attacks as the targets can be described as solely civilian infrastructure.”
The attackers used a variety of common techniques to infiltrate the energy companies’ systems, such as spearphishing, malware-laden Microsoft Office documents and a common malware program known as BlackEnergy 3.
However, they also created custom malware that shut down the energy firms’ distribution substations. In addition, the attackers targeted the call center for the Ukrainian electricity-distribution firm Kyivoblenergo, making it more difficult for customers to report outages.
Three investigators from the SANS Institute—Robert M. Lee, Michael Assante and Tim Conway—worked with the Electricity ISAC to investigate the outage and produce the report.
The Ukrainian electricity distribution company is not the only critical infrastructure provider to suffer from a cyber-attack aimed at creating physical consequences. A water utility suffered a compromise in 2015 in which attackers gained access to its operational systems, routed sewage into drinking water, and increased the levels of chlorine in the water, according to Verizon’s Data Breach Digest released in early March.
While the Ukrainian government blamed Russia for the attack, the E-ISAC report did not focus on linking the incident to any particular group or nation. However, the investigators did call the attacker “a highly structured and resourced actor.” The attackers used a destructive attack, known as KillDisk, which deleted data on the victims’ hard drives, an increasingly common technique in nation-state-attributed attacks.
The investigators refuted public theories that the outage could have been a side effect of the destructiveness of the attack.
“Regardless of the impact [on] the SCADA network environment, neither BlackEnergy 3 nor KillDisk contained the required components to cause the outage,” the investigators wrote. “The outages were caused by the use of the control systems and their software through direct interaction by the adversary.”
Hackers Infiltrated Ukrainian Power Grid Months Before Cyber-Attack
While attackers caused the outage, the energy companies had left plenty of weaknesses for them to target. A variety of information on the SCADA (supervisory control and data acquisition) hardware deployed in the distribution company’s network was available online. The company also failed to put two-factor authentication on its Virtual Private Networks. The three companies were likely targeted because of their significant use of automation in controlling their electricity-distribution systems, investigators said.
In all three attacks, the methods used by the attackers were similar. The attackers sent victims email messages that appeared to come from people they knew, carrying a Microsoft Word or Excel document with BlackEnergy 3 embedded in the file. Such spearphishing attacks are a common and effective way to infect employees’ computers.
A recent poll by Tripwire of 150 IT professionals in critical-infrastructure industries found that 100 percent of executives thought that a cyber-attack could cause physical damage to their systems.
“There can be no doubt that there is a physical safety risk from cyber-attacks targeting the energy industry today,” Tim Erlin, director of IT security and risk strategy for Tripwire, said in a statement. “While the situation may seem dire, in many cases there are well-understood best practices that can be deployed to materially reduce the risk of successful cyber-attacks.”
A third of respondents in the Tripwire study acknowledged that some threats escaped their security monitoring systems, while a third of those polled believed they could catch every threat.
In the Ukrainian power networks, attackers had control of systems within the energy companies for more than six months, according to the SANS report. They immediately harvested credentials and escalated privileges to move from computer to computer within the network.
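As an added illustration of the two weaknesses described above (VPN access without a second factor, and harvested credentials reused over months), here is a small detection routine run over constructed VPN gateway log lines; it is not from the report or the article, and the log format, field names and shift hours are assumptions.

```python
import re
from datetime import datetime

# Constructed VPN gateway log lines in an assumed format (not real data).
SAMPLE_LOG = """\
2015-06-14T02:13:41 vpn-gw login user=dispatcher7 src=203.0.113.9 mfa=none result=success
2015-06-14T09:02:10 vpn-gw login user=jdoe src=198.51.100.23 mfa=push result=success
2015-06-14T09:05:55 vpn-gw login user=jdoe src=203.0.113.77 mfa=push result=success
2015-06-14T14:30:00 vpn-gw login user=ops_admin src=198.51.100.40 mfa=token result=failure
2015-06-14T23:58:02 vpn-gw login user=ops_admin src=203.0.113.9 mfa=none result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)
BUSINESS_HOURS = range(7, 19)  # assumed dispatch shift: 07:00 to 18:59
TRAVEL_WINDOW_S = 3600         # same account from a new source within an hour

def parse(log_text):
    # Turn matching lines into dicts; lines in another format are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_findings(events):
    # Return (user, reason) pairs for successful logins an analyst should review.
    findings = []
    last_seen = {}  # user -> (timestamp, src) of the previous successful login
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        if ev["mfa"] == "none":
            findings.append((ev["user"], "login without second factor"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append((ev["user"], "login outside dispatch hours"))
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["src"] and (ev["ts"] - prev[0]).total_seconds() < TRAVEL_WINDOW_S:
            findings.append((ev["user"], f"new source {ev['src']} shortly after {prev[1]}"))
        last_seen[ev["user"]] = (ev["ts"], ev["src"])
    return findings

if __name__ == "__main__":
    for user, reason in find_findings(parse(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

On the constructed sample this flags both no-MFA logins, both off-hours logins, and the jdoe account appearing from a second source three minutes after the first; failed attempts are deliberately left out so only established sessions are reviewed.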
The attackers then moved quickly to the operational side of the network, compromising SCADA dispatch stations. At this stage, the attackers reconnoitered the victims’ networks to determine what type of industrial-control hardware systems the energy firms were using.
The report recommended that critical infrastructure firms train their end users to be more aware of security threats, such as phishing, but noted that technologies such as application whitelisting would have had a limited impact on the attacks.
Network segmentation and directory segmentation could go a long way to disrupting attackers’ operations in the future, the report stated. Companies should also evaluate Virtual Private Network access and only allow critical connections through a DMZ.
“Infrastructure defenders must be ready to confront highly-targeted and directed attacks that include their own ICSs [Industrial Control Systems] being used against them, combined with amplifying attacks to deny communication infrastructure and future use of their ICSs,” the investigators said. “Nothing about the attack in the Ukraine was inherently specific to Ukrainian infrastructure.”