A cyber attack on Ukraine’s power grid that caused a six-hour blackout before Christmas raises concerns about the cyber-preparedness of infrastructure operators around the world.
The attack on 23 December has been described as a major milestone in cyber security. It is the first known power outage caused by hackers and also the most complex cyber attack on infrastructure to date.
“This incident is a milestone because it is the first major cyber attack to substantially affect the civilian population and because of the overwhelming importance of the grid to multiple reliant sectors,” said US cyber-security firm iSight Partners, which has been investigating the incident. The firm attributed the attack, which affected 80,000 people in western Ukraine, to a Russian hacking group known as Sandworm.
Two types of malware were found on the affected utility networks: BlackEnergy 3, which the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said infiltrated the utilities’ networks via an infected Microsoft Word email attachment, and KillDisk, which was used to wipe out systems for remote monitoring and control.
The malware, however, was just one part of the overall masterplan. Analysis by US cyber-security firm SANS ICS found that the BlackEnergy 3 malware only enabled the attackers to blind operators and open gateways into the systems, while the KillDisk attack made it impossible to switch power back on remotely once the breach was detected.
The firm believes the actual act of disconnecting substations from the electricity grid was carried out remotely by the attackers themselves. Ukrainian utilities Kyivoblenergo and Prykarpattyaoblenergo were among the affected electricity suppliers.
To make matters worse, the perpetrators subsequently flooded the companies’ service centres with calls to make it impossible for customers to report the outage. Power was only restored after the utilities switched to manual operations and disconnected the infected workstations and servers from the network.
“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA [supervisory control and data acquisition] servers after they caused the outage,” SANS ICS director Michael Assante wrote in a blog post published on the company’s website.
“This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware.”
The complexity of the attack is what raises concerns and has prompted calls for infrastructure operators to start taking the issue of cyber security much more seriously.
“It is probably the first time that we have seen something so sophisticated,” said IET cyber-security expert Hugh Boyes. “Until now there have been incidents like malware getting onto a system or a denial of service attack but not a coupling of several different modes of attack. This is clearly raising the stakes.”
ICS-CERT said that over the past year it has registered a growing number of attacks attempting to penetrate industrial control system networks. These systems, essentially computers used to control the operation of industrial processes, frequently run outdated software that is difficult to patch. Moreover, for convenience and operational reasons, they are often connected directly to the Internet in the same way as ordinary PCs, making them extremely vulnerable.
“I am very dismayed at the accessibility of some of these networks,” said Marty Edwards, head of the ICS-CERT team, at a cyber-security conference in Miami. “They are just hanging right off the tubes.”
In fact, BlackEnergy 3, the malware associated with the Ukrainian power hack, was found last year in computer networks of some US critical infrastructure operators.
The BlackEnergy trojan has been around since 2007. Originally used for denial-of-service attacks, the malware has undergone a significant evolution. Plugins have emerged over the years enabling it to download custom spam or steal banking information. The Russian Sandworm group, first exposed in 2014, has adopted it for cyber-espionage. Cyber-security researchers said the group has been increasingly using the malware on Ukrainian and European targets throughout 2015.
“Industry experts have been talking about how cyber-attacks could directly affect the power grid for a long time, so it shouldn’t be a surprise that it’s now actually occurred,” said Tim Erlin from Oregon-based cyber-security firm Tripwire.
“Energy companies need to invest in securing their infrastructure, from control systems to corporate IT. Investment isn’t just about buying products. It’s about people, skills and process.”
Human factors pose a considerable risk. As in the Ukrainian case, where the BlackEnergy malware penetrated the network via a simple phishing scam, attackers frequently target users’ weaknesses, including overly simple passwords.
Boyes believes that companies would benefit from conducting regular cyber-security drills similar to fire alarm exercises.
“Infrastructure companies would clearly benefit from doing regular exercises to ensure that staff across the board are fully prepared and know what to do in response to such an attack,” he commented.
“In the wake of the Ukrainian power hack, we have to ask the question whether we are doing enough to protect our systems. Looking ahead, with the rise of the Internet of Things, these issues will become more widespread as many of these systems are at present not designed with security in mind.”
Ukraine’s state security agency SBU also blamed the blackout on Russia, and the country’s Ministry of Energy has set up a commission to investigate the breach.