Cyber Attack Caused Massive Power Outage

Around two years ago, in my Terrorism and the Electric Power Delivery System posting, I wrote that the electrical grid is said to be vulnerable to terrorist attack. I can agree that the electrical power distribution network would be quite vulnerable if someone who knows what to do tried to sabotage it. I know this because I design software and hardware for control systems for electrical companies.

Now it seems that cyber-terrorism hitting electrical power networks is reality: Ukraine blackout is a cyberattack milestone a first for hackers with ill intent. Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack. Hundreds of thousands of homes in the Ivano-Frankivsk region of the country were left without electricity as a result of the attack on December 23.

Experts widely describe the incident as the first known power outage caused by a cyber attack. For some time there had been news reports and theories that the blackout could have been caused by a cyber attack, and now it seems to be confirmed by SANS ICS. After analyzing the information that has been made available by affected power companies, researchers, and the media, it is clear that cyber attacks were directly responsible for power outages in Ukraine. It seems pretty clear that the incident was due to a coordinated, intentional attack. The attack appears to have been enabled by malware but consisted of at least three distinct efforts. Malware and possibly direct remote access were used to blind system dispatchers and to cause undesirable state changes in the electricity distribution infrastructure (direct interaction by the adversary). There was also an attempt to delay restoration by wiping SCADA servers. And there was a denial of service against the phone systems. This was a multi-pronged attack against multiple facilities. Security researchers at antivirus provider ESET stated that Ukrainian power companies were infected with “BlackEnergy” malware, which can install the KillDisk malware or make use of an SSH backdoor to provide attackers with remote access.

ESET stated that the power authorities were hit with the malware via social engineering, using malicious macro functions in Microsoft Office documents. This attack is a rare public example of hackers taking out critical infrastructure and another sign of the rising digitization of warfare.

It’s a milestone because we’ve definitely seen targeted destructive events against energy before (oil firms, for instance) but never an event which causes a blackout. What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards electric utilities may face. We need to learn and prepare ourselves to detect, respond to, and restore from such events in the future.

In this case the utility’s operators were able to recover quickly by switching to manual operations, essentially disconnecting the infected workstations and servers from the grid. If the operator had not had that manual control option, the blackout could have lasted longer and/or been larger.

This is exactly how the next big shit will go down. Take out electricity for more than 24h and you stop a city. 48h and there are riots. 72h and people start to die. A week, and even the Reserve/Army/National Guard will have trouble containing it. A month, and thousands die. As a community the power industry is dedicated to keeping the lights on. Maybe this right here is what we should be afraid of: solar flares, cyberattacks, anything that can compromise our power grid.

Sources:

Confirmation of a Coordinated Attack on the Ukrainian Power Grid

Hackers used malware to confuse utility in Ukraine outage – report

First known hacker-caused power outage signals troubling escalation

Ukraine Claims Hackers Caused Christmas Power Outage

Ukraine Power Outages Caused By Malware, Say Researchers

Potential Sample of Malware from the Ukrainian Cyber Attack Uncovered

30 Comments

  1. Tomi Engdahl says:

    Malware wasn’t sole cause of Ukraine power station outage
    http://www.computerworld.com/article/3020732/security/malware-wasnt-sole-cause-of-ukraine-power-station-outage.html?token=%23tk.CTWNLE_nlt_computerworld_security_2016-01-11&idg_eid=051598d6597df87056c54033166b3242&utm_source=Sailthru&utm_medium=email&utm_campaign=Computerworld%20Security%202016-01-11&utm_term=computerworld_security#tk.cw_nlt_computerworld_security_issues_2016-01-11

    The attackers manually intervened to open breakers that caused power outages

    A new study of a cyberattack last month against Ukrainian power companies suggests malware didn’t directly cause the outages that affected at least 80,000 customers.

    Instead, the malware provided a foothold for key access to networks that allowed the hackers to then open circuit breakers that cut power, according to information published Saturday by the SANS Industrial Control Systems (ICS) team.

    Experts have warned for years that industrial control systems used by utilities are vulnerable to cyberattacks. The Dec. 23 attacks in Ukraine are the most prominent example yet of those fears coming to fruition.

    SANS ICS said the attacks demonstrated planning and coordination. Tensions between Ukraine and Russia have been high since Russia annexed Crimea in 2014.

    While malware was used to gain access to networks, the attackers also used direct intervention to try to mask their actions to the power systems operators, SANS ICS said.

    The attacks reportedly affected two service providers — Prykarpattyaoblenergo and Kyivoblenergo, the latter of which said in a service update that 80,000 customers lost power after 30 substations went offline, SANS ICS said.

    On Thursday, security firm iSight Partners of Dallas said that malware has been used in the past by a group with strong Russian interests nicknamed the Sandworm Team.

    Reply
  2. Tomi Engdahl says:

    Sandworm Team and the Ukrainian Power Authority Attacks
    http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/

    “After analyzing the information that has been made available by affected power companies, researchers, and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine. The SANS ICS team has been coordinating ongoing discussions and providing analysis across multiple international community members and companies. We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a coordinated intentional attack.”

    The SANS ICS blog confirms conclusions previously reached by iSIGHT regarding the nature of the Ukrainian attacks (specifically the role of destructive malware and phone disruption) and attribution to Sandworm Team. iSIGHT Partners believes this incident is a milestone because it is the first major cyber attack to substantially affect the civilian population and because of the overwhelming importance of the grid to multiple reliant sectors. Furthermore, Sandworm Team’s previous interest in US and European critical systems underscores the threat they pose (see below for more on Sandworm Team.)

    Sandworm Team – Historical Targeting of Ukraine and Interest in SCADA Systems

    Since last week, iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers. We have analyzed the forensic evidence we have been able to obtain from the region, contextualizing it within our knowledge of cyber espionage actors. Many details of the event remain unknown, and given the nature of the incident, especially the use of destructive malware, we do not anticipate every detail will be exposed.

    However, we have linked Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that has become their calling card.

    Outlook

    A cyber attack of this nature is a milestone –although a predictable one. The aggressive nature of Sandworm Team’s previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attack. Targeting of critical entities in Ukraine throughout 2015, during a time of war, further presaged a desire to disrupt infrastructure.

    Reply
  3. Tomi Engdahl says:

    SCADA “Selfies” a Big Give Away To Hackers
    http://it.slashdot.org/story/16/01/19/0310229/scada-selfies-a-big-give-away-to-hackers

    The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he’s found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

    “No SCADA selfies!” said Mr. McBride at the S4 Conference in Miami Thursday. “Don’t make an adversary’s job easier.” iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret.

    Worried about cyberattacks on US power grid? Stop taking selfies at work
    http://www.csmonitor.com/World/Passcode/2016/0115/Worried-about-cyberattacks-on-US-power-grid-Stop-taking-selfies-at-work?cmpid=TW

    Experts warn that malicious hackers gain valuable insight when companies and employees reveal too much information on the Web – especially when they work at sensitive facilities.

    The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month.

    Social media oversharing is wellspring of information that could be useful to attackers interested in compromising critical infrastructure, said Sean McBride, senior threat intelligence analyst at iSight Partners. Among the valuable information he’s found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

    iSight has found numerous examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm’s researchers have also discovered panoramic pictures of control room and video walk-throughs of facilities.

    In addition to posting videos and photos on the Web, corporate websites can divulge valuable information to adversaries. For instance, organization charts or lists of employees with contact information accessible via the utility website are valuable sources of information for would-be attackers, says McBride.

    These kinds of easily accessible images have aided critical infrastructure attacks in the past.

    In 2011, industrial control systems expert Ralph Langner used an image of a SCADA control system monitor in one of the photos to match the configuration of the Natanz centrifuges to configuration information in the Stuxnet malicious software created to hobble the facility.

    Today, McBride said that he and fellow researchers have used open-source information from media, government, and private sources to identify 15 facilities in the US that are critical to the operation of the electric grid.

    McBride suggested that critical infrastructure operators think like hackers before posting photos online: “Ask yourself, ‘What do my adversaries know about me and the organizations I support.’ “

    Reply
  4. Tomi Engdahl says:

    Russian hackers behind the Ukrainian power outages

    The Russians represent the cutting edge of cyber attacks

    The group managed to cut off the electricity of about 80,000 Ukrainians for more than six hours.

    The Register quotes SANS experts, according to whom seven 110 kV and twenty-three 35 kV substations went down due to cyber attacks.

    The malware succeeded in breaking the centers’ SCADA control software, as well as shutting down the phone connections. The malware has been identified as BlackEnergy.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3843:venalaishakkerit-ukrainan-sahkokatkosten-takana&catid=13&Itemid=101

    Reply
  5. Tomi Engdahl says:

    Eduard Kovacs / SecurityWeek:
    Attackers using Word documents to deliver BlackEnergy malware linked to recent attacks targeting Ukraine’s critical infrastructure

    Attackers Use Word Docs to Deliver BlackEnergy Malware
    http://www.securityweek.com/attackers-use-word-docs-deliver-blackenergy-malware

    The advanced persistent threat (APT) actor behind the recent attacks targeting Ukraine has started delivering BlackEnergy malware using specially crafted Word documents with embedded macros.

    BlackEnergy malware, which is leveraged by one or multiple groups, has become increasingly sophisticated and its operators have been using it to target energy and ICS/SCADA companies from across the world. A recent campaign involving BlackEnergy malware has been seen targeting Ukraine’s critical infrastructure.

    A coordinated attack launched against the country’s energy sector in December resulted in power outages in the Ivano-Frankivsk region. Investigators found BlackEnergy malware on infected systems, along with a destructive plugin known as KillDisk that is designed to delete data and make systems inoperable. However, experts believe the malware is not directly responsible for the outages, and instead it only helped attackers cover their tracks and make it more difficult to restore service.

    Ukrainian security firm Cys Centrum reported last year that the attackers had leveraged PowerPoint presentations to deliver the malware. In mid-2015, threat actors started using specially crafted Excel spreadsheets with embedded macros to drop the Trojan onto targeted systems.

    Reply
  6. Tomi Engdahl says:

    The effects of a hacked power grid
    http://www.edn.com/electronics-blogs/powersource/4441387/The-effects-of-a-hacked-power-grid?_mc=NL_EDN_EDT_EDN_weekly_20160211&cid=NL_EDN_EDT_EDN_weekly_20160211&elqTrackId=fa23901aa29646f9afdf9e4c56a5e872&elq=47c0069f95944aad8205fdc33fe9724d&elqaid=30798&elqat=1&elqCampaignId=26939

    Oil and gas, water and electric power rely on SCADA (supervisory control and data acquisition), protection, and monitoring systems that use communications networks. The use of communications networks makes these systems potentially vulnerable to cyberattack.

    A power blackout in the Ukraine recently affected about 1.4 million people using an espionage Trojan known as BlackEnergy. The attack looks to be first time that malware has been used to create a large-scale power disruption.

    The power grid failure took down nearly a quarter of the country’s power for several hours. This type of cyber threat is now becoming more of a reality as power delivery and technology continue to merge.

    Today, utilities are faced with a confusing array of cybersecurity guidance, standards, and regulatory requirements.

    Keeping The Lights On — And Hackers From Crossing The Power Lines
    http://graduatedegrees.online.njit.edu/msee-resources/msee-infographics/keeping-the-lights-on-and-hackers-from-crossing-the-power-lines/

    The electric grid in the United States suffers from multiple issues, including inefficiency and high cost. Smart technologies have been touted to solve these and other operational difficulties. Yet, a shift can bring its own problems as well. Mixing power delivery with digital technologies opens up the possibility of disruptions caused by malicious entities. This threat must be seriously considered and mitigated with a carefully crafted strategy.

    Reply
  7. Tomi Engdahl says:

    Techie on the ground disputes BlackEnergy Ukraine power outage story
    And Russia? That’s too convenient
    http://www.theregister.co.uk/2016/01/27/ukraine_blackenergy_analysis/

    A Ukrainian telecoms engineer has raised doubts about the widely reported link between BlackEnergy attacks and power outages in his country.

    Illia Ilin said that reports suggesting Russian state sponsored hackers used the BlackEnergy malware to infect the control systems of energy distribution utilities and cause blackouts last month are at odds with what he’s seeing on the ground. He suggested Ukrainian government officials might be whipping up stories about outages for propaganda reasons amidst the backdrop of ongoing conflict with the Russians, particularly in eastern Ukraine.

    “First of all, there [weren't] any blackouts in Boryspil (KBP),” Illia, who works as a network engineer in a provincial telecommunications firm in Ukraine, told El Reg. “I have not found any news about it on official KBP site or CERT-UA (Computer Emergency Response Team of Ukraine) site.

    “Our Ukrainian mass media informed [us] that only one workstation had been infected. Of course, in common Ukrainian news practice, mass media point [at] Russian aggression (when any strange situation happens – blame the Russians); they even informed [us that it had come from a] ‘Russian server’, but on CERT-UA news about this situation there are no Russian IP addresses.”

    Illia asked: “If they have proof – why don’t they make them public?”

    The role of BlackEnergy in the reported power outages in the Ukraine has garnered worldwide attention because, if confirmed, it would be the first incident of hackers taking down a power grid. It’s worth remembering that squirrels routinely cause power outages but the Ukraine case is nonetheless interesting because it underlines concerns about the robustness of industrial control systems responsible for delivering electricity into homes across the world.

    Reply
  8. Tomi Engdahl says:

    KillDisk and BlackEnergy Are Not Just Energy Sector Threats
    http://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/

    Our new intelligence on BlackEnergy expands previous findings on the first wide-scale coordinated attack against industrial networks. Based on our research that we will further outline below, attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.

    This proves that BlackEnergy has evolved from being just an energy sector problem; now it is a threat that organizations in all sectors—public and private—should be aware of and be prepared to defend themselves from. While the motivation for the said attacks has been the subject of heavy speculation, these appear to be aimed at crippling Ukrainian public and critical infrastructure in what could only be a politically motivated strike.

    During the course of our investigation, we saw an overlap between the BlackEnergy samples used in the Ukrainian power incident and those apparently used against the Ukrainian mining company.

    Similar Malware in a Large Ukrainian Train/Railway Operator

    Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system.

    Reply
  10. Tomi Engdahl says:

    US: Sophisticated attackers hacked Ukrainian electric grid
    http://goo.gl/oYbNc3

    A U.S. investigation found that a December hack on the Ukrainian power grid was coordinated and highly sophisticated.

    The well-planned strike, which blacked out more than 225,000 people, hit three regional electronic power distribution companies within 30 minutes of each other on Dec. 23.

    An attack such as this one has long been a nightmare scenario for top U.S. officials.

    The impacted sites continue to “run under constrained operations” more than two months later. In addition, the report states that three other organizations, some involved with unspecified Ukrainian “critical infrastructure,” also appear to have been hacked — but didn’t suffer overt impacts to their operations.

    The hackers appeared to conduct “extensive reconnaissance of the victim networks,” possibly by first using malware introduced via phony “phishing” emails to snag usernames and passwords to access the facility remotely and hit their circuit breakers.

    The networks were compromised at least six months before the outage, by sending emails that included the downloader for the virus BlackEnergy to company employees whose emails were found publicly online.

    At the end of the attack, hackers wiped targeted files on some of the systems at the three electrical companies using malware called “KillDisk,” which also rendered the system inoperable.

    The hackers also did their best to interfere with power-restoration efforts. For instance, they aimed to keep important servers inoperative by remotely disconnecting their “uninterruptable power supplies,”

    Reply
  11. Tomi Engdahl says:

    BlackEnergy malware activity spiked in runup to Ukraine power grid takedown
    But its role in the attack remains unclear
    http://www.theregister.co.uk/2016/03/04/ukraine_blackenergy_confirmation/

    Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine’s power grid in December 2015.

    A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online.

    Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23.

    “In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine,” Flom notes.

    BlackEnergy has evolved from a “relatively simple” distributed denial-of-service attack tool of early 2007 to a highly capable blob of malware over the last eight years, according to Flom.

    The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine – which affected 225,000 customers – was caused by outside attackers.

    Representatives of the US Department of Homeland Security (DHS), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack.

    “The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

    All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable.”

    Malware ‘clearly’ behind Ukraine power outage, SANS utility expert says
    Mounting evidence attacks are handiwork of elite Russian hacker team.
    http://www.theregister.co.uk/2016/01/15/malware_clearly_behind_ukraine_power_outage_sans_utility_expert_says/

    Reply
  12. Tomi Engdahl says:

    Kim Zetter / Wired:
    Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid — It was 3:30 p.m. last December 23, and residents of the Ivano-Frankivsk region of Western Ukraine were preparing to end their workday and head home through the cold winter streets. Inside the Prykarpattyaoblenergo control center …

    Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid
    http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

    A Brilliant Plan

    The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.

    “It was brilliant,” says Robert M. Lee, who assisted in the investigation. Lee is a former cyber warfare operations officer for the US Air Force and is co-founder of Dragos Security, a critical infrastructure security company. “In terms of sophistication, most people always [focus on the] malware [that’s used in an attack],” he says. “To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was highly sophisticated.”

    Ukraine was quick to point the finger at Russia for the assault. Lee shies away from attributing it to any actor but says there are clear delineations between the various phases of the operation that suggest different levels of actors worked on different parts of the assault. This raises the possibility that the attack might have involved collaboration between completely different parties—possibly cybercriminals and nation-state actors.

    “This had to be a well-funded, well-trained team. … [B]ut it didn’t have to be a nation-state,”

    Regardless, the successful assault holds many lessons for power generation plants and distribution centers here in the US, experts say; the control systems in Ukraine were surprisingly more secure than some in the US, since they were well-segmented from the control center business networks with robust firewalls. But in the end they still weren’t secure enough—workers logging remotely into the SCADA network, the Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.

    Reply
  13. Tomi Engdahl says:

    Tips for secure remote access
    http://www.controleng.com/single-article/tips-for-secure-remote-access/1d404fa1ead37df62bc7067439d9fafc.html?OCVALIDATE&ocid=101781

    Remote access will become an even more vital element as the industry becomes more open and connected and secure communications can be a constant if the right steps are taken.

    As the industry continues its expansion into a more open and connected environment, remote access will become an even more vital element, but with the right strategies in place, secure communications should not be an issue.

    “There is no doubt control systems have evolved,” said Marco Ayala, senior industrial cybersecurity project manager at aeSolutions, during his presentation at the Siemens 2016 Automation Summit in Las Vegas. “We look at cyber as a huge piece of information. Workers need to ensure security is top of mind at all times. Are you monitoring? Are you logging? Are we saying information technology (IT) has it? Are we saying operational technology (OT) has it?”

    Ayala pointed at the attack on the Ukrainian power grid this past December as a perfect case in point about remote security.

    On December 23, 2015, power went out for a high number of customers (reports range from 80,000 customers to 700,000 homes) in the Western region of the Ukraine served by regional power distribution companies. These companies end up supplied by thermal power generation stations (the Ukraine also has a large amount of power generated from nuclear facilities, though not in this region).

    Attack details

    Here are components of the Ukrainian power grid attack:

    BlackEnergy (also known as DarkEnergy) is malware that has existed since 2008 and its modular components have morphed over time. In this incident, the third variant of BlackEnergy is a key vector that provided the attackers with access to the utilities’ computer networks and the ability to remotely communicate with them. This compromise and the resulting remote communications were probably not within the industrial control system (ICS) networks.

    One BlackEnergy component, known as KillDisk, has a wiping functionality that may have denied the use of the supervisory control and data acquisition (SCADA) system, delayed restoration and covered the perpetrators’ tracks. The actual hosts affected by KillDisk have yet to be disclosed.

    In addition, an attack on phone systems, possibly a denial of service (DoS) attack, prevented the utilities from receiving calls from customers reporting outages.

    Also, the electricity went out and was restored the same day by field staff manually reclosing breakers at affected substations.

    “Attackers were on the system months before the attack,” Ayala said. “They took advantage of the SCADA systems and social engineering. (The utility) also failed to put in two-factor authentication on virtual private networks.”

    Reply
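The remote-access tips above (monitor, log, require two-factor authentication on VPNs) and the ICS-CERT finding quoted in comment 11 (breakers operated remotely over VPN with stolen legitimate credentials, several sites within 30 minutes) suggest a concrete detection that a utility SOC can run over its own logs. The following is an added example, not code from the article, from Control Engineering or from any vendor named here; the log format, field names, user names and substation identifiers are constructed assumptions. It correlates VPN authentication events with SCADA client actions and flags three things: a VPN login without a second factor, breaker control issued from a session that entered via VPN rather than a control-room console, and a burst of breaker-open commands across several substations inside a short window.

```python
"""Correlate remote-access logins with ICS control actions (added example).

Assumed log format (constructed for this example, not a real product's):
    <ISO-8601 time> <source> key=value key=value ...
where <source> is 'vpn' for the VPN concentrator and 'scada' for the
SCADA/HMI client audit log. Detection rules implemented:
  vpn_no_mfa             - VPN session authenticated without a second factor
  remote_breaker_control - open/close breaker issued from a VPN-originated session
  breaker_burst          - N+ breaker-open commands on distinct substations in a window
"""
from datetime import datetime, timedelta

# Constructed sample log lines; users, addresses and substation names are invented.
SAMPLE_LOG = """\
2015-12-23T14:55:10 vpn user=op_ivanov mfa=no src=203.0.113.7 session=s1
2015-12-23T14:58:02 vpn user=op_petrenko mfa=yes src=198.51.100.9 session=s2
2015-12-23T15:31:44 scada user=op_ivanov session=s1 action=open_breaker substation=SS-07
2015-12-23T15:32:10 scada user=op_ivanov session=s1 action=open_breaker substation=SS-12
2015-12-23T15:33:05 scada user=op_ivanov session=s1 action=open_breaker substation=SS-19
2015-12-23T15:40:00 scada user=op_petrenko session=s2 action=read_status substation=SS-02
2015-12-23T16:05:00 scada user=console_a session=local action=close_breaker substation=SS-07
"""

CONTROL_ACTIONS = {"open_breaker", "close_breaker"}


def parse_line(line):
    """Parse one log line into a dict; blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    parts = line.split()
    event = {"time": datetime.fromisoformat(parts[0]), "source": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def analyze(log_text, burst_window=timedelta(minutes=30), burst_threshold=3):
    """Return a list of findings (dicts with a 'rule' key) for the given log text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []

    # Rule 1: remember every VPN session and flag those that skipped MFA.
    vpn_sessions = {}
    for e in events:
        if e["source"] == "vpn":
            vpn_sessions[e["session"]] = e
            if e.get("mfa") != "yes":
                findings.append({"rule": "vpn_no_mfa", "user": e["user"],
                                 "session": e["session"], "time": e["time"]})

    # Rule 2: breaker control from a session that entered through the VPN.
    opens = []
    for e in events:
        if e["source"] != "scada" or e.get("action") not in CONTROL_ACTIONS:
            continue
        if e.get("session") in vpn_sessions:
            findings.append({"rule": "remote_breaker_control", "user": e["user"],
                             "session": e["session"], "substation": e["substation"],
                             "time": e["time"]})
        if e["action"] == "open_breaker":
            opens.append(e)

    # Rule 3: sliding window over breaker-open commands; report the first burst
    # that touches at least burst_threshold distinct substations.
    opens.sort(key=lambda e: e["time"])
    for i, first in enumerate(opens):
        window = [e for e in opens[i:] if e["time"] - first["time"] <= burst_window]
        substations = {e["substation"] for e in window}
        if len(substations) >= burst_threshold:
            findings.append({"rule": "breaker_burst", "start": first["time"],
                             "substations": sorted(substations)})
            break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The rules are deliberately simple joins on a session identifier; in a real deployment the VPN and SCADA audit logs rarely share one, so the join key becomes user plus source address plus time proximity, and the burst threshold is tuned to how many substations a single dispatcher legitimately operates in a shift. A legitimate field crew reclosing breakers from the local console (the `session=local` line) is intentionally not flagged by rule 2.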
  14. Tomi Engdahl says:

    Ukraine Power Grid Attacks Part of a 2-Year Campaign
    http://www.securityweek.com/ukraine-power-grid-attacks-part-2-year-campaign

    The December 2015 cyberattacks on Ukraine’s power grid were part of a long, multi-pronged campaign that targeted several of the country’s sectors, according to a new report from Booz Allen Hamilton.

    Attackers believed to be operating out of Russia used a combination of social engineering and malware to breach SCADA systems and disrupt power for roughly 230,000 Ukrainians.

    The two main pieces of malware used in this attack were the remote access Trojan known as BlackEnergy and KillDisk, a plugin designed to destroy files and make systems inoperable. However, researchers believe the attackers cut off the power supply by directly interacting with the system – KillDisk’s role was to make recovery more difficult.

    Researchers believe the attack on Ukraine’s energy sector started in May 2014 as part of a long-running campaign that involved several types of tools and at least 11 attacks aimed at the electricity, railway, media, mining and government sectors. The attacks against mining and railway systems were brought to light in February by security firm Trend Micro.

    According to Booz Allen Hamilton, the campaign started with spear-phishing emails sent in May 2014 to employees of the Prykarpattya electric utility, which was successfully targeted in the December 2015 attack.

    In August 2014, phishing emails carrying PowerPoint files designed to exploit a zero-day vulnerability in order to deliver BlackEnergy malware were sent to five Ukrainian regional governments and the state archive of Chernivtsi, another one of the regions targeted in the December 2015 power grid attack.

    The attacks targeting Ukraine’s energy sector continued even after December 2015. In mid-January, roughly 100 organizations, including many energy firms, received emails set up to deliver a Trojan dubbed “GCat.”

    Reply
  15. Tomi Engdahl says:

    This is happening again?

    Ukraine Power Outage Possibly Caused by Cyberattack
    http://www.securityweek.com/ukraine-power-outage-possibly-caused-cyberattack

    A cyberattack may have caused the power outage that occurred in Ukraine late on Saturday, according to the country’s national energy company Ukrenergo.

    In a statement published on its website on Sunday, Ukrenergo said the outage occurred on Saturday, near midnight, at the North (Petrivtsi) substation, causing blackouts in the capital city of Kiev and the Kiev region.

    Ukrenergo Acting Director Vsevolod Kovalchuk said workers switched to manual mode and started restoring power after 30 minutes. Power was fully restored after just over an hour, Kovalchuk said.

    The statement published by Ukrenergo names equipment malfunction and hacking as the possible causes. However, in a message posted on Facebook, Kovalchuk said the main suspect was “external interference through the data network.” The organization’s cybersecurity experts are investigating the incident.

    Roughly one year ago, the Ukrainian security service SBU accused Russia of causing outages with the aid of malware planted on the networks of several regional energy companies.

    In the 2015 attacks, power companies restored service within 3-6 hours by switching to manual mode, just like in the latest incident.

    Reply
  16. Tomi Engdahl says:

    Hackers Suspected of Causing Second Power Outage in Ukraine
    Tuesday, December 20, 2016 Swati Khandelwal
    http://thehackernews.com/2016/12/power-outage-ukraine.html

    The same group of hackers that caused the power outage across several regions in Ukraine last Christmas holidays might have once again shut down power supply in northern Ukraine during the weekend.

    According to Ukrainian energy provider Ukrenergo, a cyber attack on Kyiv’s power grid may have caused the power outages in the country on Saturday, December 17, near midnight.

    The blackout affected the northern part of Kiev, the country’s capital, and surrounding areas, Ukrenergo Director Vsevolod Kovalchuk explained in a post on Facebook.

    Shortly after the incident, Ukrenergo engineers switched to manual mode and started restoring power in approximately 30 minutes in an effort to deal with the cyber attack. Power was fully restored after just an hour and fifteen minutes of the blackout.

    The 2015 energy blackouts were caused with the help of a malware attack, known as BlackEnergy, which was distributed through boobytrapped Word documents and tricked recipients into enabling macros to activate the malicious payload.

    Last year, the Ukraine’s state security service SBU blamed Russia for causing outages by planting malware on the networks of several regional energy companies.

    Reply
  17. Tomi Engdahl says:

    Hackers Suspected of Causing Second Power Outage in Ukraine
    https://the-hacker-news-2016.blogspot.fi/2016/12/hackers-suspected-of-causing-second.html

    The same group of hackers that caused the power outage across several regions in Ukraine last Christmas holidays might have once again shut down power supply in northern Ukraine during the weekend.

    According to Ukrainian energy provider Ukrenergo, a cyber attack on Kyiv’s power grid may have caused the power outages in the country on Saturday, December 17, near midnight.

    The blackout affected the northern part of Kiev, the country’s capital, and surrounding areas, Ukrenergo Director Vsevolod Kovalchuk explained in a post on Facebook.

    Reply
  18. Tomi Engdahl says:

    Cyberattack suspected in Ukraine power outage
    Ukraine’s national power company investigates whether hacking caused blackout in Kiev
    http://www.pcworld.com/article/3152010/security/cyberattack-suspected-in-ukraine-power-outage.html

    Security experts are investigating whether a power outage that affected parts of the Ukrainian capital, Kiev, and the surrounding region this weekend was the result of a cyberattack. If confirmed, it would be the second blackout caused by hackers in Ukraine.

    The incident affected the automation control systems at the northern power substation near Novi Petrivtsi, a village near Kiev, close to midnight between Saturday and Sunday. This resulted in complete power loss for the northern part of Kiev on the right bank of the Dnieper river and the surrounding region.

    One suspected cause is “external interference through the data network,” Kovalchuk said. The company’s cybersecurity experts are investigating and will release a report.

    If the hacking is confirmed, this would be the second time that power has been disrupted in Ukraine because of a cyberattack.

    Reply
  19. Tomi Engdahl says:

    Hackers suspected of causing power outage in Ukraine
    https://hotforsecurity.bitdefender.com/blog/hackers-suspected-of-causing-power-outage-in-ukraine-17419.html

    This weekend houses and businesses in parts in the northern part of Kiev were plunged into darkness after the electricity supply was unexpectedly cut off.

    Authorities are investigating whether the unexpected power outage in Ukraine’s capital could be the latest in a series of hacking attacks which have struck the country’s electric grid and financial infrastructure in the last year.

    The impacted energy company, Kyivenergo, confirmed that the power outage was unplanned and that it had taken action to restore electricity to its customers. Indeed, it sounds like Kyivenergo did a good job – recovering from the power blackout and restoring energy to households and companies in little more than an hour after the incident.

    Hackers Suspected of Causing Second Power Outage in Ukraine
    https://checkthescience.com/news/1903567-hackers-suspected-causing-second-power-outage-ukraine

    The same group of hackers that caused the power outage across several regions in Ukraine last Christmas holidays might have once again shut down power supply in northern Ukraine during the weekend. According to Ukrainian energy provider Ukrenergo, a cyber attack on Kyiv’s power grid may have caused the power outages in the country on Saturday, December 17, near midnight. The blackout …

    Reply
  20. Tomi Engdahl says:

    Russian hacks into Ukraine power grids a sign of things to come for U.S.?
    http://www.cbsnews.com/news/russian-hacks-into-ukraine-power-grids-may-be-a-sign-of-things-to-come/

    Russian hacking to influence the election has dominated the news. But CBS News has also noticed a hacking attack that could be a future means to the U.S. Last weekend, parts of the Ukrainian capitol Kiev went dark. It appears Russia has figured out how to crash a power grid with a click.

    Vasyl Pemchuk is the electric control center manager, and said that when hackers took over their computers, all his workers could do was film it with their cell phones.

    “It was illogical and chaotic,” he said. “It seemed like something in a Hollywood movie.”

    The hackers sent emails with infected attachments to power company employees, stealing their login credentials and then taking control of the grid’s systems to cut the circuit breakers at nearly 60 substations.

    The suspected motive for the attack is the war in eastern Ukraine.

    But hackers could launch a similar attack in the U.S.

    “We can’t just look at the Ukraine attack and go ‘oh we’re safe against that attack,’”

    The malicious software the hackers used has already been detected in the U.S.

    In Ukraine, they restarted the power in just hours. But an attack in the U.S. could leave people without electricity for days, or even weeks, according to experts. Because, ironically, America’s advanced, automated grid would be much harder to fix.

    “Even if we just lose a portion, right? If we have New York City or Washington D.C. go down for a day, two days, a week, what does life look like at that point?”

    Reply
  21. Tomi Engdahl says:

    Russian hackers reportedly attack Ukrainian weapons, power grid
    Power goes out while howitzers are hijacked.
    https://www.engadget.com/2016/12/22/russian-hackers-reportedly-attack-ukrainian-weapons-power-grid/

    As the conflict in Eastern Ukraine escalates, two separate reports point to Russian hackers disrupting the power grid and weapons in the war-torn country. Outside of Kiev, between 100,000 and 200,000 people were plunged into darkness when portions of the Ukrenergo power company were knocked offline on December 18. The electricity was quickly restored but the situation has raised concerns of infrastructure hacking.

    The director of the power company, Vsevolod Kovalchuk, told Defense One that he is 99 percent sure a deliberate attack caused the outage. The event is similar to another blackout last year that was reportedly pulled off by Russian hackers, Sandworm. So far there’s no direct connection between the hackers and the Russian military.

    Meanwhile it looks like an app built to help quickly target the D-30 howitzers used by the Ukrainian military was hijacked with malware that could have potentially shared the location of those large guns with Russia.

    CROWDSTRIKE GLOBAL INTELLIGENCE TEAM
    Copyright 2016
    USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS
    https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf

    Reply
  22. Tomi Engdahl says:

    ‘Industroyer’ ICS Malware Linked to Ukraine Power Grid Attack
    http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack

    Researchers have conducted a detailed analysis of a piece of malware that appears to have been specially designed for cyberattacks targeting power grids. The malware is believed to have been used in the December 2016 attack aimed at an electrical substation in Ukraine.

    The malware was discovered by ESET, which has dubbed it Industroyer. The company has also shared some data with ICS cybersecurity company Dragos, which tracks it as CRASHOVERRIDE and the threat actor that uses it as ELECTRUM.

    Links to Ukraine power grid attacks

    Malware designed to specifically target industrial control systems (ICS) is rare – Industroyer is only the fourth such threat known to the cybersecurity community. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities, BlackEnergy, used in the December 2015 Ukraine power grid attacks, and Havex, used mainly against organizations in Europe.

    While they could not confirm that Industroyer/CRASHOVERRIDE was the direct cause of the 2016 power outages in Ukraine’s Kiev region, which are believed by many to be the work of Russia, both ESET and Dragos – based on compilation dates and other data – are fairly confident that this is the malware used in the attack.

    Dragos believes the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET pointed out that while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.

    Industroyer has been described as a sophisticated modular malware that has several components: a backdoor, a launcher, a data wiper, various tools, and at least four payloads. These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.

    Reply
  23. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Experts warn that repeated cyberattacks on Ukraine, including mass power outages in Kiev, are evidence of Russia testing its offensive cyber capabilities

    How An Entire Nation Became Russia’s Test Lab for Cyberwar
    https://www.wired.com/story/russian-hackers-attack-ukraine

    Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside—close to zero degrees Fahrenheit—the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.

    That’s when another paranoid thought began to work its way through his mind: For the past 14 months, Yasinsky had found himself at the center of an enveloping crisis. A growing roster of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it. Now he couldn’t suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet’s ether, into his home.

    The Cyber-Cassandras said this would happen. For decades they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world. In 2009, when the NSA’s Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges until they destroyed themselves, it seemed to offer a preview of this new era. “This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”

    Now, in Ukraine, the quintessential cyberwar scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality.

    And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber­assault unlike any the world has ever seen.

    Reply
  24. Tomi Engdahl says:

    Watch Hackers Take Over the Mouse of a Power-Grid Computer
    https://www.wired.com/story/video-hackers-take-over-power-grid-computer-mouse

    The best work of hackers tends to remain invisible. But when sophisticated intruders broke into the computer networks of regional energy firms in Ukraine in 2015 and cut power to roughly a quarter million people, their tampering didn’t go unnoticed. In this rare instance, the staff of one of those electric utilities managed to capture the hackers’ handiwork on video, which you can watch

    Two days before Christmas in 2015, engineers at the Prykarpattyaoblenergo regional energy company in Western Ukraine found themselves locked out of their PCs. More troubling still, their mouse cursors moved of their own accord. The workers watched as hackers methodically clicked on circuit breakers in their grid operation software, each time opening the breakers and cutting power to another swath of the region.

    In the process of reporting our cover story on those blackouts— and the larger cyberwar affecting Ukraine—WIRED obtained a video that one of those engineers shot with his iPhone, recording a “phantom mouse” attack as it happened.

    In WIRED’s investigation of that breach and another blackout that occurred in Ukraine a year later, we’ve tracked the evolution of those hackers: how they’ve graduated to using a digital weapon known as CrashOverride that can trigger Stuxnet-style automated attacks on infrastructure.

    Reply
  25. Tomi Engdahl says:

    ‘Crash Override’: The Malware That Took Down a Power Grid
    https://www.wired.com/story/crash-override-malware/

    At midnight, a week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour—hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have only been a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild.

    Cybersecurity firms ESET and Dragos Inc. plan today to release detailed analyses of a piece of malware used to attack the Ukrainian electric utility Ukrenergo.

    CRASHOVERRIDE
    https://dragos.com/blog/crashoverride/

    Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015.

    Reply
  26. Tomi Engdahl says:

    Industroyer: Biggest threat to industrial control systems since Stuxnet
    https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

    The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.

    Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.

    Figure 1: Scheme of Industroyer operation

    Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).

    The recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented cyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on December 23rd, 2015.

    In 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with KillDisk and other malicious components, and then abused legitimate remote access software to control operators’ workstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent similarities in code between BlackEnergy and Industroyer.

    What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.

    Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).

    Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.

    Reply
  27. Tomi Engdahl says:

    How An Entire Nation Became Russia’s Test Lab for Cyberwar
    https://www.wired.com/story/russian-hackers-attack-ukraine/

    Reply
  28. Tomi Engdahl says:

    Report Released on Malware Designed to Attack Electric Grids
    http://www.tdworld.com/grid-security/report-released-malware-designed-attack-electric-grids?NL=TDW-01&Issue=TDW-01_20170614_TDW-01_465&sfvc4enews=42&cl=article_2_b&utm_rid=CPG04000001994923&utm_campaign=14476&utm_medium=email&elq2=6f834e846d264b98ad4269ae9061b116

    Researchers have discovered the malware capability used in the Dec. 17, 2016, cyber-attack on a Ukraine transmission substation that resulted in power outages in Kiev. ESET, a Slovakian anti-virus software maker, and Dragos Inc, a U.S. critical-infrastructure security firm, released an industry report to inform the electric sector and security community of the potential implications of the malware.

    The two firms said they did not know who was behind the cyber attack. Ukraine has blamed Russia, though officials in Moscow have repeatedly denied blame, according to a Reuters report. Still, the firms warned that there could be more attacks using the same approach, either by the group that built the malware or copycats who modify the malicious software.

    “There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites,” said Robert M. Lee in a Dragos blog.

    CRASHOVERRIDE
    https://dragos.com/blog/crashoverride/

    Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015.

    The purpose of this blog is to introduce some high-level items for everyone to be aware of (especially those that do not have time to read the full report).

    The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the ability to disrupt operations, but the public must understand that the outages could be in hours or days not in weeks or months. The electric grid operators train regularly to restore power for similar sized events such as weather storms. The first thank you that needs publicly stated is to those men and women responsible for having put the electric grid into a defensible situation through their dedication to reliability and safety of electric power.

    The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing their report on June 12th on a piece of malware they identify as “Industroyer.” The request was to validate findings to reporters they were speaking to because Dragos has subject matter experts focused on ICS security.

    Dragos was able to confirm much of ESET’s analysis and leveraged the digital hashes to find other undisclosed samples and connections to a group we are tracking internally as ELECTRUM. Because of the new functionality, connections to the threat group, numerous references to crash.dll in the malware, and our analysis that this is not industry-wide focused but specific to electric grid operations, the team named this malware CRASHOVERRIDE.

    The CRASHOVERRIDE malware is a framework that has modules specific to ICS protocol stacks including IEC 101, IEC 104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads such as DNP3 but at this time no such payloads have been confirmed. The malware also contains additional non-ICS specific modules such as a wiper to delete files and processes off of the running system for a destructive attack to operations technology gear (not physical destruction of grid equipment).

    The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them. This is what causes the impact of de-energizing the substations. Grid operators could go back to manual operations to alleviate this issue.

    The CRASHOVERRIDE malware appears to have not used all of its functionality and modules, and it appears the Kiev transmission substation targeted in 2016 may have been more of a proof of concept attack than a full demonstration of the capability in CRASHOVERRIDE.

    CRASHOVERRIDE’s wiper searches for specific ABB files to delete off of a system; however, there are no vulnerabilities in ABB that this malware takes advantage of.

    ESET’s report cites a Siemens SIPROTEC denial of service based on a publicly disclosed 2015 vulnerability. However, we cannot confirm the existence of this module.

    There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the ELECTRUM actors could use CRASHOVERRIDE to do more than a few days of outages, and even to get a few days, would require the targeting of multiple sites simultaneously which is entirely possible but not trivial.

    Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators of compromise are available, but the most important thing for security teams to watch for is malicious behaviors and set patterns associated with the ICS communications.

    Reply
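    A detector for the behaviour the Dragos excerpt above describes (open commands re-sent to RTUs over IEC 104 to hold breakers open, and the advice to watch ICS communications for set patterns rather than only indicators), written as an added example that is not part of the original comment or of the Dragos or ESET reports. It assumes IEC 60870-5-104 single/double command ASDUs (type IDs 45 and 46), a hand-constructed sample capture, an assumed allowlist of master station addresses and assumed alert thresholds.

```python
"""Flag repeated breaker-open commands in IEC 60870-5-104 traffic.

Added example, not code from Dragos, ESET or the page author. The frames
are constructed by hand to mimic the pattern described above (control
commands re-sent to RTUs to hold breakers open); nothing here comes from
a real capture. The master allowlist and thresholds are assumptions.
"""
from collections import defaultdict, deque

C_SC_NA_1 = 45        # single command (SCO element)
C_DC_NA_1 = 46        # double command (DCO element)
COT_ACTIVATION = 6    # cause of transmission: activation


def parse_apdu(data: bytes):
    """Return the command in an I-format APDU carrying type 45/46, else None."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:            # S-format (..01) / U-format (..11): no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 10:            # type, vsq, cot(2), ca(2), ioa(3), element
        return None
    type_id = asdu[0]
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None
    cot = asdu[2] & 0x3F          # low six bits = cause, bit 6 = P/N, bit 7 = T
    ca = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    elem = asdu[9]
    if type_id == C_SC_NA_1:
        state = "ON" if elem & 0x01 else "OFF"                    # SCS bit
    else:
        state = {1: "OFF", 2: "ON"}.get(elem & 0x03, "INVALID")   # DCS bits
    return {"type": type_id, "cot": cot, "ca": ca, "ioa": ioa,
            "state": state, "select": bool(elem & 0x80)}          # S/E bit


def build_command(type_id, ioa, state, ca=1, cot=COT_ACTIVATION, seq=0):
    """Construct an I-format APDU with one command (sample data only)."""
    if type_id == C_SC_NA_1:
        elem = 0x01 if state == "ON" else 0x00
    else:
        elem = 0x02 if state == "ON" else 0x01
    asdu = bytes([type_id, 0x01, cot, 0x00, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, elem])
    ctrl = bytes([(seq << 1) & 0xFF, (seq >> 7) & 0xFF, 0x00, 0x00])
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def detect(events, allowed_masters, repeat_threshold=3, window_s=10.0):
    """events: (timestamp_s, src_ip, apdu_bytes). Returns alert strings for
    commands from hosts that are not known masters, and for an OFF (open)
    activation re-sent to the same IOA repeat_threshold times in window_s."""
    alerts = []
    recent = defaultdict(deque)      # (src, ca, ioa) -> times of OFF commands
    for ts, src, raw in events:
        cmd = parse_apdu(raw)
        if cmd is None or cmd["cot"] != COT_ACTIVATION:
            continue
        if src not in allowed_masters:
            alerts.append(f"{ts:.1f}s unexpected master {src} sent "
                          f"{cmd['state']} to CA={cmd['ca']} IOA={cmd['ioa']}")
        if cmd["state"] != "OFF":
            continue
        q = recent[(src, cmd["ca"], cmd["ioa"])]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) == repeat_threshold:   # alert once when threshold is hit
            alerts.append(f"{ts:.1f}s {src} re-sent OFF to CA={cmd['ca']} "
                          f"IOA={cmd['ioa']} {len(q)}x within {window_s:.0f}s")
    return alerts


# Constructed sample: one legitimate open from the HMI (10.0.0.5), then an
# unknown host hammering one double-point breaker object with OFF.
SAMPLE = [
    (0.0, "10.0.0.5", build_command(C_SC_NA_1, 1001, "OFF", seq=1)),
    (12.0, "10.0.0.77", build_command(C_DC_NA_1, 2002, "OFF", seq=1)),
    (12.5, "10.0.0.77", build_command(C_DC_NA_1, 2002, "OFF", seq=2)),
    (13.0, "10.0.0.77", build_command(C_DC_NA_1, 2002, "OFF", seq=3)),
    (13.5, "10.0.0.77", build_command(C_DC_NA_1, 2002, "OFF", seq=4)),
]

if __name__ == "__main__":
    for line in detect(SAMPLE, allowed_masters={"10.0.0.5"}):
        print(line)
```

    Run against the constructed sample it reports the four commands from the unknown host and one repeat alert when the third OFF to the same object lands inside the window; a real deployment would feed it decoded frames from a span port and tune the allowlist and thresholds to the site.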
