U.S. Cybersecurity Super Team Reveals How Attackers Prompted Ukraine Blackouts

External malicious actors deployed a “synchronized and coordinated” cyberattack to prompt the large-scale blackout in Ukraine last December, a U.S. interagency team has confirmed.

The event on December 23, 2015— the world’s first power blackout prompted by a cyberattack—saw a swathe of unscheduled power outages afflict three regional power distribution companies (called the “Oblenergos”) and cut the lights for about 225,000 customers.

It was caused by remote cyber intrusions, the Industrial Control Systems Cyber Emergency Report Team (ICS-CERT) said in a February 25 report.

Following reports that malware was discovered on the distribution companies’ computer networks, a U.S. team comprising members from the National Cybersecurity and Communications Integration Center, ICS-CERT, the U.S. Computer Emergency Readiness Team, the Department of Energy, the Federal Bureau of Investigation, and the North American Electric Reliability Corp. flew to Ukraine to gain more insight into the event.

The ICS-CERT report notes that although power has been restored, “all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.”

How They Probably Did it

Through interviews with six Ukrainian organizations “with first-hand experience of the event,” the team pieced together that the cyberattack was “synchronized and coordinated, probably following extensive reconnaissance of the victim networks.”

The attacks at each company occurred within 30 minutes of each other and affected multiple central and regional facilities. During the attacks, several humans remotely operated the breakers using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network connections. “The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access,” the report reveals.

“All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk.”

Significantly, the attackers also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. “In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”

BlackEnergy Role Is Still Unknown

In the immediate aftermath of the attacks, security specialists had suspected intrusions were carried out using BlackEnergy malware family. However, the team’s report suggests it is not known whether the malware played a role in the attacks.

“The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”

What That Means for the Operators of Industrial Control Systems

The report underscores the importance of “information resources management best practices” as a first defense against similar attacks, including: “procurement and licensing of trusted hardware and software systems; knowing who and what is on your network through hardware and software asset management automation; on time patching of systems; and strategic technology refresh.”

Organizations should develop and exercise contingency plans that allow for the safe operation or shutdown of operational processes in the event that their ICS is breached, it says. These plans should include the assumption that the ICS is actively working counter to the safe operation of the process.

One application it recommends to detect and prevent attempted execution of malware uploaded by malicious actors is called Application Whitelisting (AWL). “The static nature of some systems, such as database servers and HMI computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments.”

It also recommends that organizations limit remote access functionality wherever possible, noting that “modems are especially insecure.” Users should implement “monitoring only” access that is enforced by data diodes, and do not rely on “read only” access enforced by software configurations or permissions, it says.

Otherwise, organizations “should isolate ICS networks from any untrusted networks, especially the Internet,” it urges. “All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation (‘data diode’). If bidirectional communication is necessary, then use a single open port over a restricted network path.”

Finally, the report warns that control system domains have many vulnerabilities that allow malicious actors with a “backdoor” to gain unauthorized access. Organizations should perform the best impact analysis and risk assessment before taking defensive measures, ICS-CERT said.

“Often, backdoors are simple shortcomings in the architecture perimeter, or embedded capabilities that are forgotten, unnoticed, or simply disregarded. Malicious actors often do not require physical access to a domain to gain access to it and will usually leverage any discovered access functionality. Modern networks, especially those in the control systems arena, often have inherent capabilities that are deployed without sufficient security analysis and can provide access to malicious actors once they are discovered. These backdoors can be accidentally created in various places on the network, but it is the network perimeter that is of greatest concern.”

Sonal Patel, associate editor (@POWERmagazine, @sonalcpatel)