Ukrainian Power Grid Blackout Alert: Potential Hack Attack
Takeaways from 2015 Hacks, as Potential New Attack Comes to Light
Reports emerging this week in Ukraine suggest that a blackout affecting the country's national power company, Ukrenergo, may have been the result of a hack attack.
Ukrenergo says blackouts occurred on Dec. 17 and affected some areas of the country's capital, Kiev.
"Hacker's attack and equipment failure are among the possible causes for the power failures," the company said in a press statement, news service UAWire reports. "Law enforcement agencies responded immediately and a thorough investigation of the causes of the accident is being carried out. The public will be informed of any progress in a timely manner."
The power provider adds that "until the end of the official investigation of the accident, management of all Ukrenergo facilities with automatic control systems has been transferred to a local level."
The news comes one year after at least three different Ukrainian energy providers lost power for up to six hours on Dec. 23, 2015, as a result of an apparent hack attack (see Ukrainian Power Grid: Hacked).
In that outage, investigators reported that both the BlackEnergy 3 cyber espionage Trojan and KillDisk disk-wiping malware were recovered from at least one of the affected power provider's systems. Experts say that a malicious, macro-enabled Excel spreadsheet, distributed via spear-phishing attacks, appears to have been used to infect targeted systems (see How to Block Ukraine-Style Hacker Attacks).
The Ukrainian security service, SBU, said that concurrent with the hack attack, "technical support numbers associated with the power authorities were allegedly flooded with calls, which may have been an effort to further overwhelm responders."
SCADA Expert: Don't Jump to Conclusions
Industrial control system expert Robert M. Lee, CEO of the critical infrastructure cybersecurity firm Dragos, says it's important to not jump to conclusions over unauthorized remote access and hacking potentially being involved in this power outage.
"No one with direct knowledge of the attack has confirmed that it is a cyber attack; only that it is the leading theory and the disconnect was unintentional," Lee says in a blog post. "If this attack turns out to be true it is unlikely it will be anything that is novel that couldn't have been detected. It's important to remember that defense is doable - now go do it."
"I find it personally troubling that we will have to cite 2015 or 2016 to clarify which attack we are talking about to the Ukraine power grid." - Robert M. Lee (@RobertMLee), December 21, 2016
For starters, "look in logs for abnormal VPN session length, increased frequency of use, and unusual connection request times," Lee says.
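As an added illustration, not code from the article or from Dragos, the three log checks Lee lists applied to a handful of constructed VPN session records; the log format, the thresholds and the business-hours baseline are assumptions made for the example.

```python
# Added example: triage VPN logs for the three signals Lee names
# (abnormal session length, increased frequency of use, unusual
# connection times). Log format, thresholds and baseline are assumed.
from collections import Counter
from datetime import datetime

# Constructed sample records: "user,login_iso_time,duration_minutes"
SAMPLE_VPN_LOG = """\
operator1,2016-12-12T08:02:00,45
operator1,2016-12-13T08:10:00,50
operator1,2016-12-14T07:55:00,40
operator1,2016-12-15T08:05:00,55
operator1,2016-12-16T08:00:00,48
operator1,2016-12-17T02:15:00,600
operator1,2016-12-17T03:40:00,20
operator1,2016-12-17T04:10:00,15
"""

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local; assumed normal window
MAX_SESSION_MIN = 240           # sessions over 4 hours are abnormal (assumed)
LOGINS_PER_DAY_LIMIT = 2        # more logins than this per user-day (assumed)


def parse_log(text):
    """Parse CSV-style lines into (user, datetime, duration_minutes)."""
    records = []
    for line in text.strip().splitlines():
        user, ts, minutes = line.split(",")
        records.append((user, datetime.fromisoformat(ts), int(minutes)))
    return records


def find_anomalies(records):
    """Return sorted (user, date, reason) findings, one per user-day-reason."""
    findings = set()
    per_day = Counter((u, t.date()) for u, t, _ in records)
    for user, when, minutes in records:
        if minutes > MAX_SESSION_MIN:
            findings.add((user, when.date(), "abnormal session length"))
        if when.hour not in BUSINESS_HOURS:
            findings.add((user, when.date(), "unusual connection time"))
        if per_day[(user, when.date())] > LOGINS_PER_DAY_LIMIT:
            findings.add((user, when.date(), "increased frequency of use"))
    return sorted(findings)


def triage(text=SAMPLE_VPN_LOG):
    """Run all three checks over a log text and return the findings."""
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for user, day, reason in triage():
        print(f"{day} {user}: {reason}")
```

In the sample data only Dec. 17 trips all three checks; the earlier weekday logins establish the baseline and produce no findings.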
Tim Conway, the SANS Institute technical director for ICS and SCADA programs, this week also published best practices for "investigating unexplained field operations [if] you have reason to believe it was possibly caused by a targeted cyber-attack."
2015 Ukraine Grid Attack: Lessons Learned
Slovakia-based security firm ESET was one of the organizations that investigated the 2015 Ukraine power provider attacks and shared information with the Ukrainian government. Subsequently, the company says it was approached by a large U.S. power plant operator and various computer emergency response teams, seeking mitigation steps for related attacks, including defenses against BlackEnergy and KillDisk malware.
"But the mitigation steps are already out there," ESET senior malware researcher Robert Lipovsky tells Information Security Media Group. "It's all the common cybersecurity advice: keep your software up to date, patched, train your employees, raise awareness to be able to withstand social engineering, and many - or some - companies are doing that, but they're usually doing that once, when an employee joins, but they're not continuing it."
In the case of the 2015 Ukraine power-provider hacks, attackers had been preparing for months, harvesting power plant operators' credentials, before they launched a "very well-coordinated attack" that infected targeted systems with malware, including a backdoored SSH server that gave them persistent access to infected servers, he says.
"It was the combination of a determined attacker - the very definition of the 'P' in APT, these guys were very persistent - and vulnerable employees," he says. "And from a technical perspective, that was very vulnerable as well." He says systems running Windows XP were widespread, not all workstations were running anti-virus software, lots of systems and software hadn't been patched and critical systems were also remotely accessible, poorly defended and ran on networks that weren't segmented.
Thankfully, however, the Ukrainian power providers had the ability to manually override affected equipment, which allowed them to restore power. That was despite the attackers' apparent use of KillDisk malware, which can "delete Windows logs, destroy files, make the system unbootable by deleting system files, but also kill SCADA [supervisory control and data acquisition] components and then destroy them," Lipovsky says. "The effect of this was that it was much more difficult for the operators to turn the power back on to basically recover from these attacks."
On the Trail of Sandworm, BlackEnergy
Numerous security firms report that BlackEnergy has often been used by an advanced persistent threat group variously known as APT28, Fancy Bear, Pawn Storm, Sandworm, Sednit and Sofacy, which is allegedly linked with Russia's military intelligence group, the GRU. The APT group has been tied to numerous online attack campaigns since 2004, which have included targeting Eastern European politicians - including Ukrainian leaders - as well as NATO officials, Western government agencies, critical infrastructure providers and Russian political dissidents, according to ESET.
More recently, the group has been tied to attacks against the U.S. Democratic National Committee - and potentially also the Republican National Committee - as well as against the German Parliament, French TV network TV5Monde, the World Anti-Doping Agency and Ukrainian artillery forces.
Alexis Dorais-Joncas, security intelligence team lead for ESET, tells ISMG that the group has employed tens of thousands of custom-built malware modules since 2006 and exploited at least three zero-day vulnerabilities, including ones leaked following the hack of surveillance software vendor Hacking Team.
The group's flagship malware includes two advanced and modular backdoors, X-Agent and Sedreco. The former has been seen in the wild in Windows, Mac OS X, Apple iOS and Android versions. KillDisk, meanwhile, is still being used in the wild by a group that ESET dubs TeleBots, so named for a backdoor that appeared in the second half of this year. The security firm says it believes the BlackEnergy group has evolved into TeleBots.
Dorais-Joncas says that various mistakes made by attackers associated with BlackEnergy have enabled them to study many of the group's attack tools and techniques. For example, researchers have recovered the full source code of various pieces of attack code, including malware and command-and-control infrastructure code. In another case, the group accidentally set one of its Bitly accounts to be public, allowing researchers to study how the group was using the service to shorten links in emails that it sent to spear-phishing targets. ESET says the links "contained the email address and the name of the target," which was used in the email to populate a fake Gmail login screen that led to Sednit attack infrastructure.
Fancy Bear Attribution: Difficult
But Dorais-Joncas says it's not clear who all may be using the malware or attack infrastructure, and whether they might be a government-run team, independent operators - who perform attacks to order for a variety of clients - or something else.
In short, just because related malware gets used doesn't mean that Fancy Bear is behind the attacks against Ukrainian power providers, or anyone else. "I'm always a little skeptical when such blunt attribution is made without hard evidence," he says.