Cyber attacks were responsible for plunging around half the homes in Ukraine’s Ivano-Frankivsk region into darkness for several hours on 23 December 2015, a report has confirmed.
The attacks are considered to be the first known examples of cyber attacks being directly responsible for power outages, according to the report by the industrial control systems (ICS) team of the Sans Institute.
“We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a co-ordinated intentional attack,” wrote Michael Assante, Sans ICS director.
Analysis by the ICS team reveals that the attackers demonstrated planning, co-ordination and the ability to use malware and possible direct remote access to disrupt the electricity infrastructure.
There is also evidence that the attackers were able to delay the restoration of power services by wiping the computer systems used to gather data and control power distribution.
Initial reports said the attackers were believed to have used BlackEnergy Trojan to deploy a destructive component dubbed a “KillDisk” by researchers.
This KillDisk component, researchers said, was designed to wipe specific file types and sabotage industrial control systems by overwriting executable files with random data.
Analysts now believe that the malware was just one of several components of the attack, and that the KillDisk component itself did not cause the outage.
The report said there is evidence of direct interaction by the attackers, and that the attack included denial of view to system operators and attempts to block the customer calls that would have reported the power outage.
At least one of the affected power companies is known to have experienced technical failures with its phone lines, interfering with the receipt of customers’ calls.
The report confirms that there were co-ordinated attacks against multiple regional distribution power companies, including Prykarpattyaoblenergo and Kyivoblenergo.
The attack on Kyivoblenergo alone is believed to have cut power to 80,000 homes for three to six hours as power companies switched to manual operation to restore services.
Although the timeline is still not clear, the report confirmed that attackers were able to access production control systems, infect workstations and servers with malware, damage control system hosts on those workstations and servers, and block calls to customer call centres.
BlackEnergy a key ingredient
According to the report, although a malware campaign tied to BlackEnergy and the Sandworm team has solid links to this incident, it cannot be assumed that files recovered from other portions of that campaign were at all involved in this incident.
“Analysts should be careful not to overstate current analysis of malware samples due to their link to the larger campaign as being specific to this incident. Simply put, there is still evidence that has yet to be uncovered that may refute the minutia of the specific components of the malware portion of the attack,” the Sans ICS report said.
However, although the report says there is no evidence that BlackEnergy or its KillDisk component was the direct cause of the outage, and no indication that the BlackEnergy infections in this attack relied on booby-trapped Microsoft Office documents to spread, it indicates that BlackEnergy was nevertheless a key ingredient.
“We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information. The malware also appears to have been used to wipe files in an attempt to deny the use of the Scada [control] system for the purposes of restoration to amplify the effects of the attack and possibly to delay restoration,” the report said.
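The report describes KillDisk overwriting executable files with random data and wiping files to deny use of the SCADA system during restoration. A responder triaging a control-system host after such an event wants a quick way to tell an intact executable from one whose contents have been replaced. The following is an added illustration, not code from the Sans ICS report or from any of the utilities named above: it walks a directory, picks out files with executable extensions, and flags any that have lost their PE or ELF header and whose leading bytes look uniformly random (Shannon entropy near 8 bits per byte). The directory layout, file names, the entropy threshold and the sample contents are all constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter

# Magic bytes of legitimate executable formats: PE ("MZ") on Windows, ELF on Linux.
EXEC_MAGIC = (b"MZ", b"\x7fELF")
# Extensions treated as executables during triage (assumed set, extend as needed).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".so"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: random data approaches 8.0, structured files sit well below."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_wiped(head: bytes, entropy_threshold: float = 7.5) -> bool:
    """True when an executable's header is gone and its leading bytes look uniformly random.

    A file that still carries a valid PE/ELF signature is never flagged, so packed but
    intact binaries (high entropy, valid header) do not show up as wiped.
    """
    if head.startswith(EXEC_MAGIC):
        return False
    return shannon_entropy(head[:4096]) >= entropy_threshold


def triage_directory(root: str) -> list:
    """Return the sorted paths of executables under root that appear to have been overwritten."""
    suspects = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
                continue  # KillDisk targeted specific file types; so does the triage
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # only the header region is needed for the check
            if looks_wiped(head):
                suspects.append(path)
    return sorted(suspects)


def build_sample_tree() -> str:
    """Construct a throwaway directory with sample files (constructed data, not real evidence)."""
    root = tempfile.mkdtemp(prefix="wipe_triage_")
    # An intact executable: PE signature followed by low-entropy content.
    with open(os.path.join(root, "hmi.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 2000 + b"This program cannot be run in DOS mode" * 20)
    # An "overwritten" executable: header replaced by a maximum-entropy byte pattern
    # (every byte value equally often), standing in for random filler.
    with open(os.path.join(root, "scada_io.dll"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    # A non-executable with the same random-looking content is ignored by the triage.
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    return root


def demo() -> list:
    """Run the triage over the constructed tree and return the flagged file names."""
    root = build_sample_tree()
    return [os.path.basename(p) for p in triage_directory(root)]


if __name__ == "__main__":
    print("Suspected overwritten executables:", demo())
```

Running the script on the constructed tree reports only scada_io.dll. On a real host the same two signals, a missing format header and near-maximal entropy, separate overwritten binaries from intact ones; the entropy threshold is deliberately high so that legitimately compressed or packed executables, which keep their headers, are not confused with wiped files.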
More industries could suffer cyber attacks
The report notes the “competent action” by Ukrainian utility personnel in responding to the attack and restoring their power system, but concludes that the outages in Ukraine demonstrate that a co-ordinated cyber attack consisting of multiple elements is now one of the hazards the power industry must expect.
“We need to learn and prepare ourselves to detect, respond and restore from such events in the future,” the report said.
Tim Erlin, director of security at Tripwire, said industry experts have been talking about how cyber attacks could directly affect the power grid for a long time, so it should not be a surprise that it has now occurred.
“Discussing a threat doesn’t count as mitigation. Energy companies need to invest in securing their infrastructure, from control systems to corporate IT. Investment isn’t just about buying products. It’s about people, skills and process. Purchasing the latest security device is easy compared with training security staff effectively,” he said.
Erlin notes that all malware, including BlackEnergy, requires an infection vector to get to its target.
“Attackers will almost always take the path of least resistance. Today, that means published vulnerabilities, misconfigurations and phishing scams. These are all security issues that we can address, with sufficient resources,” he said.
Erlin said it is short-sighted to think of this threat as an energy sector problem. “Any industry that relies on industrial control systems is at risk. Any industry where networked devices cause physical change in the world is a target for these kinetic cyber attacks,” he said.