Checkmate in 11 Moves: Cyber-Attack Against Ukrainian Power Utilities
Nation-E CTO, Guy Barnhart-Magen revisits the cyber-attack on Ukrainian power utilities from December 23, 2015 and explains how it could have been thwarted.
Some seven months ago (December 23 2015), three Ukrainian power distribution companies (Oblenergos) were attacked by a coordinated cyber onslaught against their installations. The attack resulted in lengthy power blackouts that lasted between 6 to 72 hours and adversely affected 225,000 civilians in the Ivano-Frankivisk region. After several official and private investigations, it appears that the attack was planned months in advance with the malicious intent of inflicting large-scale and costly damage to the utilities.
The distribution companies were able to restore only partial electrical service in the region after dispatching field technicians to manually replace approximately 50,000 remote control endpoint devices (mostly Serial-to-Ethernet devices). Reports indicate that remote control of the distribution systems are still operating in a very limited capacity. Shortly after the incident, the Ukrainian authorities claimed that the power outage was caused by a massive cyber-attack.
- An analysis of the three impacted entities indicates that the attackers gathered information on their targets during a preliminary reconnaissance stage, that may have lasted several weeks or even months.
- The attackers weaponized Microsoft Word and Excel documents by inserting BlackEnergy malware in them.
- The attackers placed the Uninterruptable Power Supplies (UPS) in a scheduled maintenance mode to prevent emergency power distribution after the attack commenced.
- The weaponized files were delivered through a spear-phishing campaign to IT and administrative personnel in the companies. Once the infected files were opened, a pop-up message was displayed, asking for permission to proceed. Following approval, the malware exploited a Windows vulnerability to self-install.
- Once the attackers got a foothold in the system, they began collecting information on the network and examined the command and control systems. Investigators opined that the attackers gained access to the main system 3 to 6 months before the actual attack was launched.
- Simultaneously, the attackers launched a secondary attack on the company call center using a Telephonic Denial of Service (TDoS) method. The purpose of this secondary attack was twofold. First, it broke the reporting chain between the field technicians and operations personnel. Secondly, it created a disconnect between the companies and the customers in order to exacerbate the confusion and uncertainty following the primary attack.
- With access to the system, the attackers managed to steal access credentials and explore the entire IT/OT environment.
- At the very end of the preparation phase, the attackers installed malware identified as KillDisk in the internal network. However, the malicious components remained dormant.
- Once the attack was launched at 15:35 on December 23 2015, the attackers took control of operator workstations, and locked them out of the system. The operators saw the attackers execute (authorized) malicious activities in real-time on control screens and were incapable of neutralizing the threat.
- The attackers hijacked the SCADA to open the circuit breakers. Immediately, more than 27 substations were disabled. Concurrently, the attackers sent a malicious firmware update to the remote control devices (Serial-to-Ethernet) to complete the communication cut-off between the substations and command center. The malicious firmware update was a crucial step in the cyber kill chain, as it guaranteed that even if workstation operability was restored, remote commands could not be delivered to the substations. This “scorched earth” strategy proves that the attack was coordinated, well-planned and devised in advance to cause wide-spread damage.
- The attackers activated the dormant KillDisk malware to wipe out control computers and amplify damage.
Hypothetical Scenario: What would have happened if Nation-E’s solution was installed in these utilities?
An examination of this case study highlights that the Ukrainian power companies did not have adequate cyber protection for their critical infrastructure. Ostensibly, if Nation-E’s solution was deployed in these installations, there would be a high probability of thwarting crucial steps in the cyber kill chain:
- With Nation-E’s solution, the attackers would have been discovered very early in the reconnaissance stage, it would have detected abnormal activity while they investigated the environment and increased their foothold in the OT network.
- The attackers would not have been able to launch the firmware attacks against serially connected devices at substations. The solution would have fully isolated the assets and broken the cyber kill chain.
- The attackers would not have been able to hijack the SCADA and open the circuit breakers. The system would have activated a two-factor authentication process to thwart the attackers.
Cyberattacks are a very serious and very real threat to our security, economy and way of life. Nation-E provides solutions that protect its clients from these attacks, ensuring the highest level of security.