Malware 'clearly' behind Ukraine power outage, SANS utility expert says

Mounting evidence attacks are handiwork of elite Russian hacker team.


It is 'clear' the power outages experienced in the Ukraine last December were caused by a series of network-centric attacks against multiple utilities, says SANS industrial control system expert Michael J. Assante.

The former chief security officer of the North American Electric Reliability Corporation, who previously oversaw the rollout of US power utility security standards, says SANS has "high confidence" that the mass power outages in the Ukraine were thanks to malware and disrupted SCADA and phone systems.

The 23 December outage at Ukraine's Prykarpattya Oblenergo and Kyivoblenergo utilities cut power to 80,000 customers for six hours and has been blamed on Moscow by the nation's security service.

The attacks cut at least seven 110 kV and 23 35 kV substations.

It has been attributed in some circles to the BlackEnergy malware which was found attacking utilities and media organisations with the hard-drive nuking killdisk componentry.

BlackEnergy is the handiwork of the Russian-based Sandworm Team which in October 2014 was reported to have compromised industrial control systems in the US for up to three years.

There is no firm evidence the group has ties to Moscow.

"After analysing the information that has been made available by affected power companies, researchers, and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine," Assante says.

"We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a coordinated intentional attack.

"The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage."

Assante and other SANS industrial control system experts are coordinating with unspecified individuals and groups across international communities.

Security bods at US-based iSight Partners argue with further confidence that the BlackEnergy malware was used in the attack.

"... we have linked Sandworm Team to the incident principally based on BlackEnergy 3, the malware that has become their calling card," cyber espionage analyst John Hultquist says.

Symantec security engineers support the assertion, noting that BlackEnergy is purposefully designed to delete sec_service, a component of the Eltima serial to ethernet connector software useful for legacy SCADA system communications.

[Those communications can] include discrete alarms to monitor device failure, redundant backup communication for monitoring during a LAN failure and analog alarm inputs which monitor voltage, temperature, humidity and pressure," the experts write.

"Hypothetically, if an attacker knew that their target was using this software for communicating with their legacy SCADA devices, stopping the service and any communications would increase the potential for damage within their environment."

The coordinated attacks are sophisticated having not only caused the initial power outage but also worked to prevent service restoration.

It is thought to have consisted of malware, a denial of service attack against the utility's phone systems, and a missing piece of evidence thought to be direct interaction by the hackers.

Attackers are suspected of compromising the SCADA production systems, infecting workstations and servers, and attempting to hamper forensics investigations using the KillDisk wiping component.

SANS' Assante says BlackEnergy, or whichever malware may have been used in the attack, was likely a beachhead on the utility's networks through which attackers could manually disrupt power supply.

This meant system dispatchers lost visibility of the outage and customers could not call in to request information.

Assante says the utilities worked quickly to switch their services to manual mode, reclosing breakers and restoring power without automated dispatch within three to six hours. ®

Broader topics


Other stories you might like

  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022