Attacks redoubled on Ukrainian power - but who is to blame?


New cyber-attacks on Ukrainian power companies were announced yesterday by ESET, an IT security company. The Slovakia-based company said its researchers had discovered a new wave of spear-phishing attacks with the aim of opening persistent backdoors into Ukrainian infrastructure.

This particular campaign was spotted when attackers sent spear-phishing emails to addresses within several of Ukraine's critical industries, mainly targeting electrical distribution companies, recalling the recent cyber-enabled power outages this month and at the end of last year.

These emails weren't too original. Like most phishing emails, they came loaded with a malicious attachment. These particular emails contained a link to a .PNG file located on a remote server so the attackers would be notified when their trap was sprung and their malware delivered.

This particular malware, yet to be given a name, is based on an open-source backdoor, controlled by a Gmail account, making its network traffic hard to detect.

Similar, but by no means identical, attacks were carried out last year on Ukrainian media companies and the country's energy sector. Over the past several years, a piece of malware called BlackEnergy has been deployed against various critical sectors of Ukraine's infrastructure, last surfacing late in 2015.

BlackEnergy's origin was easier to track: it was not only deployed against political targets but was also traced back to a group, commonly referred to as Sandworm or Quedagh, with links to the Russian state.

Over the past few years Ukraine has found itself in a tepid war with ethnic Russian separatists in the east of the country, widely believed to be supported by Russia. 

Nor has Russia been shy about exhibiting its cyber-offensive capability to the world or its effective dominion over its historically contested western border.

In 2007, Estonia suffered a series of massive cyber-attacks with a level of sophistication apparently not then seen in the world of cyber-security. Using a salad of high-level, expensive attacks, ranging from DDoS to Ping Floods to the use of large botnets, the attackers managed to successfully carry out a wholesale assault on the websites of Estonian government departments, the Estonian parliament, banks, newspapers and more.

To no-one's surprise Russia was immediately accused of being behind the campaign, roused to overreaction over a minor diplomatic dispute, namely the moving of a Soviet era statue in the Baltic state's capital, Tallinn. The Kremlin eventually pointed to individuals within the organisation who carried it out, not claiming direct responsibility but calmly assuring the international community that such an attack is well within its capability.

That said, ESET, which discovered the most recent attacks on the Ukrainian power grid, is hesitant to point fingers eastward. The announcement stated, “Great care should be taken before accusing a specific actor, especially a nation state. We currently have no evidence that would indicate who is behind these attacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not. In any case, it is speculation at best.” It added that this may well be a false flag operation.

SCMagazineUK.com spoke to Robert Lipovsky, a senior malware researcher at ESET, who explained how ESET came to its conclusion: “For the simple reason that [we] have seen no evidence to back that assumption.”

So who else might be behind such an attack? Lipovsky said, “Surely, it's the work of an organised cyber-criminal group. We just don't know under whose incentives or orders (in both senses of the word, actually – they could've been hired or instructed to carry out the attacks) they're working.”

This kind of attack may be a sign of things to come. Lipovsky wrote in his announcement of the discovery: “[An] important aspect of this case is that the attack on the Ukrainian power sector may indicate how future complex attacks could look. Power is an Achilles heel for any organization. A serious blackout is every enemy's dream.”