Ukrainian power looks all the more vulnerable as confirmations come in that a blackout last month was caused by a cyber-attack.
The blackout cut off power to parts of Kiev just before midnight on 17 December 2016 and lasted for a little more than an hour. At the time UkrEnergo, Ukraine's national power company, told customers it was unsure if this was a cyber-attack or merely equipment failure.
The government investigation is apparently not yet complete but an investigation by Information Systems Security Partners (ISSP) concluded that the blackout was the result of sabotage.
ISSP said that hackers shut down the devices which allowed the central operators to speak to substations. Once the hack was pulled off, engineers could no longer speak to the substation remotely but had to physically go to Pivnichna substation to reset it. The researchers believe that this was an experiment rather than a full-scale malicious attack.
Jonathan Sander, VP of product strategy at Lieberman Software, told SC Media UK, “the Ukrainian Power Grid has been struck again by cyber bad guys in part because it seems they are using it as a test for bigger things later and in part because the attack was so subtle that nothing could likely have stopped it. The only time the attack maybe could have been thwarted was at the very start when they stole administrative credentials.”
Attackers apparently used highly sophisticated spear-phishing emails to infiltrate not only the power grid but a variety of other targets earlier in the year.
Marina Krotofil, a Ukrainian researcher who worked on the investigation, told Motherboard that attackers, one they had gained entry, lay in wait on their target's network for long periods of time to gain legitimate credentials.
That kind of sophistication, added Sander, shows the attackers must have already gained entry: “That type of spear phishing only works when you have the intelligence from the inside to craft it just right. With the perch of a high power user, they were able to be a spy implanted at a place where everything was open to see and therefore make an attack that works too well to be stopped.”
Earlier in the month, attacks were launched on the Ukrainian Finance Ministry,Treasury, railway administration and a pension fund, causing serious damage and all following similar methods of waiting to gain legitimate credentials before springing the attack.
This particular example is a small reproduction of the BlackEnergy attacks of 2015, which occurred nearly a year ago. Whether or not these attacks originate from the same group, as Ukrainian researchers claim, is not known.
In the 2015 attack, a group now known as Sandworm, or the BlackEnergy APT, cut off power to hundreds of thousands of Ukrainians in the middle of winter. The APT group, believed to be backed by the Russian state, also went after a variety of Ukrainian organisations including banks and media organisations.
In 2015, attackers also wrote new, malicious firmware which replaced the legitimate firmware on grid's serial-to-ethernet converters in over a dozen substations. It was these converters that allowed commands to be sent from the central SCADA network to substations. When a blackout occurred, that process was disrupted and prevented legitimate operators from reopening the breakers.This may be merely symptomatic of a problem within SCADA and IoT that IT security professionals have recognised for a while. Cesare Garlati, chief security strategist at the prpl Foundation, told SC, “This re-flashing of the firmware should not be allowed to happen and hence why security, built in at the hardware level that establishes a root of trust which would not allow hackers to perform these sorts of attacks, is so important in IoT.”