The US government has confirmed that December power outages in Ukraine were caused by a cyber-attack. The Department of Homeland Security announced the news yesterday, describing what is believed to be the first known case of hackers knocking a power grid offline.
Two days before Christmas last year, several Ukrainian power companies experienced outages. The outages affected 225,000 customers in the dead of winter, when temperatures can drop to -20C.
The investigation brought together the National Cyber-security and Communication Integration Center, U.S. CERT, Department of Energy, Federal Bureau of Investigation and the North American Electric Reliability Corporation to take a close look at the power outages.
The report compiles data from the Ukrainian government, six of the power companies that experienced outages and the investigation itself which includes interviews with individuals with first hand experiences of the power outages. However, the report states, the investigation team was not "able to independently review technical evidence of the cyber-attack".
The outages, according to the report "were caused by remote cyber intrusions at three regional electric power distribution companies." Power was restored, albeit at a constrained capacity which continues to this day.
In interviews with company personnel, the investigation team discovered that the attacks at each company were synchronised, occurring within half an hour of each other. The hackers remotely operated the power breakers by accessing existing administration tools at OS level or, through VPNs, using industrial control system client software.
The report adds that the companies interviewed thought the attackers used legitimate credentials to get in. After the damage was done, the attackers wiped information using KillDisk malware, rendering some systems useless.
While the BlackEnergy Malware was found in all the companies, the investigators have stated that they do not know if it played a role in the power outages, noting it "is important to underscore that any remote access Trojan could have been used and none of BlackEnergy's specific capabilities were reportedly leveraged."
As reported by SC earlier this year, the malware often gets into companies via spear phishing emails loaded with malicious Microsoft Office attachments.
BlackEnergy malware was found on the computer networks of not just these power companies, but a whole array of Ukrainian organisations including media outlets and mining facilities.
While some have been plain in calling the outages part of the Russian state's campaign of cyber-warfare against Ukraine, others have been hesitant to point the finger so squarely at the world power.
Tony Dyhouse, a cyber-security professional with a history in industrial control systems told SCMagazineUK.com that it's, “Important to realise that ‘Nation States' are not always in control of people undertaking actions claimed to be on their behalf. For example a team of nationalistic hackers could undertake an action against someone they think is against their nation, then claim they did it on behalf of the state.” Dyhouse added, “of course, it's also possible that a Nation State can actually create this situation so that the attack is achieved but they can deny it was instrumented by themselves but by an action group. This makes it very complex world.”
David Emm, Principal Security Researcher at Kaspersky Lab, also spoke to SC, saying, “With the majority of cyber-attacks, a hacker's motivation is driven by financial gain. But on other occasions, hackers aim to disrupt the lives of as many people as possible and successfully infiltrating a power supplier would be a perfect way to do this. One of the main problems is that organisations within an industrial and/or critical infrastructure setting generally place a much higher priority on continuity of processes than on data protection.”Emm added that “this not only makes them attractive targets for cyber-criminals, but increases their risk of becoming collateral victims of rogue malware. In fact, we estimate that up to 80% of control system security incidents are unintentional.”