Ukrainian Power Grid: HackedBlackouts Tied to Malware Attack Against Power Provider
A power blackout that recently affected about 1.4 million Ukrainians has been tied to the espionage Trojan known as BlackEnergy. The attack appears to be the first time that malware has been used to facilitate a large-scale power disruption.
See Also: Threat Intelligence - Hype or Hope?
Ukrainian news outlet TSN first reported on the Dec. 23, 2015, power outage, which it said left about half of all homes in the country's western Ivano-Frankivsk region without power for a few hours. It said that government investigators believed that the outage was tied to a "virus" that had been employed as part of a "hacker attack" that involved remote access to industrial control systems at a local energy supplier called Prykarpattyaoblenergo.
But Slovakian information security firm ESET now reports that the attacks - and potential outages - were much more widespread than originally believed. "We have discovered that the reported case was not an isolated incident and that [several] other energy companies in Ukraine were targeted by cybercriminals at the same time," ESET researchers tell Information Security Media Group, although it's not clear if energy generation at those firms was likewise disrupted.
ESET says the malware used in the attacks was the BlackEnergy Trojan, which has previously been tied to Russian attackers, and which is often used to install additional attack modules on victims' systems. After infecting these ICS systems, for example, this particular BlackEnergy variant was then designed to install wiper malware called KillDisk, which overwrites or deletes data on hard drives and can also render them unbootable. ESET has released indicators of compromise tied to the attacks, which other organizations can use to help detect and block related - or copycat - exploits.
"This is the first time we have proof and can tie malware to a particular outage," Kyle Wilhoit, a senior researcher at security firm Trend Micro, tells Reuters. "It is pretty scary."
Ukraine's state security service - SBU - has blamed Russia for the attacks, and the country's energy ministry, based in Kyiv, has set up a special commission to investigate, Reuters reports.
The BlackEnergy Trojan first appeared in 2007. While it has never been directly tied to the Russian government, security experts say that past operators appear to have been Russians, and that related botnets have been deployed "in a manner consistent with Russian doctrine" (see Russians Suspected in Ukraine Hack). U.S. officials have previously pointed to the Russian government tapping "patriotic hackers" as cyber-ancillaries for their intelligence and military operations.
Ties to Sandworm?
In 2009, meanwhile, a group of attackers dubbed the Sandworm team - because of encoded references in the malware to the fictitious desert-dwelling creature from the science fiction classic Dune - were tied to attacks that used the BlackEnergy Trojan. But it's not clear if the recent BlackEnergy attacks against Ukraine targets is the work of the same advanced persistent threat group.
"Please be aware that there is a large lack of data right now with the Ukrainian cyber attack," says security expert Robert Lee, CEO of consultancy Dragos Security and a former cyberwarfare operations officer for the U.S. Air Force, in a Jan. 5 blog post. "Links to BlackEnergy (the malware) from the identified sample on the network are fine - but need time to be analyzed. The further linking of BlackEnergy (the malware not the campaign) to the Sandworm team (the people) that used BlackEnergy is a big analytical leap. It is likely a good one - it will likely be found to be true - but it is not definitive right now."
In other words, just because an adversary is using BlackEnergy malware does not mean they are the same actors from the Sandworm campaignï¿½ Robert M. Lee (@RobertMLee) January 4, 2016
BlackEnergy has previously been tied to attacks not only against Ukraine, but also against multiple European governments including Poland, NATO, a French telecommunications provider, a Polish energy company and an American university, among many others.
The Ukrainian Computer Emergency Response Team, CERT-UA, warned in November that it had discovered KillDisk - which had never been seen before - being used in attacks, and being installed by the BlackEnergy malware. "In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections," ESET malware researcher Anton Cherepanov says in a blog post. "The report claims that a large number of video materials and various documents were destroyed as a result of the attack."
The KillDesk variant deployed against media organizations appeared to be designed for mass data deletion - it was programmed to delete 4,000 different file types, ESET says. But the version deployed against energy firms was different, in part because it only targeted 35 different types of file extensions. "As well as being able to delete system files to make the system unbootable - functionality typical for such destructive Trojans - the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems," Cherepanov says.
Attackers Target ICS
But the big change was the addition of code designed to disrupt industrial control systems, by terminating two apparently ICS-related processes and then overwriting them with random data. One of those processes is named "sec_service.exe," which appears to relate to either a piece of software called ASEM Ubiquity - used in ICS environments - or to the ELTIMA Serial to Ethernet Connector, Cherepanov says.
The attacks against the power companies likely began with spear-phishing emails, ESET says. In early December, for example, Ukrainian security firm CyS Centrum published screenshots of e-mails used in BlackEnergy campaigns, which had email addresses spoofed so that they appeared to have originated from the Ukrainian parliament, called Rada, and which were designed to trick recipients into allowing a PowerPoint macro to execute. If the user allowed the macro to proceed, then their system could become infected with BlackEnergy.
To date, however, it's not clear if the KillDisk infection led to the power outages - and whether these types of attacks and infections rate as high-level critical infrastructure threats, or more of a nuisance. "The piece of malware uncovered (the KillDisk component) had the functionality to delete files," Lee says. "It has been stated that this likely caused the power outage - this is most likely very inaccurate. Deleting files, processes, or killing Windows systems will not cause a power outage in a regional control center. Kill the Windows computers and the power keeps going."
Indeed, TSN reported in the wake of the malware attack and power outage that energy provider Prykarpattyaoblenergo had begun running its energy-generation infrastructure in "manual mode" while it cleaned infected Windows systems.
A CERT-UA team member tells Information Security Media Group that the organization is continuing to investigate the hack attacks, but that information relayed from reports such ESET's is accurate.
Neither Prykarpattyaoblenergo nor the SBU could be immediately reached for comment.