Ukraine Blackout Redux: Hacking Confirmed
Russia Eyed as Likely Culprit Behind R&D for Critical Infrastructure Hacking
Two researchers have confirmed that a December 2016 blackout in Ukraine was the result of a hacking campaign that began with spear-phishing attacks carrying malware (see Ukrainian Power Grid Blackout Alert: Potential Hack Attack). Their findings increase concerns that many industrial control and supervisory control and data acquisition systems remain dangerously vulnerable to hack attacks.
Speaking at this week's S4x17 conference in Miami, security researchers Marina Krotofil and Oleksii Yasynskyi detailed their investigation into the latest hack-attack campaign targeting Ukraine, which occurred last month - from Dec. 6 to Dec. 20 - and employed both malware and distributed denial-of-service attacks, multiple news outlets have reported. The researchers also reportedly confirmed that a related hack attack led to the two-hour blackout affecting the country's national power company, Ukrenergo, on Dec. 17, 2016.
The attack marks the second time that Ukraine power generation facilities have been disrupted. The first, in December 2015, was the first known instance in which a power outage had been directly tied to a hack and resulted in temporary blackouts affecting 225,000 households in the country's capital of Kyiv (see Ukrainian Power Grid: Hacked).
Ukraine President Petro Poroshenko has blamed the attacks on Russia.
Wave of Attacks Against Ukraine
In the latest attack campaign, multiple government agencies were compromised via spear-phishing attacks launched in July 2016, leading to malware infections that remained undetected for six months, Atlanta-based Marina Krotofil, lead security researcher for Honeywell Industrial Cyber Security Lab, reportedly told the S4x17 conference (see More Phishing Attacks Target Ukraine Energy Sector).
Krotofil and fellow researcher Oleksii Yasynskyi, head of research for Ukraine-based Information Systems Security Partners, offered insights gleaned from their investigation into the attacks against Ukrenergo, as well as against the country's Ministry of Finance, Ukrainian Railways, PFTS Stock Exchange and other organizations.
The researchers declined to share full details relating to the power hack, reports Chris Sistrunk, a senior consultant at FireEye's Mandiant who focuses on cybersecurity for industrial control systems, and who also presented at the conference. But ISSP's Yasynskyi, who addressed the conference Jan. 10 via a prerecorded video, said that the 2016 attacks were similar to the 2015 attacks, except that they appeared to be much better organized, more sophisticated and run by multiple groups working closely together, Sistrunk reported.
The two attacks also differed in that the 2015 disruption affected a distribution facility - used for distributing electricity over short distances - whereas the 2016 disruption involved a transmission facility, which is used for moving electricity over long distances, Motherboard reported.
Sophisticated Critical Infrastructure Disruption
As evidence of the increased sophistication of the 2016 attack campaign, Krotofil told DarkReading that attackers employed a custom-built dropper called Hancitor to install additional attack code on infected systems, and that it had undergone 500 software builds during the two weeks before it was deployed.
Attackers also used many tools that have been seen in previous campaigns, including BlackEnergy malware as well as KillDisk disk-wiping malware, Krotofil told DarkReading, adding that some malware was customized to infect specific workstations and servers. Overall, she said, the attacks appeared in part to be used "as a training ground for R&D" for future attacks.
But David Emm, a principal security researcher at Kaspersky Lab, tells the BBC that what works against Ukrainian targets might not be easy to repurpose for targets in other countries.
"It's possible, but given that critical infrastructure facilities vary so widely - and therefore require different approaches to compromise the systems - the re-use of malware across systems is likely to be limited," he told the BBC. "On the other hand, if a system has proved to be porous in the past, it is likely to encourage further attempts."
Ukraine Blames Russia
On Dec. 29, Ukrainian President Petro Poroshenko told a meeting of his country's National Security and Defense Council that "over the past two months, about 6,500 planned cyber attacks have been detected" targeting five Ukrainian government institutions as well as 31 government websites, according to a statement released by Poroshenko's office.
"The investigation of a number of incidents indicated the complicity directly or indirectly of Russian security services waging a cyberwar against our country," Poroshenko told the NSDC, according to a statement released by his office, Reuters reported.
Poroshenko said the attacks included not just Ukraine's finance and defense ministries, but also a disruption of the treasury, which led to delays in state workers and pensioners receiving payments. "Acts of terrorism and sabotage on critical infrastructure facilities remain possible today," he reportedly added.
Grizzly Steppe Alert
Such concerns are not limited to Ukraine. On Dec. 29, the U.S. Department of Homeland Security issued an alert warning of "Russian malicious cyber activity" via an attack campaign DHS dubbed Grizzly Steppe that employs BlackEnergy and other malware (see U.S. Power Grid: The Russians are Hacking! (Or Not)).
"The report provides a detailed list of cybersecurity best practices intended primarily for IT networks - but equally applicable to OT [operational technology] networks and ICS/SCADA security," Phil Neray, vice president of cybersecurity at Boston-based ICS security firm CyberX, which has been tracking related malware and attack campaigns, says in a blog post. "These include performing ongoing vulnerability assessments, monitoring all transactions for suspicious activity, auditing firewall rules, and patching known vulnerabilities, among others."
Such advice is far from new. But as the December 2016 attack campaign against Ukraine - and the reported six-month lag between infection and detection - highlights, not all ICS/SCADA practitioners globally appear to be following those recommendations.