On December 23, the entire Ivano-Frankivsk region in Ukraine suffered a major power outage. According to security experts and the Ukrainian Government, the attackers used a destructive variant of the popular BlackEnergy malware.
Investigations are now revealing new aspects of the attack. It appears that the attackers took advantage of BlackEnergy: an article published by SANS explains that the malware allowed them to gain a foothold on the power company's systems, from which they were able to open circuit breakers and cut the power. The still unknown attackers also used a wiper utility called KillDisk, and launched a denial-of-service attack against the company's phone lines to stop personnel from receiving customer reports of outages.
“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.” wrote Michael J. Assante, SANS ICS Director.
Below are the cyber attack milestones reported by SANS:
It is important to note that there is no evidence that KillDisk was the sole cause of the power outage, which affected 80,000 customers.
“There have been two prominent theories in the community and speculation to the media that either the ‘KillDisk’ component was just inside the network and unrelated to the power outage (a reliability issue where malware just happened to be there) or that the ‘KillDisk’ component was directly responsible for the outage. It is our assessment that neither of these are correct. Malware likely enabled the attack, there was an intentional attack, but the ‘KillDisk’ component itself did not cause the outage.” … “The malware campaign reported, tied to BlackEnergy and the Sandworm team by others, has solid links to this incident but it cannot be assumed that files such as the Excel spreadsheet and other malware samples recovered from other portions of that campaign were at all involved in this incident. It is possible but far too early in the technical analysis to state that.”
The SANS report leaves little room for doubt that BlackEnergy was the key ingredient of this attack:
“We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information.” … “The malware also appears to have been used to wipe files in an attempt to deny the use of the SCADA system for the purposes of restoration to amplify the effects of the attack and possibly to delay restoration.”
SCADA security is becoming even more important: experts believe that similar attacks against industrial control systems will happen in the near future.
About the Author: Elsio Pinto
(Security Affairs – SCADA, BlackEnergy malware)