In December, a major outage hit a region in Ukraine, more than 225,000 customers were affected by the interruption of the electricity. Security experts speculate the involvement of Russian nation-state actors that have used the BlackEnergy to infect SCADA systems of Ukrainian grid and critical infrastrcuture.
According to a Ukrainian media TSN, the power outage was caused by the destructive malware that disconnected electrical substations. The experts speculate that hackers run a spear phishing campaign across the Ukrainian power authorities to spread the BlackEnergy malware leveraging on Microsoft Office documents.
Now a new report published by the DHS Industrial Control Systems Cyber Emergency Response Team confirms that the outage was caused by a cyber attack.
The report is based on interviews with operations and IT staff at six Ukrainian organizations involved in the attacks. The thesis has been supported first by the SANS industrial control systems team, but it is still unclear the real impact of the BlackEnergy malware of the incident.
The SANS report reported that attackers flooded the call centers at the power authorities with phone calls, the intent of the attackers was to prevent customers from reporting the incident to the companies operating the critical infrastructure.
The DHS report highlights the possibility that the two strains of malware were used by the attackers after the outage in an attempt either to destroy evidence the intrusion or make recovery more difficult.
“Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.” states the report.
“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.”
“The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”
The report confirmed that every company victim of the attack was infected with the BlackEnergy malware, but avoided to provide further details on the role played by the malware.
“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”
(Security Affairs – SCADA , BlackEnergy malware)