Cyber Pulls the Plug
Print Issue: May 2016
Two days before Christmas in 2015, hackers took control of Ukraine’s power control system and remotely shut down part of its power grid. Approximately 250,000 people in the Ivano-Frankivsk region were left without power for several hours as the once-theoretical threat that a cyberattack could take down the electric system became a harsh—and bone-chilling—reality.
Power grid operators were able to get the grid up and running, but the hackers struck again four days later, using destructive malware to infect the electric infrastructure in at least three regions of Ukraine and once again create a power outage.
Details on the attack were initially murky, but one thing was clear: the attack used malware to create a backdoor and plant a KillDisk component on targeted computers that made them unbootable and destroyed files.
No one has yet taken responsibility for the attacks. But many are hoping that the incident serves as a wake-up call for security professionals and critical infrastructure operators across the globe.
“It’s no longer a theoretical exercise or a bunch of guys sitting around a whiteboard trying to figure out how to take out an industrial control system,” says Tim McCreight, CPP, director of advisory services for Above Security, a Hitachi Group Company. “We know it can happen.”
Researchers are still unsure of the timeline of the first attack on Ukraine’s power system, but by analyzing samples of the malware and looking at the Ukraine power grid’s network, they have been able to determine how the malware moved through the network.
The attack was aimed at Ukraine’s electrical departments, and the attackers executed it by sending phishing e-mails to employees with an Excel spreadsheet that was embedded with BlackEnergy malware. Despite a warning, employees were tricked into opening the attachment, which installed Secure Socket Shell backdoors on the electrical departments’ networks.
“In this way, attackers could send industrial control commands to the target and execute KillDisk to compromise the system and prolong the system recover time,” according to network security firm NSFOCUS’s report on the incident.
“Because our analysis is based on the sample only, we have no idea whether or not [the departments] were running anti-virus or if the Trojan evaded it successfully,” says Li Donghong, research manager of the NSRI team at NSFOCUS. Because the phish is meant to attract people to click the attachment by ignoring the risk warning, patches would not prevent the attack from happening once the attachment was opened.
What made the attack truly possible, however, was that many of Ukraine’s electric power facilities are connected to the Internet.
“Internet connectivity allows attackers to hack into the systems and launch attacks by tricking workers into opening a specially crafted e-mail,” the report explained. “After BlackEnergy infects a business system and devices in this way, it is quite possible for an attacker to launch attacks against the industrial control system by using an implant, such as KillDisk, to compromise hosts. If the industrial control system fails to read the configurations during the restart, the entire system will break down.”
In layman’s terms, the attack would shut off part of the electric grid and make it difficult to get it up and running again.
This was not the first time that BlackEnergy was used for a cyberattack in Ukraine, and it remains unclear what its role was in the attack on its power grid. It was previously used in 2014 in a series of cyber-espionage attacks against government-related targets in Ukraine and in November 2015 to attack news media companies during the Ukrainian local elections, destroying video materials and documents.
Because of this history, many were quick to allege that Russia, or a Russian-sponsored group, was behind the attacks. But others were skeptical, especially after news broke in January of yet another cyberattack using a different form of malware on several electricity distribution companies in Ukraine.
“The January attack used something that is quite an unprofessional type of malware,” says Robert Lipovsky, senior malware researcher at ESET, an Internet security firm. “It was based on a freely available, open-source backdoor, which was modified. This is something that you can find on the Internet, take the source code, change it a little bit, and then use. That’s not something you would expect from a well-funded, professional, state-sponsored malware operator.”
The January attacks were carried out using a method similar to the December attacks: a phishing e-mail that contained a malicious Excel attachment. Within the e-mail was a link to an image file (a .PNG) on a remote server, so attackers would get a notification that the e-mail had been delivered and opened by the intended recipient, according to Lipovsky’s research.
Once opened, the e-mail fooled recipients into downloading malware that could execute shell-commands and a backdoor that allowed the attackers access to the network.
This type of attack makes Lipovsky question who was behind the attacks, because there doesn’t seem to be a clear motive.
Previous motives for using BlackEnergy “have been mostly cyber espionage, so trying to get their hands on private data,” he explains. “This time they also wanted to do sabotage on top of just espionage, but there are no clear pointers or clues that would suggest who’s behind this.”
While researchers and investigators continue to attempt to identify those responsible, others are focusing on what can be done to prevent the next attack from happening. Lipovsky says critical infrastructure operators should follow the typical cybersecurity advice—patch their systems, educate employees on social engineering attacks, and use security software and anti-malware solutions.
But one of the most critical steps electrical departments can take is to air gap critical systems. “In other words, do not have a computer that controls or programs industrial systems connected to the same network that’s connected to the Internet, because that opens a very big vulnerability—a potential vector of an attacker getting in,” Lipovsky says.
The North American Electric Reliability Corporation (NERC) already has standards in place that require industrial control systems to be separate from corporate networks in Canada, the United States, and Mexico.
This makes the likelihood of an attack on the U.S. electric system remote, says Allan Wick, CPP, PCI, PSP, CSO for Tri-State Generation & Transmission. Additionally, it’s common for electrical industrial control systems to be protected by firewalls, intrusion detection systems, and port-blocking systems, he adds.
For instance, Wick says Tri-State has multiple stages of supervisory control and data acquisition network islanding. This means that its SCADA system is physically disconnected from virtual private networks (VPNs), the corporate network, the regional electric entity operating network, and the backup control center.
The system is constructed this way “so that we can totally be separated from anything other than talking between the source of the electricity and the destination,” he explains.
And research from the U.S. Department of Homeland Security’s Office of Intelligence and Analysis backs Wick’s contention. Following the attacks in Ukraine, the office released an intelligence assessment that found that “the threat of a damaging or disruptive cyberattack against the U.S. energy sector is low.”
The assessment was compiled by the U.S. Computer Emergency Readiness Team (ICS-CERT) and the intelligence community between 2011 and 2016. It explained that advanced persistent threat (APT) nation-state cyber actors are targeting U.S. energy sector enterprise networks primarily to conduct cyber espionage.
“The APT activity directed against sector industrial control system networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States,” the assessment said.
While North America may be in a good position to defend itself from a cyberattack on its electric grids, the same cannot be said of other regions of the globe. Neither Wick nor McCreight, who is the chair of the ASIS International Information Technology Security Council, were aware of other regional standards that require industrial control systems to be separated from corporate IT networks.
And Wick says other critical infrastructure sectors in North America—like water systems—may be vulnerable to the types of attacks that hit Ukraine because they do not have the same standards as the energy sector.
“Most water systems are local; they’re not a huge integrated system like the bulk electric grid is,” Wick explains, adding that the lack of standards in this area could be because of the “culture, the lack of large-scale incidents, and the small distribution” compared to the power system.
However, just because the standards don’t require it doesn’t mean that companies and critical infrastructure shouldn’t move towards a more secure cybersecurity posture. Ukraine—and Stuxnet before it—proved that these types of attacks to knock out critical infrastructure are possible.
Companies and critical infrastructure operators need to assume that their systems are going to be breached and take the steps to ensure that they can quickly detect, mitigate, and recover from the attack, McCreight says.
“We are going to get hacked. Somewhere along the line we’re going to be breached,” he adds. “And it’s how quickly we can find it, how quickly we can recover from it that’s going to make the difference.”