Ukraine power outage was a cyberattack -- U.S. doesn’t finger Russia (officially)

Ukraine attack on ICS / SCADA infrastructure may have been engineered by Russia, but nobody’s saying so on the record

Ukraine ICS SCADA
Credit: Kremlin.ru (cc:by)

A late-December power outage in Ukraine was caused by attackers wielding malware weapons, says a U.S. report. Unofficial briefings point the finger at Russia, as do official statements from Ukraine, but could the same happen here?

Spear-phishing seems to have been the vector for distributing the “BlackEnergy” malware. That allowed attackers to control the grid’s industrial control systems (ICS) and supervisory control and data acquisition (SCADA) components. In IT Blogwatch, bloggers fear for their own nations’ infrastructure.

curated these bloggy bits for your entertainment.


What’s the craic? David E. Sanger reports Utilities Cautioned About Potential for a Cyberattack After Ukraine’s:

Investigators concluded that the attack in Ukraine...may well have been the first power blackout triggered by a cyberattack. ... Attackers conducted “extensive reconnaissance”...stole the credentials of...operators and learned how to switch off the breakers.

Ukrainian officials have blamed the Russians. ... “They could be right,” said one senior administration official. “But...the attackers went to some lengths to hide their tracks.”

American intelligence officials have been intensely focused on [whether] the attack was engineered by the Russian military. ... “This appears to be message-sending,” said one senior administration official...who requested anonymity.

The malware designed for the Ukrainian power grid was directed at “industrial control systems.” ... The most famous such attack was the Stuxnet worm, which destroyed the centrifuges that enriched uranium...in Iran...conducted by the United States and Israel.


Could it happen here? Lee Ferran investigates—Hackers Caused Mass Blackout in Ukraine:

U.S. government cyber security experts officially declared that hackers are to blame. [It’s] the latest significant attack on vulnerable “critical infrastructure.”

Private security firms have previously reported [it] was caused by hackers wielding malware including code known as BlackEnergy and KillDisk. ... Kyle Wilhoit, a Senior Threat Researcher at...Trend Micro...said he believes...BlackEnergy was modulated and used to carry out the attack, and then the hackers attempted to cover their tracks with...KillDisk. [Also that] a coal mining company and a railroad company in Ukraine were also among the targets.

Wilhoit [said] that while the hack would’ve been “not incredibly difficult”...the relatively decentralized nature of America’s power distribution makes such an operation more difficult. [But] U.S. officials and experts have been warning about the vulnerability of American “critical infrastructure” for decades.


But how did the hackers steal the credentials? Zack Whittaker explains—US report confirms Ukraine power outage caused by cyberattack:

The cyberattack, which left more than 225,000 customers in the dark...in December...was caused by remote intrusions. ... Ukraine's energy ministry also suggested...the attack was linked to hackers...in Russia, falling short of outright accusing the Kremlin. ... Homeland Security did not speculate on who was behind the attack.

BlackEnergy malware was found...which was delivered through specifically-targeted [email with] Microsoft Office attachments. [Most] vulnerabilities in Microsoft Office can be mitigated by removing administrative access.


How could you mitigate such an attack on your ICS? These anonymous ICS-CERT authors offer this advice—Cyber-Attack Against Ukrainian Critical Infrastructure:

The...most important step in cybersecurity is implementation of...best practices. [And] organizations should develop and exercise contingency plans...in the event that their ICS is breached.

Application Whitelisting (AWL) can detect...malware uploaded by malicious actors. The static nature of [ICS] systems...make these ideal candidates to run AWL.

Organizations should isolate ICS networks from any untrusted networks. ... If one-way communication can accomplish a task, use optical separation (“data diode”).


Worring, eh? Amanda Vicinanzo agrees—US Government Confirms Cyber Attack Against Ukrainian Critical Infrastructure:

[It] serves as a disturbing reminder of the vulnerability of critical infrastructure, globally and within the United States. ... Experts are growing increasingly fearful that critical infrastructure, especially...SCADA systems, could be targeted in the US.

Concerns over an attack...in the US are far from unwarranted. ... In November 2014...a sophisticated malware campaign using a variant of...BlackEnergy...compromised numerous [ICS] environments in the US.

If unleashed, [it] could have shut down important elements of the nation’s critical infrastructure. ... It is crucial that US government and industry use this opportunity to...ensure the nation is adequately prepared to prepare for and respond to an attack.


How did it work? Sonal Patel has more detail—How Attackers Prompted Ukraine Blackouts:

The attacks at each company occurred within 30 minutes of each other and affected multiple...facilities. During the attacks, several [attackers] remotely operated the breakers.

Significantly, the attackers also rendered Serial-to-Ethernet devices...inoperable by corrupting their firmware. [The] report suggests it is not known whether [BlackEnergy] played a role in the attacks.


You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.