Attacks/Breaches
1/5/2016
02:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Questions Remain On How Cyberattack Caused Ukraine Blackout

Could BlackEnergy backdoor with KillDisk really cause a power outage? Some experts think piece of puzzle is missing.

The BlackEnergy malware family might have been involved in the Dec. 23 blackout in Ukraine, according to researchers at ESET, but whether it was or wasn't, questions remain on how the attack occurred. In particular, while ESET contends that this backdoor malware previously used for data theft was repurposed to cause a widespread power outage, not all experts are convinced.

The blackout

The blackout across western Ukraine, including its regional capital, was attributed to a cyberattack on Ukrainian electricity distributor Prykarpattya Oblenergo. Ukraine's SBU state security service officially blamed Russian hackers for the incident, and told Reuters that "the region would have faced a much longer blackout if the malware had executed as the attackers had intended."

“To my knowledge this is the first time an electricity provider has openly claimed to be the victim of a cyber attack that intentionally caused an outage," says Sean McBride, critical infrastructure lead analyst for iSIGHT. "We do have evidence that general malware was implicated in outages previously, but that case does not qualify as intentionally caused. The up-front and relatively immediate claim by the Ukrainian victims, the plausibility of the situation, and the details produced to date make this something new."

BlackEnergy

On Sunday, researchers at ESET published analysis stating that they believed the BlackEnergy malware family was involved in the attack at Prykarpattya Oblenergo; Monday, they wrote that this attack was not an isolated incident, and that the malware was discovered at other electricity companies earlier in 2015. The infection vector used in those attacks appeared to be Microsoft Word macros, delivered via spearphishing messages, some of which purported to be from the Ukrainian parliament. 

BlackEnergy has been used against the energy sector before; Sandworm Team, a Russian hacking group, has used it heavily in the past in attacks on the energy sector in Europe and in the United States since as far back as 2011. However, the primary purpose of the malware at that time, according to Cyber X researchers in a May report, was data theft -- not power outages.

Since that time, however, a new KillDisk component has been added to BlackEnergy, according to ESET. "The main purpose of this component," researchers wrote, "is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable."

This combo of BlackEnergy with a KillDisk component was first spotted in November, by Ukraine's national CERT, being used against Ukrainian media companies. The sample discovered by ESET in the energy companies, though, "was slightly different."

The newer samples, according to ESET, accept a command line argument to set a time delay, delete Windows Event Logs, "is less focused on deleting documents" than the version that was found in media companies, and "also appears to contain some additional functionality specifically intended to sabotage industrial systems," terminating two non-standard processes called komut.exe and sec_service.exe.

Monday, ESET researchers wrote that "Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems." In other words, Black Energy and KillDisk could cause a blackout.

Researchers at iSIGHT say they believe that -- regardless of whether the BlackEnergy sample was used in this particular attack -- that the attackers behind the Ukrainian blackout are Sandworm Team.

Are Black Energy and Kill Disk Enough?

Robert M. Lee, an instructor and course author for SANS, isn't entirely convinced.

Lee says that while he does believe that the BlackEnergy malware and the Sandworm Team threat group were involved in the attack, he does not believe there is enough evidence to prove either of those things yet.

He also does not believe that BlackEnergy, even with the KillDisk component, could cause the outage on its own. As a backdoor, BlackEnergy could give attackers access to key systems, but the destructive capabilities in KillDisk, he says, are mainly for anti-forensics purposes; there's a possibility that they were used for other things but the cleanup is the most predominant theory right now, he says.

Attackers could have used BlackEnergy with KillDisk "to get on and clean up," says Lee, but to cause a blackout they would have needed additional steps. He does not, however, think the attackers needed operational expertise with the ins-and-outs of power plants to carry it out (as some cyber-physical attackers do). It "would likely have been a script or a direct interaction that might open or close breakers,” says Lee. "We don't know. We may never know."

ESET acknowledged in its post Monday that a scenario like this could be possible -- BlackEnergy or the SSH backdoor providing access for a secondary attack, with KillDisk providing clean up -- but persisted that "we can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage" in western Ukraine Dec. 23.

The cost of a major cyberattack on the U.S. electric grid has been estimated at $1 trillion in economic impact and $71.1 billion in insurance claims. In their study published in July, the University of Cambridge Centre for Risk Studies and London-based insurance provider Lloyd's defined the attack as a malware infection of 50 generators in the Northeastern U.S. that made them overload and caused a blackout in 15 states and Washington D.C.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.