Threat Intelligence

1/14/2016
01:10 PM

More Signs Point To Cyberattack Behind Ukraine Power Outage

'KillDisk' and BlackEnergy were not the culprits behind the power outage -- there's still a missing link in the chain of attack.

MIAMI, FL -- S4x16 -- There's still no "smoking gun" malware, but security researchers here today said that based on their latest analysis, a cyberattack indeed caused the recent power outage in the Ukraine. It was either via a piece of malware that has not yet been found or publicized, or the attackers achieved the shutdown via remote access to control systems, they said.

John Hultquist and Sean McBride of iSIGHT Partners here today presented their latest findings on the December 23 attack that knocked out power in western Ukraine and spurred a wave of speculation and hot debate over whether the attack was the second confirmed cyberattack on a critical infrastructure system, with Stuxnet as the first.

"Did a cyberattack cause a power outage in the Ukraine? My answer is 'yes,'" McBride said in the presentation. But both Hultquist and McBride note that their conclusion is based on what they know, and there's still plenty that we don't know.

The power blackout on December 23 in western Ukraine has split security experts over whether malware indeed was used to knock the grid there offline. Ukraine's SBU state security service called out Russian hackers as the culprit, but security researchers have debated whether the malware involved, the notorious BlackEnergy backdoor, could have been repurposed or packaged with other malware to pull off the second confirmed outage via cyberattack.

iSIGHT in its latest research points to the denial-of-service attack on the Ukrainian utilities' telecommunications systems, which hampered response and triage after the outage. Some 27 power distribution operation centers were hit in the attack, which affected three utilities, they said. And McBride confirmed that KillDisk, the disk-wiping malware used alongside BlackEnergy in the attack, did not cause the power outage. KillDisk erased files on control and non-control systems, forcing the utilities to go into manual-control mode.

"The key reason I believe [it was a cyberattack] is the scale of the outage: geographically dispersed regions and dozens of substations affected," McBride said. A physical attack to wreak such damage would have required "quite a few people" across those regions to pull it off, he said.

ICS/SCADA security experts here were intrigued by iSIGHT's latest analysis but remain perplexed by the lack of a smoking gun to confirm a cyberattack. Was it truly a custom strain of malware that executed the outage? A remote access attack that gave them access to a control system? Or malicious insiders onsite?

"We still don't know" if a cyberattack caused the attack, says Ralph Langner of The Langner Group. "I would think the Ukraine would be more than happy if a company tells the world this was a cyber physical attack from Russia."

Langner says a remote attack--versus malware--would not be so simple, however: "If you have access to an HMI [human machine interface], I don't believe you would be able to turn down every single substation. There must be protective logic" in those systems, he says.

In an interview, iSIGHT's Hultquist said the attackers also could have jumped the air gap of the critical systems at the distribution centers. There were sophisticated spear phishing emails used in the attack, which doesn't fit with a malicious insider, he notes.

It's the DoS attack on the telecom systems that makes malware a more realistic culprit in the outage, says Robert M. Lee, a SANS instructor and ICS/SCADA expert. "The piece I would be cautious about taking there is that's a causal relationship between BlackEnergy 3 and a power outage," Lee says.

Lee says the coordinated nature of the attack is telling: "It was a coordinated takedown of those facilities," so an onsite malicious insider theory doesn't make sense, he says.

"If you're doing it onsite, you don't need a remote adversary DDoSing the phones. The DDoS gives a lot of credence that BlackEnergy and a remote adversary had a part in that," Lee says. Between the DDoS and KillDisk wiping the machines, the Ukrainian utilities were blind to the blackout when it first occurred, he says.

"There are many things we don't know yet. We don't know how KillDisk made it to its targets. We don't know what code initiated the outages," McBride said. "We don't know what the adversary's objectives were."

What is clear is that energy is a key element of the Ukraine-Russia conflict, he said. Some 80% of natural gas to the Ukraine comes from Russia, and the Ukraine supplies 70% of power to Crimea. And Russia has an interest in the natural gas reserves off the coast of Crimea, he said.

In many ways, the writing was on the wall given the ongoing conflict, he said.

Researchers at ESET initially posed the theory that BlackEnergy may have been used in the attack. But earlier this week, the security firm released more details to dispel what it called "misinterpretation" and "speculation" in the wake of its research on the malware in the Ukraine incident.

“Analyzing the malware, we’ve shed some light on an operation against the Ukrainian energy sector but what we know is only a small piece of the puzzle,” says Robert Lipovsky, a senior malware researcher at ESET. “Many questions have been left unanswered.”

Specifically, media reports that attributed the malware to the outage itself went too far, he says. "Unfortunately, things are not clear enough to reach such simple conclusions. But it is true that the BlackEnergy Trojan, together with an SSH backdoor and the destructive KillDisk component, which were all detected in several electricity distribution companies in Ukraine, are a dangerous set of malicious tools theoretically capable of giving attackers remote access to a company’s network, shutting down critical systems and, by wiping their data, making it harder to get them up and running again," he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
