Threat Intelligence
1/14/2016
01:10 PM

More Signs Point To Cyberattack Behind Ukraine Power Outage

'KillDisk' and BlackEnergy were not the culprits behind the power outage -- there's still a missing link in the chain of attack.

MIAMI, FL -- S4x16 -- There's still no "smoking gun" malware, but security researchers here today said that based on their latest analysis, a cyberattack indeed caused the recent power outage in the Ukraine. It was either via a piece of malware that has not yet been found or publicized, or the attackers achieved the shutdown via remote access to control systems, they said.

John Hultquist and Sean McBride of iSIGHT Partners here today presented their latest findings on the December 23 attack that knocked out power in western Ukraine and spurred a wave of speculation and hot debate over whether the attack was the second confirmed cyberattack on a critical infrastructure system, with Stuxnet as the first.

"Did a cyberattack cause a power outage in the Ukraine? My answer is 'yes,'" McBride said in the presentation. But both Hultquist and McBride note that their conclusion is based on what they know, and there's still plenty that we don't know.

The power blackout on December 23 in western Ukraine has split security experts over whether malware indeed was used to knock the grid there offline. Ukraine's SBU state security service called out Russian hackers as the culprit, but security researchers have debated whether the malware involved, the notorious BlackEnergy backdoor, could have been repurposed or packaged with other malware to pull off the outage.

iSIGHT in its latest research points to the denial-of-service attack on the Ukrainian utilities' telecommunications systems, which hampered response and triage after the outage. Some 27 power distribution operation centers were hit in the attack, which affected three utilities, they said. And McBride confirmed that KillDisk, the disk-wiping malware used alongside BlackEnergy in the attack, did not cause the power outage. KillDisk erased files on control and non-control systems, forcing the utilities to go into manual-control mode.

"The key reason I believe [it was a cyberattack] is the scale of the outage: geographically dispersed regions and dozens of substations affected," McBride said. A physical attack to wreak such damage would have required "quite a few people" across those regions to pull it off, he said.

ICS/SCADA security experts here were intrigued by iSIGHT's latest analysis but remain perplexed by the lack of a smoking gun to confirm a cyberattack. Was it truly a custom strain of malware that executed the outage? A remote access attack that gave them access to a control system? Or malicious insiders onsite?

"We still don't know" if a cyberattack caused the outage, says Ralph Langner of The Langner Group. "I would think the Ukraine would be more than happy if a company tells the world this was a cyber physical attack from Russia."

Langner says a remote attack -- versus malware -- would not be so simple, however: "If you have access to an HMI [human machine interface], I don't believe you would be able to turn down every single substation. There must be protective logic" in those systems, he says.

In an interview, iSIGHT's Hultquist said the attackers also could have jumped the air gap of the critical systems at the distribution centers. There were sophisticated spear phishing emails used in the attack, which doesn't fit with a malicious insider, he notes.

It's the DoS attack on the telecom systems that makes malware a more realistic culprit in the outage, says Robert M. Lee, a SANS instructor and ICS/SCADA expert. "The piece I would be cautious about taking there is that's a causal relationship between BlackEnergy 3 and a power outage," Lee says.

Lee says the coordinated nature of the attack is telling: "It was a coordinated takedown of those facilities," so an onsite malicious insider theory doesn't make sense, he says.

"If you're doing it onsite, you don't need a remote adversary DDoSing the phones. The DDoS gives a lot of credence that BlackEnergy and a remote adversary had a part in that," Lee says. Between the DDoS and KillDisk wiping the machines, the Ukrainian utilities were blind to the blackout when it first occurred, he says.

"There are many things we don't know yet. We don't know how KillDisk made it to its targets. We don't know what code initiated the outages," McBride said. "We don't know what the adversary's objectives were."

What is clear is that energy is a key element of the Ukraine-Russia conflict, he said. Some 80% of natural gas to the Ukraine comes from Russia, and the Ukraine supplies 70% of power to Crimea. And Russia has an interest in the natural gas reserves off the coast of Crimea, he said.

In many ways, the writing was on the wall given the ongoing conflict, he said.

Researchers at ESET initially posed the theory that BlackEnergy may have been used in the attack. But earlier this week, the security firm released more details to dispel what it called "misinterpretation" and "speculation" in the wake of its research on the malware in the Ukraine incident.

“Analyzing the malware, we’ve shed some light on an operation against the Ukrainian energy sector but what we know is only a small piece of the puzzle,” says Robert Lipovsky, a senior malware researcher at ESET. “Many questions have been left unanswered.”

Specifically, media reports that attributed the malware to the outage itself went too far, he says. "Unfortunately, things are not clear enough to reach such simple conclusions. But it is true that the BlackEnergy Trojan, together with an SSH backdoor and the destructive KillDisk component, which were all detected in several electricity distribution companies in Ukraine, are a dangerous set of malicious tools theoretically capable of giving attackers remote access to a company’s network, shutting down critical systems and, by wiping their data, making it harder to get them up and running again," he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
