Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/10/2017
06:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Latest Ukraine Blackout Tied To 2015 Cyberattackers

Broad cyberattack campaign hitting finance, energy, transporation in Ukraine were meant to disrupt but not cause major damage, researchers say.

S4x17 CONFERENCE -- Miami, Fla.-- A wave of fresh cyberattacks against power substations, defense, finance, and port authority systems in Ukraine last month appear to be the handiwork of the same attackers who in December 2015 broke in and took control of industrial control systems at three regional power firms in that nation and shut off the lights, researchers said here today.

A pair of researchers from Ukraine confirmed that a second power outage on Dec. 16, 2016, in the nation also was the result of a cyberattack. Ukrainian officials have identified Russian hackers as the perpetrators, and Ukraine President Petro Poroshenko recently revealed that his nation had suffered 6,500 cyberattacks at the hands of Russia in the past two months.

But unlike the 2015 cyberattack that crippled some 27 power distribution operation centers across the country and affected three utilities in western Ukraine, the December 2016 attack hit the Pivnichna remote power transmission facility and shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour.

Confirmation of yet another cyberattack campaign against the Ukraine comes at a time when Russian nation-state hacking is a front-burner concern in the US and Western world, especially with the US intelligence community's recent report concluding that Russian president Vladimir Putin directed a wide-ranging campaign to influence the outcome of the 2016 US presidential campaign in favor of President-Elect Donald Trump. US officials say Russia employed cyber espionage attacks against policy groups, US primary campaigns, and the Democratic National Committee (DNC) in 2015, as well as propaganda to influence public opinion.

Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, who today presented the newest findings on the Ukraine hacks, said the attackers appear to be using Ukraine "as a training ground for R&D" - basically a way to hone their attacks on critical infrastructure attacks in general.

She said in an interview that this testbed-type approach against Ukraine is considered by experts as a "standard practice" by Russian hackers for testing out their tools and attacks.

This recent campaign worries some US security experts. "The 'red lines' that conventional wisdom taught us would prevent disruptive or destructive attacks in critical infrastructure are dimming, if not gone," says Steve Ward, a senior director at Claroty. "With the 2015 Ukraine incident and the fact that no apparent repercussions followed, it is not surprising to be at the point where a follow-up attack has been confirmed … We should be very concerned with the potential of such attacks in America," Ward says.

Honeywell's Krotofil says the latest attacks began on Dec. 6 and lasted until Dec. 20, with each target getting hit one-by-one, via a combination of remote exploits and websites crumbling under distributed denial-of-service attacks.

With the Ukraine rail system's server taken offline by the attacks, travelers were unable to purchase train tickets, and cargo shipments also were interrupted, she says.

She said the attackers didn't appear to intend to wreak major damage on Ukraine's infrastructure, however. "It's hypothesized that this hacking campaign was to sabotage normal operations in Ukraine to cause disorganization and distrust," she said. "The goal was to destabilize the economy and political situation."

The attackers used many of the same tools that they deployed in the 2015 power grid blackout -- including BlackEnergy framework tools and KillDisk. "The attacks [grew] in sophistication," Krotofil said. "They were more organized, with several groups working together like a good orchestra. That was different from" the 2015 attack that appeared to be more disjointed and disorganized, she said.

A spear phish on July 14, 2016, kicked off the first phase of the attacks aimed at a Ukraine bank. The attachment employed malicious macros that checked for sandboxes and hid its activity with obfuscation techniques. The researchers did not confirm the initial attack vector for the electric grid, however.

Via a translater, in a pre-recorded video shown during Krotofil's talk, Oleksii Yasynskyi - head of research for Information Systems Security Partners in Ukraine and a fellow investigator of the Ukraine attacks - said that the attackers were "several cybercriminal groups" working together. Yasynskyi said the groups employed legitimate IT administrative tools to evade detection as they gathered the necessary intelligence about the networks in the reconnaissance phase of the attacks.

They gathered passwords about targeted servers and workstations, for instance, noted Yasynskyi, and they created custom malware for their targets. "The code was written by experts," he said.

Macro Got More Game

The attackers upped their malicious macro game significantly in the 2016 attacks in comparison to the 2015 attack. Case in point: 69% of the code in their macro software was for obfuscation, 30% for duping forensic analysis, and only one percent of the code actually corresponded to the macro's ability to launch malware, according to Yasynskyi.

"In essence, this macro is a sophisticated container for infiltrating and delivering malicious code for actual intrusion by the attackers," he said.

The attackers this time around also put extra effort into making malware analysis as onerous as possible. "It writes itself into certain parts of memory, like a puzzle," he said. "It unwraps only parts it needs at the time.

"This only confirms the theory that this was executed by several teams: infrastructure, instruments to automate the analysis and penetration, and to deliver the malicious code," he said.

The dropper malware, a custom tool called Hancitor, had two different samples, but some 500 software builds during a two-week period, demonstrating the level of software development by the attackers, Krotofil noted.

The attackers also obviously had done the homework in order to wreak havoc on the power grid, such as the inner workings of industrial processes there. "You can't simply get" that information or documents on the Net, Krotofil said.

Interestingly, while it took some four months to investigate the 2015 Ukraine power grid attack, it took Yasynskyi and the other investigators only two weeks to investigate the 2016 attacks. They were able to detect the similar methods and tools in the second attacks based on the research from the previous attacks.

Michael Assante, SANS lead for ICS and SCADA security, in a presentation here today noted that the Ukraine attacks raise new issues for ICS/SCADA operators. "In the case of Ukraine, it opened up a lot of questions" after that 2015 attack about how to engage when such physically disruptive events hit, such as who should identify a cyberattack, how to respond, and what protocol to follow if the attack causes damage.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-15139
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...