MIAMI, FL -- S4x16 -- There's still no "smoking gun" malware, but security researchers here today said that based on their latest analysis, a cyberattack indeed caused the recent power outage in the Ukraine. It was either via a piece of malware that has not yet been found or publicized, or the attackers achieved the shutdown via remote access to control systems, they said.
John Hultquist and Sean McBride of iSIGHT Partners here today presented their latest findings on the December 23 attack that knocked out power in western Ukraine and spurred a wave of speculation and hot debate over whether the attack was the second confirmed cyberattack on a critical infrastructure system, with Stuxnet as the first.
"Did a cyberattack cause a power outage it the Ukraine? My answer is 'yes,'" McBride said in the presentation. But both Hultquist and McBride note that their conclusion is based on what they know, and there's still plenty that we don't know.
The power blackout on December 23 in western Ukraine has split security experts over whether malware indeed was used to knock the grid there offline. Ukraine's SBU state security service called out Russian hackers as the culprit, but security researchers have debated whether the malware involved, the notorious BlackEnergy backdoor, could have been repurposed or packaged with other malware to pull of the second confirmed outage via cyberattack.
iSIGHT in its latest research points to the denial-of-service attack on the Ukrainian utilities telecommunications systems, which hampered response and triage after the outage. Some 27 power distribution operation centers were hit in the attack, which affected three utilities, they said. And McBride confirmed that KillDisk, the disk-wiping malware used alongside BlackEnergy in the attack, did not cause the power outage. KillDisk erased files on control and non-control systems, forcing the utilities to go into manual-control mode.
"The key reason I believe [it was a cyberattack] is the scale of the outage: geographically dispersed regions and dozens of substations affected," McBride said. A physical attack to wreak such damage, would have required "quite a few people" across those regions to pull it off, he said.
ICS/SCADA security experts here were intrigued by iSIGHT's latest analysis but remain perplexed by the lack of a smoking gun to confirm a cyberattack. Was it truly a custom strain of malware that executed the outage? A remote access attack that gave them access to a control system? Or malicious insiders onsite?
"We still don't know" if a cyberattack caused the attack, says Ralph Langner of The Langner Group. "I would think the Ukraine would be more than happy if a company tells the world this was a cyber physical attack from Russia."
Langner says a remote attack--versus malware--would not be so simple, however: "If you have access to an HMI [human machine interface], I don't believe you would be able to turn down every single substation. There must be protective logic" in those systems, he says.
In an interview, iSIGHT's Hultquist said the attackers also could have jumped the air gap of the critical systems at the distribution centers. There were sophisticated spear phishing emails used in the attack, which doesn't fit with a malicious insider, he notes.
It's the DoS attack on the telecom systems that makes malware a more realistic culprit in the outage, says Robert M. Lee, a SANS instructor and ICS/SCADA expert. "The piece I would be cautious about taking there is that's a causal relationship between BlackEnergy 3 and a power outage," Lee says.
Lee says the coordinated nature of the attack is telling: "It was a coordinated takedown of those facilities," so an onsite malicious insider theory doesn't make sense, he says.
"If you're doing it onsite, you don't need a remote adversary DDoSing the phones. The DDoS gives a lot of credence that BlackEnergy and a remote adversary had a part in that," Lee says. Between the DDoS and KillDisk wiping the machines, the Ukrainian utilities were blind to the blackout when it first occurred, he says.
"There are many things we don't know yet. We don't know how KillDisk made it to its targets. We don't know what code initiated the outages," McBride said. "We don't know what the adversary's objectives were."
What is clear is that energy is a key element of the Ukraine-Russia conflict, he said. Some 80% of natural gas to the Ukraine comes from Russia, and the Ukraine supplies 70% of power to Crimea. And Russia has an interest in the natural gas reserves off the coast of Crimea, he said.
In many ways, the writing was on the wall given the ongoing conflict, he said.
Researchers at ESET initially posed the theory that BlackEnergy may have been used in the attack. But earlier this week, the security firm released more details to dispel what it called "misinterpretation" and "speculation" in the wake of its research on the malware in the Ukraine incident.
“Analyzing the malware, we’ve shed some light on an operation against the Ukrainian energy sector but what we know is only a small piece of the puzzle,” says Robert Lipovsky, a senior malware researcher at ESET. “Many questions have been left unanswered.”
Specifically, media reports that attributed the malware to the outage itself went too far, he says. "Unfortunately, things are not clear enough to reach such simple conclusions. But it is true that the BlackEnergy Trojan, together with an SSH backdoor and the destructive KillDisk component, which were all detected in several electricity distribution companies in Ukraine, are a dangerous set of malicious tools theoretically capable of giving attackers remote access to a company’s network, shutting down critical systems and, by wiping their data, making it harder to get them up and running again," he says.