First ever cyber attack on power grid takes down Ukraine network for six hours
03 February 2016
A suspected cyber attack on a Ukrainian power grid has been linked to Russia, according to US security firm iSight Partners. The six-hour outage on December 23 affected some 80,000 customers of Ukraine's Prykarpattyaoblenergo and Kyivoblenergo utilities after around 30 substations went offline. The utilities' operators were able to restore power by switching to manual operation and by disconnecting infected workstations and servers from the control network.
John Hultquist, director of cyber espionage analysis at iSight Partners, said they had linked Russia’s Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that has become their calling card.
"We have analysed the forensic evidence we have been able to obtain from the region, contextualising it within our knowledge of cyber espionage actors. Many details of the event remain unknown and, given the nature of the incident, especially the use of destructive malware, we do not anticipate every detail will be exposed," Hultquist said.
iSight has been tracking the Sandworm group for over a year, disclosing in October 2014 that it had been targeting Ukrainian government officials and members of the EU and NATO. Shortly after these findings, security experts at Trend Micro reported that the group was also targeting SCADA systems that control and monitor industrial automation, according to the V3.co.uk technology website.
Ukraine's SBU state security service had already blamed Russia for the attack. This is difficult to prove, but the evidence points towards the involvement of a nation state as energy infrastructure targets do not offer the payoffs that criminal groups usually look for.
Tensions between Ukraine and Russia have been high since Russia annexed Crimea in 2014.
On January 9, the SANS Industrial Control Systems (ICS) team in the US published the first detailed analysis of how the outage was caused.
According to that analysis, malware was first installed to hide the intrusion from technicians; circuit breakers were then switched open remotely to cut power. The attackers also crippled the utility's customer service centre by flooding it with phone calls (a telephone denial of service), so that customers could not report that the power was down and operators were slower to grasp the scale of the outage.
"This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics," said Robert Lee, a former US Air Force cyber warfare operations officer who helped compile the report for SANS ICS.
Experts said the incident was the first known power outage caused by a cyber attack. Reuters said there was strong interest in this event because of its ramifications for other utilities worldwide, and particularly the vulnerability of their industrial control systems.
"A coordinated cyber attack consisting of multiple elements is one of the expected hazards (electric utilities) may face," SANS ICS Director Michael Assante said in a blog.
"We need to learn and prepare ourselves to detect, respond, and restore from such events in the future," said Assante, former chief security officer of the quasi-governmental North American Electric Reliability Corp.
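The sequence described above, remote breaker operations from a foreign session followed by a disk wipe on the same workstation, is the kind of pattern a utility can correlate for itself. The following is an added example, not code from the original article or from SANS ICS: a small Python correlator that reads constructed control-system events in a hypothetical line format (time, host, user, session type, event, detail), raises an alert when several remote breaker-open commands land inside a short window, and raises a second alert when a wipe follows remote switching on the same host. The log lines, host names, user names, thresholds and the "killdisk" label are all invented for illustration.

```python
"""Correlate remote breaker-open bursts with a later disk wipe.

Added example over a constructed, hypothetical event format:
    <ISO time> <host> <user> <session: local|vpn> <event> <key=value>
None of the hosts, users or lines below come from a real utility.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_LOG = """\
2015-12-23T15:10:02 hmi-01 op_ivanov local breaker_open feeder=F-12
2015-12-23T15:31:44 hmi-01 op_ivanov vpn breaker_open feeder=F-01
2015-12-23T15:31:51 hmi-01 op_ivanov vpn breaker_open feeder=F-02
2015-12-23T15:32:03 hmi-01 op_ivanov vpn breaker_open feeder=F-03
2015-12-23T15:32:10 hmi-01 op_ivanov vpn breaker_open feeder=F-04
2015-12-23T15:32:19 hmi-02 op_petrov vpn breaker_open feeder=F-07
2015-12-23T15:32:27 hmi-02 op_petrov vpn breaker_open feeder=F-08
2015-12-23T15:33:40 hmi-01 op_ivanov vpn disk_wipe tool=killdisk
2015-12-23T16:05:00 hmi-03 op_sidorov local breaker_close feeder=F-12
"""


def parse_event(line):
    """Split one line of the hypothetical format into a dict."""
    ts, host, user, session, event, detail = line.split(maxsplit=5)
    key, _, value = detail.partition("=")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "session": session, "event": event, key: value}


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def detect(events, window=timedelta(minutes=5), threshold=3,
           wipe_lookback=timedelta(minutes=30)):
    """Return alerts for (1) a burst of breaker_open commands issued from
    non-local sessions inside `window`, and (2) a disk_wipe on a host that
    issued remote breaker commands within `wipe_lookback`."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    recent = deque()            # remote breaker_open events inside window
    burst_reported = False      # report the burst once, not per event
    last_remote_switch = {}     # host -> time of its last remote breaker_open

    for e in events:
        if e["event"] == "breaker_open" and e["session"] != "local":
            recent.append(e)
            while recent and e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            last_remote_switch[e["host"]] = e["ts"]
            if len(recent) >= threshold and not burst_reported:
                alerts.append({
                    "type": "remote_breaker_burst",
                    "count": len(recent),
                    "feeders": [r["feeder"] for r in recent],
                    "hosts": sorted({r["host"] for r in recent}),
                    "start": recent[0]["ts"], "end": e["ts"],
                })
                burst_reported = True
        elif e["event"] == "disk_wipe":
            last = last_remote_switch.get(e["host"])
            if last is not None and e["ts"] - last <= wipe_lookback:
                alerts.append({
                    "type": "wipe_after_remote_switching",
                    "host": e["host"], "user": e["user"],
                    "minutes_after_switching": (e["ts"] - last).seconds // 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The local breaker operation at 15:10 and the later breaker close are ignored on purpose: the signal is not "breakers moved" but "several breakers moved quickly from a remote session, then the workstation was wiped". Thresholds and the five-minute window are arbitrary starting points; a real deployment would tune them against the site's normal switching activity and scheduled maintenance windows.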
In December 2014, an expert report concluded an explosion on the Baku-Tbilisi-Ceyhan (BTC) oil pipeline at Refahiye in eastern Turkey in August 2008 was the result of a cyber attack, most likely by the Russian state. The blast had initially been blamed on an attack by Kurdish militants.
Investigators working with the Turkish, British, Azerbaijani and other governments on the BTC incident examined why the safety and control systems designed to detect oil leaks or fires failed to respond in the moments before the explosion. They eventually concluded that the attackers had entered through the pipeline's surveillance cameras, using vulnerabilities in the cameras' communications software to reach the pipeline's internal network.
Once inside, the attackers probably manipulated the pipeline pressure by compromising the small industrial controllers at the valve stations, bypassing the central control room, and raising the pressure until the line ruptured.
Some sixty hours of pipeline surveillance footage were erased by the hackers, but one infrared camera operating on an independent network captured images of two men with laptops near the pipeline days before the explosion. The men wore black military-style uniforms without insignias, similar to those worn by troops considered to have been working on behalf of Russia in Crimea during Russia’s invasion of Ukraine in 2014.