US investigators have officially confirmed that the devastating power outages experienced in Ukraine last December, which affected 225,000 customers, were the result of a sophisticated cyber attack, according to an alert posted last week by the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
According to the February 25 alert, a US interagency team collaborated and shared information with the Ukrainian government to gain more insight into the unscheduled power outages. The team conducted multiple interviews with operations and information technology staff and leadership at six Ukrainian organizations affected by the blackout.
Based on these discussions and interviews, the team determined that the power outages experienced on December 23, 2015 were caused by external cyber attackers.
The interagency team included representatives from the National Cybersecurity and Communications Integration Center, ICS-CERT, US Computer Emergency Readiness Team, Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation.
According to ICS-CERT’s report, the power outages were caused by remote cyber intrusions at three regional electric power distribution companies. The attacks on each company occurred within 30 minutes of each other. Other organizations, including those in the critical infrastructure sector, also experienced intrusions, but did not experience operational impacts.
“The cyber attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks,” ICS-CERT stated.
During the attack, the hackers remotely switched breakers, most likely using legitimate credentials acquired beforehand to gain remote access. The companies stated that the hackers wiped some systems by executing the KillDisk malware, which erases selected files on targeted systems, rendering them inoperable.
ICS-CERT’s investigations have confirmed the findings released months ago by multiple private cybersecurity and research firms. For example, US cybersecurity intelligence firm iSight Partners published a blog post in early January stating, “After analyzing the information that has been made available by affected power companies, researchers, and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine.”
iSight’s blog post continued, “As a community the power industry is dedicated to keeping the lights on. What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards they may face. We need to learn and prepare ourselves to detect, respond, and restore from such events in the future.”
Although iSight and other security researchers believe “Sandworm Team,” a suspected Russian advanced persistent threat (APT) group known for spreading BlackEnergy malware via spear phishing, was behind the attack, DHS did not confirm attribution.
“A cyber attack of this nature is a milestone – although a predictable one,” iSight’s blog post stated. “The aggressive nature of Sandworm Team’s previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attack. Targeting of critical entities in Ukraine throughout 2015, during a time of war, further presaged a desire to disrupt infrastructure.”
ICS-CERT said each company reported being infected with BlackEnergy malware, but the role of the malware in the attacks has not been confirmed. ICS-CERT explained, “It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated.”
Suspected of being the first successful cyber attack on public utilities, the Ukrainian blackout serves as a disturbing reminder of the vulnerability of critical infrastructure, globally and within the United States. In light of the Ukraine attack, security experts are growing increasingly fearful that critical infrastructure, especially supervisory control and data acquisition (SCADA) systems, could be targeted in the US and elsewhere.
Concerns over an attack on industrial control systems in the US are far from unwarranted. Homeland Security Today previously reported in November 2014 that a sophisticated malware campaign using a variant of the BlackEnergy malware compromised numerous industrial control system environments in the US.
The ICS-CERT bulletin warning of the malware campaign indicated that no attempt had been made to activate the malware to “damage, modify or otherwise disrupt” the industrial control process. However, if unleashed, the malware could have shut down important elements of the nation’s critical infrastructure, including pipelines, nuclear power plants, wind turbines, and water treatment plants.
Although investigations have yet to uncover the intent behind the infiltration of US critical infrastructure by BlackEnergy malware, the Siemens system involved was the same software targeted by Stuxnet, the computer worm that ravaged Iran’s Natanz nuclear facility in 2010. Stuxnet has become notorious in the security community as a harbinger of a new era of highly sophisticated state-sponsored attacks on industrial control systems.
On the heels of the Ukrainian blackout, it is crucial that US government and industry use this opportunity to collaborate in exploring new ways to ensure the nation is adequately prepared for, and able to respond to, an attack on industrial control systems.
How will the US respond when the lights go out here? Only time will tell.