By Rich Heidorn Jr.

Sometime last spring, employees of three Ukrainian electric distribution companies opened Microsoft Office files infected with BlackEnergy 3 malware. It was the beginning of a six-month campaign of reconnaissance and testing that culminated Dec. 23 with an outage that knocked out power to 225,000 customers for several hours.

The story of the cyberattack — the first publicly acknowledged assault to cause power outages — was spelled out in riveting detail in a report released last week by NERC’s Electricity Information Sharing and Analysis Center.

The Security Service of Ukraine blamed the attack on the Russian government. But the report, the product of NERC’s E-ISAC and the SANS Institute, focused on the methods of the attack and not on identifying the attackers.

Based on a summary of publicly available information and analysis performed by the SANS Industrial Control Systems unit, the report contains recommendations for defending grid operations.

The report’s authors express also grudging respect for the expertise of the hackers. “The strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long‐term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack,” the report said.

Spear Phishing

The report estimates that the blackouts came more than six months after the initial penetration of the companies, when employees in the administrative or information technology networks of the electric companies opened Microsoft Excel and Word documents from spear phishing emails.

The employees enabled macros in the files that allowed the installation of BlackEnergy 3 malware on the companies’ systems, providing access to command and control Internet Protocol addresses.

After gaining a foothold in the companies’ IT networks, the hackers were able to obtain credentials that gave them access through virtual private networks (VPNs) to the industrial control systems (ICSs). The report said the hackers demonstrated expertise in network-connected infrastructure and in operating the ICSs.

They used “rogue” client software and a “phantom” mouse to highjack the supervisory control and data acquisition (SCADA) systems remotely, taking control of operator workstations and locking the operators out of their systems.

Kyivoblenergo, a regional electricity distributor in Ukraine, was one of the three “oblenergos” (energy companies) attacked. Beginning about 3:35 p.m. on Dec. 23, the hackers took remote control of the company’s SCADA distribution management system, disconnecting seven of its 110-kV substations and 23 35-kV substations for three hours and cutting off power to about 80,000 customers.

Similar attacks on the other two companies, executed within minutes of each other, blacked out an additional 145,000 customers.

Burning the Bridges

KillDisk software was used to erase the master boot record of the companies’ systems and delete some logs, preventing the companies from using the ICSs to restore the system. The attackers also uploaded malicious firmware to serial‐to‐Ethernet gateway devices, ensuring that even if the operator workstations were recovered, remote commands could not be used to bring the substations back online.

“This means that the attacker ‘burned the bridges’ behind them by destroying equipment and wiping devices to prevent automated recovery of the system,” the report said.

The attackers also generated thousands of automated phone calls to the call center of one of the companies — a version of a denial-of-service attack — to hamper communications with customers.

With their computer systems compromised, field staff went to substations and manually reclosed breakers, restoring all of the customers to service in three to six hours.

“It is important to note that there are risks operating your system without the benefit of an automated dispatch control center, and utilities that are more reliant on automation may not be able to restore large portions of their system this way,” said Michael Assante, SANS Institute director of ICSs and one of the report’s authors, in a January blog post. “In many ways, the Ukrainian operators should be commended for their diligence and restoration efforts.”

Missed Opportunities

While the report’s authors found the companies’ restoration admirable, they had plenty to criticize, saying the utilities missed opportunities to detect the intrusion during the months of reconnaissance and testing that preceded the attack.

According to the report, the companies’ firewalls allowed the adversaries to exercise remote control, and the VPNs from their business networks into the ICSs appeared to lack basic two‐factor authentication; think cash machines, which require both a bank card and a personal identification number.

The companies also appeared to lack the capability to continually monitor their ICS networks for increased traffic that could indicate rogue firmware updates, the report said. “In a prolonged attack campaign, there are likely numerous opportunities to detect and defend the targeted system.”

Why the three oblenergos were targeted is unclear, but John Hultquist, director of cyberespionage analysis for computer security firm iSight Partners, said he believes the attacks were the work of hackers aligned with the Russian government. He told The Washington Post that there are links between the malware used in the attacks and a cyberespionage campaign against NATO and Western European governments by a group of Russian hackers iSight named “SandWorm.”

iSight said it has documented SandWorm infiltrations of Ukrainian government computer systems and telecommunications and energy companies since 2014, when Russia annexed Crimea in support of separatists in eastern Ukraine.

Recommendations

The report concludes with a number of recommendations, including eliminating unnecessary VPN pathways and developing “cyber blackstart” capabilities. But it warns that “it is likely that the adversary will modify attack approaches in follow‐on campaigns and these mitigation strategies may not be sufficient.”

Some analysts were initially skeptical of the Ukrainian government’s claims that the outages were the result of cyberattacks. “ICS organizations frequently have reliability issues and incorrectly blame cyber mechanisms such as malware found on the network that is unrelated to the outage,” the report said.

In this case, however, the report’s authors had no doubt about the credibility of the government’s and utilities’ claims. It also ranked the technical information available a 4 on a scale of 5, citing the availability of malware samples, observable ICS impacts, technical indicators and firsthand interviews.

The attack marks “the first time the world has seen this type of attack against [operational technology] systems in a nation’s critical infrastructure,” the report said. “This is an escalation from past destructive attacks that impacted general‐purpose computers and servers (e.g., Saudi Aramco, RasGas, Sands Casino and Sony Pictures).”

The report said there was nothing about Ukraine’s infrastructure that made it uniquely vulnerable.

“The impact of a similar attack may be different in other nations, but the attack methodology, tactics, techniques and procedures observed are employable in infrastructures around the world.”