More Signs Point To Cyberattack Behind Ukraine Power Outage

Published: 22/11/2024   Category: security




KillDisk and BlackEnergy were not the culprits behind the power outage -- there's still a missing link in the chain of attack.



MIAMI, FL -- S4x16 -- There's still no smoking-gun malware, but security researchers here today said that, based on their latest analysis, a cyberattack indeed caused the recent power outage in the Ukraine. It was either via a piece of malware that has not yet been found or publicized, or the attackers achieved the shutdown via remote access to control systems, they said.
John Hultquist and Sean McBride of iSIGHT Partners here today presented their latest findings on the December 23 attack that knocked out power in western Ukraine and spurred a wave of speculation and hot debate over whether the attack was the second confirmed cyberattack on a critical infrastructure system, with Stuxnet as the first.
"Did a cyberattack cause a power outage in the Ukraine? My answer is yes," McBride said in the presentation. But both Hultquist and McBride note that their conclusion is based on what they know, and there's still plenty that we don't know.
The power blackout on December 23 in western Ukraine has split security experts over whether malware indeed was used to knock the grid there offline. Ukraine's SBU state security service called out Russian hackers as the culprit, but security researchers have debated whether the malware involved, the notorious BlackEnergy backdoor, could have been repurposed or packaged with other malware to pull off the second confirmed outage via cyberattack.
iSIGHT in its latest research points to the denial-of-service attack on the Ukrainian utilities' telecommunications systems, which hampered response and triage after the outage. Some 27 power distribution operation centers were hit in the attack, which affected three utilities, they said. And McBride confirmed that KillDisk, the disk-wiping malware used alongside BlackEnergy in the attack, did not cause the power outage. KillDisk erased files on control and non-control systems, forcing the utilities to go into manual-control mode.
"The key reason I believe [it was a cyberattack] is the scale of the outage: geographically dispersed regions and dozens of substations affected," McBride said. A physical attack to wreak such damage would have required quite a few people across those regions to pull it off, he said.
ICS/SCADA security experts here were intrigued by iSIGHTs latest analysis but remain perplexed by the lack of a smoking gun to confirm a cyberattack. Was it truly a custom strain of malware that executed the outage? A remote access attack that gave them access to a control system? Or malicious insiders onsite?
"We still don't know if a cyberattack caused the attack," says Ralph Langner of The Langner Group. "I would think the Ukraine would be more than happy if a company tells the world this was a cyber-physical attack from Russia."
Langner says a remote attack -- versus malware -- would not be so simple, however: "If you have access to an HMI [human machine interface], I don't believe you would be able to turn down every single substation. There must be protective logic in those systems," he says.
In an interview, iSIGHT's Hultquist said the attackers also could have jumped the air gap of the critical systems at the distribution centers. There were sophisticated spear-phishing emails used in the attack, which doesn't fit with a malicious insider, he notes.
It's the DoS attack on the telecom systems that makes malware a more realistic culprit in the outage, says Robert M. Lee, a SANS instructor and ICS/SCADA expert. "The piece I would be cautious about taking there is that's a causal relationship between BlackEnergy 3 and a power outage," Lee says.
Lee says the coordinated nature of the attack is telling: "It was a coordinated takedown of those facilities, so an onsite malicious insider theory doesn't make sense," he says.
"If you're doing it onsite, you don't need a remote adversary DDoSing the phones. The DDoS gives a lot of credence that BlackEnergy and a remote adversary had a part in that," Lee says. Between the DDoS and KillDisk wiping the machines, the Ukrainian utilities were blind to the blackout when it first occurred, he says.
"There are many things we don't know yet. We don't know how KillDisk made it to its targets. We don't know what code initiated the outages," McBride said. "We don't know what the adversary's objectives were."
What is clear is that energy is a key element of the Ukraine-Russia conflict, he said. Some 80% of natural gas to the Ukraine comes from Russia, and the Ukraine supplies 70% of power to Crimea. And Russia has an interest in the natural gas reserves off the coast of Crimea, he said.
In many ways, the writing was on the wall given the ongoing conflict, he said.
Researchers at ESET initially posed the theory that BlackEnergy may have been used in the attack. But earlier this week, the security firm released more details to dispel what it called misinterpretation and speculation in the wake of its research on the malware in the Ukraine incident.
“Analyzing the malware, we’ve shed some light on an operation against the Ukrainian energy sector but what we know is only a small piece of the puzzle,” says Robert Lipovsky, a senior malware researcher at ESET. “Many questions have been left unanswered.”
Specifically, media reports that attributed the malware to the outage itself went too far, he says. "Unfortunately, things are not clear enough to reach such simple conclusions. But it is true that the BlackEnergy Trojan, together with an SSH backdoor and the destructive KillDisk component, which were all detected in several electricity distribution companies in Ukraine, are a dangerous set of malicious tools theoretically capable of giving attackers remote access to a company's network, shutting down critical systems and, by wiping their data, making it harder to get them up and running again," he says.