The Crime Scene

Recollection of events (based on ):

As one worker was organizing papers at his desk that day, the cursor on his computer suddenly skittered across the screen of its own accord. He watched as it navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.

The operator grabbed his mouse and tried desperately to seize control of the cursor, but it was unresponsive. Then, as the cursor moved toward another breaker, the machine suddenly logged him out of the control panel. He tried frantically to log back in, but the attackers had already changed his password, locking him out. All he could do was stare helplessly at his screen while the ghosts in the machine clicked open one breaker after another, eventually taking about 30 substations offline. The attackers didn’t stop there, however. They struck two other power distribution centers at the same time, nearly doubling the number of substations taken offline and leaving more than 230,000 residents in the dark. And as if that weren’t enough, they also disabled the backup power supplies at two of the three distribution centers, leaving the operators themselves stumbling in the dark.

The Infiltration

The intrusion began with spear-phishing e-mails sent months before the blackout. The malicious attachments installed malware on employee workstations, giving the attackers a foothold from which they harvested login credentials; the blackout itself was the last step of a long campaign. The attack took out about 200 megawatts of capacity, roughly 20 percent of the city’s nighttime consumption. In between, the intruders performed reconnaissance, mapped the corporate network, and reached the Windows domain controllers, where they stole credentials, including the VPN accounts that gave them a route into the SCADA network.

Once inside, they reconfigured the uninterruptible power supplies (UPS) that kept the control centers running, and wrote malicious firmware over the legitimate firmware on serial-to-Ethernet converters at more than a dozen substations (the converters translate commands from the SCADA network into the serial protocols the substation control equipment understands). Bricking the converters meant that once the blackout began, operators would have no way to send remote commands to re-close the breakers.

The Attack

Sometime around 3:30 p.m. on December 23 they entered the SCADA networks through the hijacked VPN accounts and sent commands to disable the UPS systems they had already reconfigured. Before opening any breakers, they launched a telephone denial-of-service (TDoS) attack against the utilities’ customer call centers so that customers could not call in to report the outage. A TDoS attack is the telephony analogue of a DDoS: instead of flooding a web server with traffic, it floods the call-center lines with bogus calls so that legitimate callers cannot get through. Only then did they begin opening breakers.

Finally, they ran a piece of malware called KillDisk on the operator workstations to render them inoperable as well. KillDisk wipes or overwrites essential system files, crashing the machine, and because it also overwrites the master boot record, the infected computers could not be rebooted. The operators lost their view of the grid at the moment they most needed it.

The Motivation

Speculation abounds that Russia is responsible for the attack, because the Ukrainian parliament was considering a bill to nationalize privately owned power companies in Ukraine. Some of those companies are owned by a powerful Russian oligarch with close ties to Putin. It is possible the attack on the Ukrainian power companies was a message to Ukrainian authorities not to pursue nationalization.

At the end of the day, the attack on the Ukrainian electrical grid and the resulting blackout for some 230,000 customers all started with an employee opening an infected Word document that arrived by e-mail.

Other Attacks on Power Infrastructure

• In 2007 the US government’s Aurora Generator Test demonstrated that hackers could physically destroy a power generator by remotely sending what was reported as just 21 lines of malicious code.

• Stuxnet, first uncovered in 2010, specifically targeted SCADA systems and caused substantial damage to Iran’s nuclear program.

• In fiscal year 2014, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) investigated 79 hacking incidents at energy companies, down from 145 the previous year.

Lessons Learned

In this case the initial infiltration came through e-mail attachments, but the same foothold could just as easily have come through removable media or other file transfers. Whatever the delivery channel, the attacker’s objective is the same: infect a host and use it to gain a footing in the network. Although the control systems in Ukraine were reportedly more secure than some in the US, nothing at the host level stopped that first infection.
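The point above, and the observation earlier that the whole campaign began with an infected Word document, suggest the first check a mail gateway or incident responder would want: does the attachment actually carry executable content? The following is an added example, not code from the original article, and it assumes (the article does not say) that the malicious document carried a VBA macro. Modern Word files are OOXML zip archives, and a macro project lives in a `vbaProject.bin` part inside the archive, so the check inspects the container rather than trusting the file extension. The sample documents are constructed in memory so the script runs offline.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 (binary .doc/.xls) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML (zip) container, with or without a
    VBA project part. Stands in for a real .docx/.docm so the example runs
    offline; the macro part content is a placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML archive carries a VBA project (word/, xl/ or ppt/
    vbaProject.bin). Looks at the archive contents, never at the filename."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify a mail attachment for a gateway rule or an IR triage step."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        # Pre-2007 binary format: macros live in OLE streams, which this
        # zip-based check cannot see. Hand off rather than report "clean".
        return "legacy-ole-needs-ole-parser"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    if has_vba_macro(data):
        # .docx/.xlsx/.pptx are the macro-free variants, so a macro part
        # behind one of those names is a renamed .docm or a mislabelled file.
        # Escalate either way.
        if ext in ("docx", "xlsx", "pptx"):
            return "macro-ooxml-ext-mismatch"
        return "macro-ooxml"
    return "clean-ooxml"


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_doc(True)),
        ("invoice.docx", build_sample_doc(True)),
        ("report.docx", build_sample_doc(False)),
        ("old.doc", OLE_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(f"{name:14} -> {triage_attachment(name, blob)}")
```

The legacy-format branch matters in practice: a zip-based check that silently returned "clean" for a binary .doc would give exactly the false assurance an attacker wants, so the function refuses to judge what it cannot parse.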

Possible solution: Application White Listing, in which any application that is not explicitly trusted is prevented from executing on the host in the first place. Under such a policy the malware dropped by the phishing attachment would fail to run even if the user opened the document. Because the policy is default-deny, it also blocks legitimate but unapproved software, so the list has to be maintained as HMI and engineering tools are updated.
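To make the default-deny idea concrete, here is an added example (not code from the original article) that models the policy decision in Python. It contrasts a weak path-based rule ("anything under the HMI install directory may run") with a hash-based rule ("only these exact binaries may run") against a handful of constructed sample executables; the byte strings, paths and the `hmi.exe` name are stand-ins, not real artifacts from the incident. Real products such as Windows AppLocker enforce these rules in the kernel; this script only shows why the hash rule is the one that stops a dropped payload.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PathPolicy:
    """Weak form: trust anything located under an approved directory."""

    def __init__(self, trusted_dirs):
        self.trusted = [PureWindowsPath(d) for d in trusted_dirs]

    def evaluate(self, path: str, content: bytes) -> Decision:
        p = PureWindowsPath(path)
        for d in self.trusted:
            if d in p.parents:
                return Decision(True, f"{path}: under trusted dir {d}")
        return Decision(False, f"{path}: outside trusted dirs")


class HashPolicy:
    """Default-deny: run only binaries whose SHA-256 is on the approved list.
    Name, location and who launched it do not matter; only the bytes do."""

    def __init__(self, approved: dict):
        # approved maps sha256 hex digest -> human-readable label
        self.approved = dict(approved)

    @staticmethod
    def sha256(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def evaluate(self, path: str, content: bytes) -> Decision:
        digest = self.sha256(content)
        label = self.approved.get(digest)
        if label is None:
            return Decision(False, f"{path}: hash {digest[:12]} not approved")
        return Decision(True, f"{path}: approved as {label}")

    def approve(self, content: bytes, label: str) -> None:
        """Change-control step: a new build is added only after review."""
        self.approved[self.sha256(content)] = label


# Constructed sample "binaries" (stand-ins for real PE files, not real malware).
HMI_CLIENT_V1 = b"MZ hmi-client build 1.0"
HMI_CLIENT_V2 = b"MZ hmi-client build 1.1"   # legitimate update, not yet approved
DROPPER = b"MZ macro-dropped payload"         # what a malicious document writes to disk

PATH_POLICY = PathPolicy([r"C:\Program Files\HMI"])
HASH_POLICY = HashPolicy({HashPolicy.sha256(HMI_CLIENT_V1): "hmi-client 1.0"})


def compare_policies():
    """Return {case: (allowed_by_path_rule, allowed_by_hash_rule)}."""
    cases = [
        ("trusted HMI in place", r"C:\Program Files\HMI\hmi.exe", HMI_CLIENT_V1),
        ("dropper renamed into trusted dir", r"C:\Program Files\HMI\hmi.exe", DROPPER),
        ("dropper in user temp", r"C:\Users\op\AppData\Local\Temp\hmi.exe", DROPPER),
        ("unapproved HMI update", r"C:\Program Files\HMI\hmi.exe", HMI_CLIENT_V2),
    ]
    return {
        name: (PATH_POLICY.evaluate(p, c).allowed, HASH_POLICY.evaluate(p, c).allowed)
        for name, p, c in cases
    }


if __name__ == "__main__":
    for name, (by_path, by_hash) in compare_policies().items():
        print(f"{name:34} path-rule={'ALLOW' if by_path else 'deny ':5} "
              f"hash-rule={'ALLOW' if by_hash else 'deny'}")
```

The second case is the one that matters for this incident: a payload copied into a trusted directory under a trusted name sails through the path rule but is denied by the hash rule. The fourth case is the operational cost of the same property, a legitimate update is denied until someone runs the `approve` step, which is why whitelisting needs a change-control process behind it.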

Learn about Application White Listing in an upcoming article.