Cyberattack on Ukraine grid: here’s how it worked and perhaps why it was done


On December 23, 2015, two days before Christmas, the power grid in the Ivano-Frankivsk region of Ukraine went down for a reported six hours, leaving about half the homes in the region with a population of 1.4 million without power, according to the Ukrainian news media outlet TSN.

It reported that the cause of the power outage was a “hacker attack” utilizing a “virus.” Outages were caused when substations – devices that route power and change voltages – were disconnected from the grid, TSN said.

There have been a handful of documented attacks on the power grid and control systems of energy systems, such as oil refineries. But this cyberattack in Ukraine counts as only the second or third to successfully derail power delivery using a software-based attack.

Because of its success, the incident has sent shock waves through cybersecurity circles. How was this attack carried out? And could something similar happen in other countries?

Stuxnet to BlackEnergy

Cyberattacks designed to take out the power grid have been a big concern of security specialists for many years.

Much of the concern has been focused on potential attacks on the control systems, called Supervisory Control and Data Acquisition (SCADA) systems, on which power grids are highly dependent for safe, reliable and secure operation. SCADA systems also provide critical data for operations, automation and remote control.

An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National LaboratorySecurity experts have been parsing the details of the Ukraine attack to see what exactly caused the outage, how and why.Jim Urquhart/Reuters

Some computer worms have been specifically designed to attack the types of control systems commonly found in power utilities. The most well-known is called Stuxnet, which was used to compromise Iran’s uranium enrichment facilities. But a variety of similar worms have been developed that experts have feared would be used to bring down the power grid.

While the Ukraine outages were reported to involve only one utility, Prykarpattyaoblenergo, evidence of computer malware known as Blackenergy was identified at that utility and two other regional utilities. Samples of the suspect code have since been studied, and various security companies, including iSight Partners, EBET, and SANS-ICS, have verified that it contained elements of the Blackenergy malware.

The BlackEnergy malware is generally associated with a group referred to as Sandworm, which is believed to be based in Russia. It is not clear if Sandworm has an association with the Russian government.

Growing sophistication

BlackEnergy started as a malware system for launching denial-of-service (DoS) attacks, which are designed to prevent legitimate users from accessing a server by any one of a number of possible mechanisms. BlackEnergy has since evolved into an effective system for data exfiltration, or the unauthorized transfer of data from a computer. Such a transfer may be manual and carried out by someone able to access the computer, or it may be automated and carried out through malicious programming placed on the computer being attacked.

About two years ago, a new version of BlackEnergy began to appear with new functions that included stealing passwords, covertly taking screenshots, gaining persistent access to command and control channels and destroying hard drives.

More recently, security software maker ESET found evidence of several new features, including a wiper component dubbed KillDisk. A wiper is software designed to erase portions of a disk and can be used to cover up evidence of an attack. In the Ukraine attack, it is not clear if Blackenergy was used, but some of its components were present; in particular, there is evidence of KillDisk.

Some experts contend that this may not technically have been be a cyberattack. The malware allowed attackers to manually intervene in the grid’s operation; by contrast, the Stuxnet software inflicted damage on industrial machines as was.

Regardless, there was a sophisticated attack that required coordination of different types of malware, which appear to have enabled the attack.

Worries over disabling nuclear plants

The Ukrainian power grid has several attributes that cause some special concern.

The bulk of the power production at any time is provided by nuclear power plants, which provide most of the steady “baseload” power to supply electricity through most of the day.

To meet fluctuations in demand – for instance, increases in power use in the morning as people begin their day – grid operators in Ukraine primarily rely on coal power plants. They do not have many avenues to import power from other countries to meet spikes and dips in demand.

image-20160115-7365-5qp58hSoviet-era nuclear power plants provide the bulk of the baseload, or steady, round-the-clock power, in Ukraine. A major outage could cause problems at these plants, including cooling the reactor cores. paszczak000/flickr, CC BY-SA

This situation means that if an cyberattack causes a power outage, Ukraine grid operators may not be able to respond rapidly enough and export an excess in the flow of power, which would lead to grid instabilities and the need to shut down nuclear reactors.

There is also the issue of cooling of reactors in the event of a power outage. The cooling pumps in the nuclear reactors in Ukraine are dependent on AC power input from the grid, thereby making them susceptible in the event that backup diesel generators cannot be started.

Broader concerns

Could this happen in the West? In short, yes. U.S. utilities use software products from various major vendors which have been the targets of a Sandworm BlackEnergy campaign.

Thus far, there doesn’t seem to have been any financial benefit from the attack. What’s more, when attackers use malware, they expose their methodology, which makes it possible for security people to develop protections for that line of attack. So we have to wonder what they had to gain from the exercise.

If they have nothing to gain in the short term, like robbing banks while the grid is down, did they gain valuable experience for their next, more effective attack?

The ability to hack into a utility to throw switches (breakers) at substations, as was done in Ukraine, opens up the possibility of more serious types of attacks, as was demonstrated by the Aurora Test. In that controlled experiment, circuit breakers associated with a generator were opened and closed using software in a way that resulted in permanent damage to equipment.

While it’s hard to know the attackers’ intentions for sure, it appears likely that the Ukraine power grid was attacked with at least the help of the BlackEnergy malware, increasing the technological potential for disrupting power grids in general.

This incident underscores the need for diligence and the increased effort in cybersecurity that we are seeing in the government and private sectors. The continuously increasing dependence on the power grid is driving the need for cybersecurity to be part of the design of all new systems.


About Author

Leave A Reply