Ukraine Power Outage Demonstrates Infrastructure Vulnerability

The night before Christmas Eve, the Ivano-Frankivsk region in western Ukraine, an area the size of Connecticut, experienced a power blackout due to what was later identified as a cyberattack. The attack was said to have targeted the power company Prykarpattyaoblenergo, and affected at least 80,000 people, which is approximately half of the region’s population.

Check Point recently released a report on the vulnerability of critical infrastructure, and the attack on the Ukrainian power grid shows just how real that threat is. Experts have often discussed this issue in the past, but until now those discussions had not been matched by a publicly confirmed incident.

The attack is said to be linked to the BlackEnergy malware, which appeared in attacks as early as 2007. The hacker organization believed to be using this malware is Sandworm, an APT group allegedly connected to Russian cybercriminals. The group has targeted electric companies in the past in order to steal data, but never in order to cause a blackout.

Why is this attack significant?

This attack is the first proven cyberattack to successfully damage electric utilities. This incident demonstrates the potential implications of an attack on critical infrastructure. It is crucial for all countries to provide adequate protection for their infrastructure due to the significant risk of this attack being replicated by hackers elsewhere around the world.

The potential damage these types of attacks pose is unlimited, and can affect every aspect of the daily life of each and every citizen. Imagine an attack that would shut down a whole country’s water supply, take over a nuclear reactor or derail trains full of passengers. The consequences could be catastrophic.

How the attack was executed

According to ESET, the malware infiltrated the network through a spear phishing email attack. As published by CyS Centrum, emails disguised to look as if they were sent from the Ukrainian parliament were delivered to the company. The emails carried a PowerPoint file with an embedded macro. Once the file was opened, users were tricked into allowing the macro to execute, which let the malware infect the computers.

One possible way to combat this sort of attack, aside from being very careful and avoiding suspicious emails, is to use the SandBlast Threat Extraction capability, which removes macro commands from incoming files. This measure can tip the scales against spear phishing attacks, which commonly deceive users.
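As an added illustration of the macro-stripping idea behind Threat Extraction (example code written for this page, not Check Point's product code), the following Python inspects an OOXML package such as the .pptm attachment described above, reports whether it carries a VBA project, and writes out a copy with the project and the two package entries that reference it removed. The sample package is constructed inline, with a placeholder standing in for real macro code.

```python
"""Inspect an OOXML Office file (pptm/docm/xlsm) for a VBA project and emit a macro-free copy."""
import io
import re
import zipfile

# Paths where PowerPoint, Word and Excel keep the VBA project inside the OOXML zip package
MACRO_PARTS = ("ppt/vbaProject.bin", "word/vbaProject.bin", "xl/vbaProject.bin")


def parts(data: bytes) -> dict[str, bytes]:
    """Return every part of the OOXML package as {name: content}."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def find_macro_parts(data: bytes) -> list[str]:
    """Names of any VBA project parts present; a non-empty list means the file carries macros."""
    return [name for name in parts(data) if name in MACRO_PARTS]


def strip_macros(data: bytes) -> bytes:
    """Rebuild the package without the VBA project, its [Content_Types].xml override
    and the relationship entry that links the main document part to it."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, body in parts(data).items():
            if name in MACRO_PARTS:
                continue  # drop the macro payload itself
            if name == "[Content_Types].xml":
                # removes e.g. <Override PartName="/ppt/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>
                body = re.sub(rb"<Override[^>]*vnd\.ms-office\.vbaProject[^>]*/>", b"", body)
            elif name.endswith(".rels"):
                # removes e.g. <Relationship Id="rId9" Type=".../relationships/vbaProject" Target="vbaProject.bin"/>
                body = re.sub(rb"<Relationship[^>]*vbaProject\.bin[^>]*/>", b"", body)
            dst.writestr(name, body)
    return out.getvalue()


def build_sample_pptm() -> bytes:
    """Constructed, minimal pptm-shaped package whose VBA part is a placeholder, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types><Override PartName="/ppt/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        zf.writestr("ppt/_rels/presentation.xml.rels", '<Relationships><Relationship Id="rId9" '
                    'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
                    'Target="vbaProject.bin"/></Relationships>')
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        zf.writestr("ppt/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()
```

The two regular expressions are deliberately narrow to the vbaProject entries so that the rest of the package (slides, relationships, content types) reaches the user untouched.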

Once inside the network, the BlackEnergy Trojan spread and eventually caused the blackout. Two key components from the attack details published by ESET are worth a closer look:

  1. SSH backdoor – SSH servers accept connections from remote computers. The attackers ran an SSH server containing a backdoor, which let them return to the network whenever they pleased by entering a password hard-coded in the server's binaries.
  2. KillDisk component – this is not a new component; it was used to destroy file data in previous BlackEnergy attacks. However, according to ESET this is potentially the component that caused the blackout, since it contains functionality to terminate two unusual processes. At least one of these might be connected to the ICS (Industrial Control System) that controls the power grid.

Be that as it may, it is possible that we are only seeing part of the kill chain. Some researchers say that the KillDisk component alone is unlikely to have been able to cause the blackout. KillDisk also erases Windows event logs, allowing the attacker to hide additional processes that might have been the real cause of the blackout.

Finding attack vectors against infrastructure and other IoT targets is getting much easier today, using sites such as Shodan, a scanner that indexes systems connected to the Internet, including critical infrastructure. The scanner can provide the physical location of a device, its IP address and in some cases even what software is running on it.

Check Point has recently released a threat alert regarding this issue, and provides IPS protections against such threats.

In the case of the recent attack, pictures of the equipment from inside the power grid were published online. It remains unclear whether the pictures are connected to the attack; however, this kind of intelligence could be very valuable to an attacker.

This attack highlights the vulnerability of critical infrastructure, and is likely to be imitated in the future. The potential consequences of this type of threat require companies and countries to improve the protection of their critical infrastructure as soon as possible. Check Point recently conducted a test comparing several vendors that provide such protection. We encourage you to view the results of this test.