In December 2015, the network of a Ukrainian regional control center was attacked with malware, and the government believes Russia is the culprit.
A section of Ukraine went dark on December 23, and the country's SBU security service was quick to blame Russia for the power failure. The Ukrainian power company maintains that the outage was temporary and was not entirely the result of physical sabotage but was caused by a cyber-attack.
Ukraine also immediately opened an official investigation to establish the root cause of the outage.
As details emerged, it was identified that the regional control center's network was infected with malware. If this malware is confirmed as the cause of the blackout, it would support Ukraine's allegations.
More importantly, it also signals that electric grids and industrial control systems (ICS) are genuinely vulnerable to cyber-attacks.
A week after the power outage, Robert M. Lee, a former US Air Force cyberwarfare operations officer and founder/CEO of the security firm Dragos, told Motherboard:
“The fact that malware was recovered from the network at all, and the fact that it’s newer, gives a high confidence assessment that the cyber attack on Ukraine was legitimate.”
According to Lee, the malware was unique and was not something that could be found at random on grid networks.
In his blog post, Lee wrote:
“The malware is a 32 bit Windows executable and is modular in nature indicating that this is a module of a more complex piece of malware.”
Lee passed the sample he had to Trend Micro's senior threat researcher Kyle Wilhoit, who stated that the malware was equipped with a wiping function. The sample was also shared with Jake Williams, founder of Rendition Security and a SANS instructor, who was of the opinion that:
“The resolution of APIs that are not used elsewhere in the code probably means that some of the code was borrowed from another program.”
Williams found that the malware had a code base to which further modules could be added.
Lee's blog post prompted other researchers to publish their own findings on the incident; ESET analysts, for example, claimed that the malware found on the Ukrainian grid network was actually BlackEnergy.
Sandworm, an infamous Russian hacking group, is particularly fond of BlackEnergy and has targeted ICS and power facilities in the past, so it is quite possible that the same group is behind the latest attack.
However, nothing can be stated with full certainty because of the lack of proof, as Lee states:
“The BlackEnergy malware has been in existence since 2007 and lots of different actors have used it. People are saying that this piece of malware is linked to BlackEnergy. I can buy that, and there is some good analysis to say that is likely true. But just because the BlackEnergy malware was used, does not mean that it’s linked at all,” to this group.
So, the crux of the matter is that hackers, possibly from Russia, attacked Ukraine's power supply plant and caused a temporary outage in certain sections of the country.
The attackers probably compromised the control center's digital control panel and accessed it remotely. Others speculate that, since BlackEnergy can wipe data, it was installed to steal information from the electric grid system.
This is not the first time Russian hackers have been accused of targeting Ukrainian infrastructure. In March 2014, Ukraine's telecommunication system was hit by cyber-attacks that led to mobile network interruptions in the country.