Cybersecurity experts examine the Ukraine power company attack for answers, to keep the lights on in the U.S. and around the world.

You turn your lights on and off with the flip of a switch. Cybersecurity experts are trying to make sure the control of that switch does not go to someone else—like the cyber invaders who reportedly took down one power company and attacked others in Eastern Ukraine.

The attack could be a “warning salvo” from the invaders, said Andrew Mazurek, a Toronto-based cybersecurity professional.

“See what happens when you mess with us,” he explained.

Experts don’t want to wait to see.

Researchers, including Robert M. Lee from the SANS Institute, are trying to figure how attackers may have actually caused a power outage through cyber means, possibly by using malware to get inside the power companies.

“If the analysis and follow on information is validated about the malware and attack, then this will also be a significant event for the international community,” Lee wrote in a blog post. “The precedence that this event sets is far-reaching, past the security community, and will need to be analyzed and understood fully.”

Who is next?

Experts say if the attackers were indeed successful in shutting down power, they may try to hit more power targets.

“What has happened to one energy company can happen to another,” said Marina Krotofil, an independent industrial control system (ICS) security researcher.

Anton Cherepanov, a malware researcher at ESET who says he has discovered cyber weapons used in the Ukraine power company attacks, said other utilities in the same area could become targets.

“This group of attackers is focused on Ukraine,” Cherepanov told Archer News. “I think that energy companies in Ukraine are at more risk than others.”

Mazurek says the attacks could extend beyond the borders.

“Poland in particular, due to the current political situation in Poland (new government that is not Russia-friendly) and close ties to Ukraine,” he said.

Utilities in other countries need to take note as well, experts say.

“I think it is a good time for the other power distribution companies—and other utilities—to check their networks for strange ‘items’ in their traffic,” Krotofil told Archer News.

“ICS (industrial control systems) facilities around the world need to take an active defense approach to monitoring ICS networks and responding to threats,” said Lee.

ESET has provided some analysis to help in checking systems/networks. 

Lack of information

Crucial information on the attacks from the victims themselves may not be so easy to find.

Cybersecurity experts in the Ukraine are not getting enough information about what happened, said Krotofil.

“This illustrates either negligence of the local political power who should be responsible for establishment of information sharing or intentional lack of such policies,” she said.

Initial information about the power company attacks came from news reports by TCN, a Ukrainian news service, and cited information from the Ukrainian government.  

“Sources for the story include the Ukrainian state security agency, the SBU,” said Brandon Workentin with EnergySec. “The Ukrainian government, though, is in a high-profile dispute—to put it mildly—with Russia, so comments from the Ukraine government need to be read with an understanding of that conflict.”

“At the same time, the people involved in the response are not incentivized to provide clear reports on what happened to the larger industrial control system security community,” he added.

That could hamper understanding of the attack, Workentin said.

“The company and the government will want to share what helps drive their narrative and objectives, not necessarily what could be useful in adding to the security community’s base of knowledge,” he said.

Moving forward

Researchers are making progress in understanding the attack, even without the full panoply of information.

Cherepanov, with ESET in the Slovak Republic, said the attackers used BlackEnergy and KillDisk, malware that he said would allow them entry into the energy companies and possibly the opportunity to sabotage the industrial control systems.

Cybersecurity experts are trying to determine if this was an actual attack, or some sort of accident.

“We’re seeing evidence that the malware was uploaded to VirusTotal from the Ukraine around the right time for this attack,” said Patrick Miller of Archer Security Group. “It adds plausibility that this is a legitimate attack on the utility. It just doesn’t have the indicators of an ‘accidental’ malware incident.”

Lee said the world-wide community is working together.

“There is a lot of great analysis going on in the community by a number of companies, government organizations, and individual researchers,” he said.

“Each have been contributing some unique aspects to the analysis. Defenders must always work together like this and build off of each other’s strengths. Information sharing in this manner is critical to security,” he added.

Expect new information on the incident and new warnings from the U.S. government soon.