Cyber experts are trying to determine the cause of a large power outage in Western Ukraine that could have implications world-wide.

It may have started with a simple e-mail. It could end up as a ground-breaking case of a cyber attack that crippled a power company for hours and left hundreds of thousands of people in the dark. And a malware researcher in Eastern Europe says he has uncovered some of the cyber intruders’ tools and strategies.

Anton Cherepanov with ESET in the Slovak Republic told Archer News that his company detected an attack on one of its clients, an electricity distribution company in Ukraine, on December 23. 

The weapons of choice?

“We discovered that attackers used BlackEnergy and KillDisk malware in this attack,” he said.

BlackEnergy is a kind of malware used in attacks in Poland and Ukraine in 2014 and 2015, according to a post by Cherepanov on WeLiveSecurity. 

It has also been used to try to attack NATO, the White House, and a number of industrial control systems operators in the U.S., reported Help Net Security.

Attackers can use BlackEnergy to get inside a system, according to another WeLiveSecurity post.

KillDisk is newer, documented for the first time in November in an attack on Ukraine media organizations that destroyed video files and documents, he said.

“The main purpose of this component is to do damage to data stored on the computer,” said Cherepanov. “It overwrites documents with random data and makes the OS (operating system) unbootable.” 

A bad day for Ukraine power companies

The Ukraine power company served by Cherepanov was not the only company under attack that day, December 23.

That evening, the power company for another region, Ivano-Frankivsvk, went dark. Ukrainian news company TCN reported that the cause was a hack attack.

Cherepanov told Archer News that he believes the attack weaponry was the same.

“We can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage in the Ivano-Frankivsk region,” he said.

KillDisk can go above and beyond just deleting files, as it did in the incident involving Ukrainian media, said ESET in a press announcement.

“In addition to being able to delete system files to make the system unbootable – functionality typical for such destructive trojans – this particular variant contained code specifically intended to sabotage industrial systems,” the announcement said.

Did KillDisk trip the switch?

A cybersecurity expert says there is more to this attack.

“I do not believe the KillDisk component caused the outage,” said Robert M. Lee with the SANS Institute, who is looking into the power outage and reported cyber attacks. “This looks more akin to a cleanup module after the attack. I feel that it is part of the overall adversary effort, but did not lead directly to the impact.”

That means a key question remains, and the answer could affect power companies—and power customers—everywhere.

“We are missing the piece of what actually caused the impact,” said Lee.

“There are a number of theories, but they are all speculation at this point,” he added. “My preferred theory so far is that the malware was just used to gain access for the attacker, who then could have manipulated the systems once they gained access, such as manipulating an HMI (human machine interface).”

The human machine interface is the workstation the system operators—people who control the grid—use.

Lee said many good researchers are looking into the situation, but it will take time to find out exactly what went wrong.

Weapons of destruction

Cybersecurity experts say the information coming out on the attack weaponry is cause for concern.

“The most concerning thing in the appearance of BlackEnergy—outside of the Ukraine, anyway—is that while earlier attacks involving industrial control systems did nothing beyond collecting information about those systems, this incarnation reportedly contains code that erases certain control system programs,” said Patrick Coyle with Chemical Facility Security News.

“Destroying control systems can have potentially dangerous cyber-physical implications beyond just temporarily shutting down portions of the grid,” he explained. “Some moving equipment that does not shut down properly, like you would typically see in a power outage, can be severely damaged by erasing the controls.”

Another expert said this incident underscores the extraordinary level of sophistication of malware, and how even already-known trojans can evolve into something even more dangerous than before. 

“The apparent infection vector used in this, and similar attacks, was Microsoft Office files with malicious macros,” said an anonymous former CIA cybersecurity expert. “A spear-phishing email is sent out that contains an attachment with a malicious document. When a victim is tricked into opening the e-mail, their computer becomes infected.”

He said power companies need to take heed of this attack.

“This is a stark reminder of the attractiveness of industrial control systems to cybercriminals, and should be a loud warning bell to the energy industry here in the US and globally, to take cyber security more serious than ever before,” he said.

Protecting the grid

The power companies affected have already made forward progress, Cherepanov said.

“I think victims learned a lot from this attack,” Cherepanov told Archer News. “Now they are better prepared.”

Lee said power companies can protect themselves from these kinds of attacks.

“Removing control systems from the Internet, monitoring the networks, and having trained incident responders familiar with ICS (industrial control systems) would go a long way in terms of security,” Lee said.

“Right now, the focus should be on the defense lessons and the fact that there is an active threat that has demonstrated a willingness to cross that threshold into bringing down operations,” he added. “No reason to ring alarm bells, but very important to take a mature approach to securing ICS.”

This is one part of a multi-part series on the Ukraine power company cyber attacks. Look for more stories here at Archer News.