New attack on Ukraine airport? Not so fast

Reports point to a new attack on Ukraine’s largest airport, but cybersecurity experts say there is more to the story.

It is the capital city’s main airport, moving most of Ukraine’s passengers, and it is even featured in a popular song by one of Ukraine’s most popular artists.

But was Boryspil airport attacked by cyber invaders last week?

You might think so, if you listened to some of the voices speaking loudly about malware found on the airport’s computer system.

“Specialists of the State Service of Special Communications prevented a possible hacker attack by Russia,” said military spokesperson Andriy Lysenko at a briefing on Saturday, according to Interfax-Ukraine.

“Yesterday, the communications specialists established that one of the workstations at the Boryspil airport was infected by BlackEnergy virus. The PC was disconnected from the airport’s network, and the experts from the CERT-UA [computer emergency response team for Ukraine] group were informed on the incident,” he added.

The malware BlackEnergy was also identified after the power outages at Ukraine power companies on December 23.

But the malware itself isn’t new. Is the attack?

“Did they really discover a newly-initiated attack, or did they discover an infection because they started looking for it in consequence of recent events (massive infections of multiple organizations, including power distribution companies)?” asked Marina Krotofil, a Ukrainian-born independent industrial control systems researcher in Germany.

Not really new?

The possibility of a BlackEnergy infection at the airport came to light before last Friday. A Kiev-based cybersecurity company, CyS Centrum, released a report on January 6, saying the airport had been a BlackEnergy target.

“We’ve already said that KBP [Boryspil’s airport code] was infected,” Koval told Archer News today.

Koval said Boryspil may actually have been infected with BlackEnergy a long time ago.

“It’s just another malicious sample found in the network of targeted organizations,” Koval said. “We’ve seen also back in 2014 that government enterprises responsible for air traffic management were affected, along with government and banks.”

Koval said the discovery of the malware at the airport may be being used to gain political ground.

“There is so much noise because someone wants to add more resonance to this case, some political ‘shade,’” he said.

Who did it?

Lysenko, the military spokesperson, connected the incident to Russia.

“The control centre of the server, where the attacks originate, is in Russia,” he told Reuters.

But some cybersecurity experts say there is not enough information to identify the real origin of the attackers.

“The location of the C&C [command and control] server in Russia (Russian IP) does not prove the source of the attack as being Russian,” said Krotofil.

“Phrases about C&C in Russia are B.S.,” said Koval. “They are talking without knowledge of what they are talking about.”

“The geopolitical context and timing of the story is interesting and definitely something to watch,” said Robert M. Lee with the SANS Institute. “However, I would caution anyone from jumping to conclusions just yet.”

He said it can be hard to track down the real people responsible for a cyber attack.

“Attribution is very difficult to achieve and isn’t something that can be obtained from a single command and control server’s IP address,” he explained.

“In addition, we haven’t yet seen evidence to state that any issues at the airport are tied to malware,” he added. “I’m confident people are looking into it and that the Ukrainian CERT [computer emergency response team] is doing their due diligence to get the evidence the larger community will need.”

Effects on airport & passengers

Cybersecurity experts say some kinds of malware could potentially have an impact on an airport’s computer system.

“Depending on how interconnected the networks are at the airport, affected control systems could include fuel handling, baggage handling, and air traffic control,” said Patrick Coyle with Chemical Facility Security News.

“The first and last are probably the most critical, since mixing of fuel grades could have a negative impact on flight safety, and we don’t even want to think about problems with air traffic control,” he added.

Another problem could emerge with security access, he said.

“Access control systems for the secure area of the airport could also be compromised,” Coyle said. “This could be used to allow all sorts of nefarious characters to gain access to sensitive areas.”

New alert

The malware may not be able to hide much longer, after a new alert today from Ukraine’s CERT (computer emergency response team). It recommended that system administrators check their log files and information “flows” for signs of BlackEnergy.

In addition, a government agency announced its new intentions.

“In connection with the case in Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry,” said Ukraine’s infrastructure ministry spokeswoman Irina Kustovska, according to Reuters.

Some cybersecurity experts say the ministry needs to do more.

“While this is good to hear, antivirus is only partially effective. Sneaking past antivirus can be as easy as changing some of the code in the malware,” said Patrick C. Miller with Archer Security Group.

“The most effective approach is to use Indicators of Compromise [IOCs] in conjunction with antivirus and other detection methods such as network security monitoring,” he said.
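As an added illustration of the layered approach Miller describes, here is a small IOC matcher run over constructed log lines. This is example code written for this page, not from CERT-UA or anyone quoted; the key=value log format and every indicator value are assumptions, and the indicators are placeholders, since the article publishes no real BlackEnergy IoCs.

```python
import re
from collections import defaultdict

# Placeholder indicators, constructed for this example; none are real BlackEnergy IoCs.
IOCS = {
    "dst": {"203.0.113.45"},            # stand-in C&C address (TEST-NET-3 range, not a real host)
    "host": {"update-check.example"},   # stand-in C&C domain
    "sha256": {"0" * 64},               # stand-in file hash
}

# Constructed proxy and antivirus log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2016-01-15T10:02:11Z proxy src=10.20.30.41 dst=203.0.113.45 host=update-check.example bytes=1842
2016-01-15T10:02:13Z proxy src=10.20.30.41 dst=198.51.100.7 host=intranet.example bytes=512
2016-01-15T10:04:40Z proxy src=10.20.30.77 dst=198.51.100.9 host=news.example bytes=9031
2016-01-15T10:05:02Z av src=10.20.30.41 sha256={h} verdict=clean
""".format(h="0" * 64)

KV = re.compile(r"(\w+)=(\S+)")


def scan_logs(text, iocs=IOCS):
    """Return one hit per (line, indicator) where a log field's value is on the IOC list."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = dict(KV.findall(line))
        for field, values in iocs.items():
            value = fields.get(field)
            if value in values:
                hits.append({"line": lineno, "src": fields.get("src"),
                             "field": field, "value": value})
    return hits


def hosts_to_isolate(hits, min_types=2):
    """Internal hosts that matched at least min_types distinct kinds of indicator.

    A lone C&C IP hit shows a host talked to a known-bad address; a second,
    independent indicator (domain, file hash) is what justifies pulling it off
    the network. Note the AV line above says 'clean': signature AV and IOC
    matching catch different things, which is why they are used together.
    None of this says who operates the C&C server; attribution is separate.
    """
    kinds_by_host = defaultdict(set)
    for h in hits:
        kinds_by_host[h["src"]].add(h["field"])
    return sorted(src for src, kinds in kinds_by_host.items() if len(kinds) >= min_types)


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(h)
    print("isolate:", hosts_to_isolate(scan_logs(SAMPLE_LOGS)))
```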

Reuters said the infrastructure ministry oversees airports, railways and ports. CyS Centrum’s report said railways had also been BlackEnergy targets over the past two years.

“From what we’ve been able to gather at this point, there is apparently more to the story,” Miller said. “Some are saying that this could go back well beyond the recently disclosed ‘discovery’ of the malware at the airport.”

“Given the tensions between Ukraine and Russia, assumptions are not advised,” he added. “Until the international community can examine actual forensic evidence, any conclusions are speculation at best.”