Analysts say the next power hack may fold in new tools and strategies.

In the action-thriller movie “Paragraph 78,” scientists in a remote underground laboratory develop a secret killer virus. In a terrible turn of events, the virus mutates, and the antidote the scientists prepared for themselves no longer works. Disaster ensues.

Like that fictional virus, the historic power hack that shut off electricity for almost a quarter of a million people in Ukraine in December may also change itself to take down new victims.

And like the movie’s antidote, current defenses may not work to keep the attackers out.

The SANS Institute has released its new report on how the Ukraine power hack occurred, and how organizations using the same kinds of controls can protect themselves. In it, analysts said companies need to prepare not only for the same kind of attack, but for attacks in new and yet-unknown forms.

“The remote cyber attacks directed against Ukraine’s electricity infrastructure were bold and successful,” the SANS Institute report said.

“Realize that attackers may be able to develop additional attack approaches as they have learned a system and may have stolen information that allows for the development of more powerful future attacks,” it said.

Future attacks—in the U.S.

The report describes the attack that took down part of Ukraine’s power grid as well-planned and highly-coordinated, able to almost simultaneously shut off power at three different energy companies with three different distribution management systems.

“There’s this narrative trying to persist that this is not something accomplishable in Western infrastructure,” said Robert M. Lee, who authored the report along with Michael J. Assante and Tim Conway, all with the SANS Institute.

“Every aspect of what they did is repeatable in Western infrastructure,” Lee told Archer News. “All of this is completely doable again.”

The report said the attackers found their way in, then likely adapted their attack to match what they found inside.

They used a phishing e-mail to power company employees that “appeared to be from a trusted source,” and used malware to invade the office network.

Attackers were then able to leap from the office network to the operations network—the one that controls the grid—through a VPN (virtual private network) that did not appear to have a two-factor authentication security layer, according to the report.

They were able to shut down parts of the grid through remote control, the same remote control that power company employees use to run the grid every day.

In addition, the attackers sabotaged recovery by corrupting serial-to-Ethernet devices used for communication, taking out battery back-ups on some equipment, erasing files, logs and records, and flooding the company call center with fake calls, the analysts say.

“However, the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack,” the report said.

The U.S. is vulnerable

The attackers may not have to make many changes to successfully hack a power company in the U.S., according to some cybersecurity experts.

“The attack in Ukraine was against common endpoints—serial converters, UPSs, and even protective relays and RTUs—that are in use all over the world,” said Reid Wightman with Digital Bond.

These devices often do not have even basic security measures like password protection, Wightman said.

“The security goal of utilities is to keep attackers away from these devices,” he said. “Unfortunately, any utility which allows remote access to this equipment could be attacked in the same way.”

Larger utilities in the US likely use two-factor authentication for their remote access, Wightman explained.

“This makes it less likely that an attacker will get to the actual controls,” he said. “Smaller utilities, however, may not implement this extra layer of protection. These are the utilities at particular risk of attack.”

Already inside?

You should operate under the idea that the enemies can get inside your networks, the report recommended, instead of simply trusting that your networks are secure.  

In fact, the adversaries may already be inside and testing your system to see what they can attack and how, some cybersecurity experts say.

The Ukraine power companies did not appear to be doing any monitoring of their industrial control system network and checking to see if there were any abnormalities, analysts said in the SANS report.

“These vulnerabilities would have provided the adversary the opportunity to persist within the environment for six months or more to conduct reconnaissance on the environment and subsequently execute the attack,” the report said.

Shadow in the system

The virus in “Paragraph 78” left a string of bodies behind. But a cyber invader may leave much more subtle clues.

Logging data—and monitoring that data—can help you find the slight changes in your network that could signal an intruder or a recon test, according to Lee.

Look for things out of the ordinary: things happening at unusual times, or for unusual durations. Consider setting different levels of alerts to let you know when things stray from normal. And do a baseline to find out what “ordinary” is for your system, cybersecurity experts say.

“Patterning out the data flows, doing traffic analysis of what systems are talking to what systems,” said Lee. “Any sort of peaks in system activity, and, when you do have remote connections, when are those being used and by whom?”

“Outliers, multiple connection attempts—all of those should be giant red flags that need to be investigated,” he said.
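One way to turn that advice into a concrete check, as an added example that is not from the SANS report or from Archer News: build a baseline of what “ordinary” remote access looks like per user (hours of day, source addresses, typical session length) from a quiet period, then review later log lines against it and flag connections at unusual hours, unusually long sessions, new source addresses, and bursts of failed connection attempts. The log format, every log line, and the thresholds (`FAIL_WINDOW`, `FAIL_THRESHOLD`, `DURATION_FACTOR`) are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_WINDOW = timedelta(minutes=5)   # assumption: failures this close together form one burst
FAIL_THRESHOLD = 3                   # assumption: this many failures in the window is a red flag
DURATION_FACTOR = 3.0                # assumption: sessions longer than 3x the user's mean are odd

# Constructed log lines (not from any real system):
# "<ISO timestamp> <user> <event> <src_ip> [session_minutes]"
BASELINE_LOG = """\
2015-11-02T08:05:00 op_anna connect 203.0.113.10 55
2015-11-02T09:10:00 op_boris connect 203.0.113.11 40
2015-11-03T08:15:00 op_anna connect 203.0.113.10 60
2015-11-03T09:05:00 op_boris connect 203.0.113.11 35
2015-11-04T08:00:00 op_anna connect 203.0.113.10 50
2015-11-04T09:20:00 op_boris connect 203.0.113.11 45
2015-11-05T08:30:00 op_anna connect 203.0.113.10 58
2015-11-05T09:00:00 op_boris connect 203.0.113.11 42
"""

REVIEW_LOG = """\
2015-12-23T08:10:00 op_anna connect 203.0.113.10 57
2015-12-23T23:40:00 op_boris auth_fail 198.51.100.7
2015-12-23T23:41:00 op_boris auth_fail 198.51.100.7
2015-12-23T23:41:30 op_boris auth_fail 198.51.100.7
2015-12-23T23:42:00 op_boris connect 198.51.100.7 410
2015-12-24T09:05:00 op_boris connect 203.0.113.11 38
"""


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        duration = int(parts[4]) if len(parts) > 4 else None
        events.append({"ts": ts, "user": parts[1], "event": parts[2],
                       "src": parts[3], "duration": duration})
    return events


def build_baseline(events):
    """Per user: hours of day seen, source IPs seen, and mean session duration."""
    hours, sources, durations = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in events:
        if e["event"] != "connect":
            continue
        hours[e["user"]].add(e["ts"].hour)
        sources[e["user"]].add(e["src"])
        if e["duration"] is not None:
            durations[e["user"]].append(e["duration"])
    mean = {u: sum(d) / len(d) for u, d in durations.items()}
    return {"hours": hours, "sources": sources, "mean_duration": mean}


def review(events, baseline):
    """Return (rule, user, timestamp) findings for events that stray from the baseline."""
    findings = []
    recent_fails = defaultdict(list)   # user -> timestamps of recent auth failures
    for e in events:
        user, ts = e["user"], e["ts"]
        stamp = ts.isoformat()
        if e["event"] == "auth_fail":
            window = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_fails[user] = window
            # report once, at the moment a burst first reaches the threshold
            if len(window) == FAIL_THRESHOLD:
                findings.append(("repeated_attempts", user, stamp))
        elif e["event"] == "connect":
            # an unknown user has an empty baseline, so every connect is flagged
            if ts.hour not in baseline["hours"].get(user, set()):
                findings.append(("unusual_hour", user, stamp))
            mean = baseline["mean_duration"].get(user)
            if mean and e["duration"] is not None and e["duration"] > DURATION_FACTOR * mean:
                findings.append(("unusual_duration", user, stamp))
            if e["src"] not in baseline["sources"].get(user, set()):
                findings.append(("new_source", user, stamp))
    return findings


def run_review():
    """Baseline on the quiet period, then review the later log."""
    return review(parse_log(REVIEW_LOG), build_baseline(parse_log(BASELINE_LOG)))


if __name__ == "__main__":
    for rule, user, stamp in run_review():
        print(f"{stamp} {user}: {rule}")
```

On the constructed data the daytime sessions pass, while the late-night burst of failures followed by a long session from an address never seen before produces four separate findings for the same account; each rule is cheap on its own, and it is their coincidence on one user in one evening that deserves an analyst's attention. A real deployment would derive the baseline from weeks of logs rather than four days and tune the thresholds to the site.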

Planning for mutation

Don’t count on the attack staying the same, analysts advised in the report. 

For example, the Ukraine attackers appeared to use BlackEnergy malware as they infiltrated the network. But protecting yourself against BlackEnergy will not stop future attackers from using another kind of malware on your system.

The Ukraine attackers took out some communications, but not all, targeting serial-to-Ethernet field communication devices. The next attack, however, may include a complete communications blackout. Can you come up with an alternate form of communications to be able to recover from an attack?

Also, if attackers take out one part of your operating system, can you cut it off or isolate it and still continue operating?

“Preparing for a high-tempo, multifaceted attack is not easy and it requires careful plan review, testing, integrated defense, and operations exercises,” the report said.

“Rehearsing steps to more quickly sever or prevent remote access, to safely separate the ICSs [industrial control systems] from connected networks, or to contain and isolate suspicious hosts is critical,” it said.

Thoughtless worms

Defending will take more than simply blocking each technical vulnerability path, said analyst Jack Whitsitt with EnergySec.

“This environment requires a mindset change from the early 2000s, when many information security common practices started to become more codified,” he said.

“Back then, risks largely came from automated, thoughtless worms,” he added. “Today’s human adversaries will instead attempt to think around your defenses and capabilities.”

Though companies may put in “static” defenses like firewalls, patching and intrusion detection systems, they can also create vulnerabilities elsewhere—in their people, process and technology—that will allow hackers to work around the static defenses, Whitsitt said.

“What needs to happen is for organizations to look at the cyber kill chain [steps of a cyber attack] and decide what they need to do to compete with their adversaries at each level of the kill chain and to look at what decisions they’re making that could put them at a disadvantage,” he said.

Human vs. machine

“Passive” defenses may not be enough—you will need an “active” defense, according to Lee.

“There was an adaptive, highly-sophisticated, determined human adversary,” said Lee of the Ukraine power hack.

“All of the endpoint [protective technologies]—firewalls, the passive defense—you need them, you want them,” said Lee. “But an active defense, that human component. It’s very naive that we think a human threat, an adaptive human threat, is going to be stopped by flashing boxes on the network.”

The report recommends that defenders develop “anticipatory responses.” 

“The next attack may purposefully differ in its approach to throw off or defeat the defender’s plans and expectations,” the SANS report said.

“It is critical that defenders exercise and train against different scenarios and be aware that attackers are co-adaptive and creative,” it said. “It is vital to develop capabilities with flexibility in mind.”