Russian military hackers shut off power in Ukraine, caused global trouble, U.S. says
- October 22, 2020
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyber Crime, Cyberattack, Cyberattack, Industrial Control System Security, Posts with image, Power Grid, Power Grid
It was the first of its kind — a cyberattack in Ukraine in 2015 that blacked out parts of the country and affected about a quarter million people.
Now, the U.S. government has charged six Russian military officers for that attack and other attacks that caused massive global disruption.
Court documents show the officers allegedly used a common trick to start many of their attacks — phishing.
The first cyber blackout in Ukraine in 2015 marked a turning point. Attackers showed they could cause a power outage by computer.
Five years later, the U.S. government announced it is holding six Russian military officers responsible for that attack and several other notorious cyber events over the last few years.
The six are accused of carrying out the 2017 NotPetya malware attack that hit hospitals in the U.S., as well as global giants like Maersk, Mondelez, Merck and DHL, plus a separate attack on the 2018 Olympics.
They also shut down power in Ukraine a second time in December 2016, according to the indictment.
The attackers often started with phishing, according to the indictment.
In the Ukraine attacks, they then used the malware BlackEnergy, Industroyer and KillDisk to take control of parts of energy companies.
This video is said to show part of the 2015 attack in action. Employees watch as the computers carry out commands seemingly on their own.
The result was a power outage that hitting more than 200,000 homes and businesses in winter. A year later, another hacker blackout caused a blackout in the capital city of Kiev.
Joe Slowik, security researcher with cybersecurity company Dragos, said the same attack potentially could happen in the U.S. and other countries.
“Some of the specific protocols used in the Ukraine events — especially 2016 — would need to be changed for applying such an effect in North America, but so long as the attackers can access the relevant systems such an event is absolutely possible outside of Ukraine,” he told Archer News.
Attackers likely working on behalf of Russia have made other attempts to get into and scope out electric system operations, Slowik said.
Russian government cyber actors “targeted government entities and multiple U.S. critical infrastructure sectors” starting in 2016, according to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
In addition, the head of Germany’s domestic intelligence agency said Russia was likely behind a large cyber attack on German energy providers in 2018.
The Kremlin denied it at the time, according to Reuters.
“We don’t know what he was talking about,” said Kremlin spokesperson Dmitry Peskov.
While power companies work to strengthen defenses, attackers keep trying an easy way in — and succeeding.
The Russian military officers scoped out power company employees online, then sent trick emails to make them click, the indictment said.
“The Conspirators crafted these emails to resemble emails from trustworthy senders, such as email providers or colleagues, and encouraged the recipients to click on hyperlinks in the messages,” the document said.
What can you do, no matter where you work?
“Phishing awareness, implementing multi-factor authentication wherever possible, and maintaining overall security and operational awareness in control system environments would be critical,” Slowik said.
For some working in industrial cybersecurity, the indictment of the so-called Sandworm team working for the Russian Main Intelligence Directorate or GRU was significant.
“It meant a lot to me because the attackers crossed several lines and they finally got called out for it. Helping protect civilian critical infrastructures and ICS is a major reason I do what I do,” said industrial cybersecurity consultant Chris Sistrunk with security company FireEye.
“I was relieved that the U.S. government and the U.K. government finally named and shamed the Russian GRU Sandworm team members for what they did, especially causing power outages to Ukraine civilians!” he added.
Main image: Kiev, Ukraine. Image: Tomch/iStock