Ukraine investigates possible new cyber attack on energy grid

You could be affected even if hackers are not to blame for the blackout. 

 

It was just about midnight on December 17 in Kiev, Ukraine. Suddenly, the lights in an area to the north went out. 

“The city looked eerie and romantic at the same time,” wrote Yury Urbansky on Facebook.

Workers got the power back on, but a question hangs in the chill air. Could this be—once again—a cyber attack that shut down electricity to people in Ukraine, just like in December of 2015?

It is too soon to tell, cybersecurity experts say. Many things can cause an outage. But they are watching.

“If the Ukrenergo transmission substation outage root cause is from a cyber attack, this would be very upsetting news,” tweeted Chris Sistrunk with cybersecurity firm Mandiant, a FireEye company.

“If true, this attack not only represents further ratcheting of escalation in a very troubled part of the world but may also represent a sign of things to come as adversaries pursue ever increasing means and willingness to cause damage using cyber means,” wrote Michael Assante of the SANS Institute in a post.

 

Image of the “North” substation in the Kiev area affected by the outage, according to Wikimapia. Creative Commons license Attribution-ShareAlike (CC-BY-SA)

 

Looking for clues

The cause of the blackout may be “external interference through data network,” the head of Ukraine’s state-run power company, Ukrenergo, said in a Facebook post.

“We apologize to everyone who was left without electricity last night because of these events,” said Vsevolod Kovalchuk in the post about the issue at the ‘North’ substation in New Petrivtsi. 

The outage equaled about 20% of Kiev’s nighttime energy consumption, Kovalchuk told Reuters.

“That is a lot. This kind of blackout is very, very rare,” Kovalchuk said in a Reuters news story.

One of the possible clues, according to experts, is the Reuters report that the power company “found transmission data that had not been included in standard protocols, suggesting that external interference was the likeliest scenario.”

However, a hardware failure could also have shut off the lights, Kovalchuk said. And there could be other causes yet unknown.

 

Ukrenergo head Vsevolod Kovalchuk wrote a post on Facebook about the outage.

 

Cause for concern

Cyber invaders keep up a constant stream of cyber attacks 24 hours a day, around the world, often looking for valuable data. 

But a cyber operation that can actually cause physical harm is unusual and cause for concern.

“A cyber attack that causes a power outage means that the attackers want to affect civilians, in addition to sending a message to the country,” Sistrunk told Archer News. “The power grid is an essential part of modern life, especially in the cold of winter.”

One year ago, hackers shut off power for more than 200,000 customers in Ukraine—a momentous event that showed the world that attackers could potentially kill people through digital means.

“If confirmed, and it’s too early to tell at this point, this would be the second confirmed cyber attack causing a power outage,” Sistrunk said.

 

The city of Kiev, Ukraine in 2016.

 

Recent attacks

Ukraine officials said there have been a series of “large-scale” attacks this month on state agencies, critical infrastructure and private sector institutions, according to Radio Svoboda.

The treasury, the pension fund, the finance ministry and the defense ministry were all targets, according to the report.

The Secret Service of Ukraine said the software used for at least one of those attacks was the same as the software used in last December’s big power company attack in Ukraine, the report said.

There is no public evidence that the current outage is related to any of those attacks in any way.

However, organizations everywhere would be wise to review how last year’s Ukraine power attack went down and hunt for similar threats, advised Robert M. Lee, CEO of cybersecurity company Dragos, Inc.

Avoid alarmism, but use this as an opportunity, he wrote in a post.

“As an example, look in logs for abnormal VPN [virtual private network] session length, increased frequency of use, and unusual connection requests times,” he said.
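
The three log checks Lee lists (session length, frequency of use, connection times) can be run against each user's own history. The sketch below is an added example, not code from the article or from Dragos; the CSV layout, user names, cutoff date and thresholds are assumptions, and the session records are constructed.

```python
import csv, io, statistics
from collections import defaultdict
from datetime import datetime
# Constructed VPN session records (user, login, logout); not real data.
SAMPLE = """\
user,start,end
opsA,2016-12-05T08:02,2016-12-05T09:10
opsA,2016-12-06T08:15,2016-12-06T09:05
opsB,2016-12-05T13:00,2016-12-05T13:40
opsB,2016-12-07T14:10,2016-12-07T14:55
opsA,2016-12-12T08:20,2016-12-12T09:15
opsA,2016-12-13T02:47,2016-12-13T09:30
opsB,2016-12-13T13:05,2016-12-13T13:35
opsB,2016-12-13T13:50,2016-12-13T14:20
opsB,2016-12-13T14:30,2016-12-13T15:00
"""
CUTOFF = datetime(2016, 12, 10)  # assumed split: earlier rows form the baseline

def load(text):
    """Parse CSV rows into (user, start, duration in minutes) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        start, end = (datetime.fromisoformat(r[k]) for k in ("start", "end"))
        rows.append((r["user"], start, (end - start).total_seconds() / 60))
    return rows

def hunt(rows, dur_factor=3, freq_factor=2):
    """Flag review-window sessions that deviate from each user's own baseline."""
    durs, peak, hours = defaultdict(list), defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for user, start, mins in (r for r in rows if r[1] < CUTOFF):
        durs[user].append(mins)
        peak[user][start.date()] += 1
        hours[user].add(start.hour)
    findings, per_day = set(), defaultdict(int)
    for user, start, mins in (r for r in rows if r[1] >= CUTOFF):
        day = str(start.date())
        if user not in durs:  # nothing to compare against: surface it
            findings.add((user, day, "no-baseline"))
            continue
        per_day[(user, day)] += 1
        if mins > dur_factor * statistics.median(durs[user]):
            findings.add((user, day, "long-session"))
        if all(min((start.hour - h) % 24, (h - start.hour) % 24) > 1 for h in hours[user]):
            findings.add((user, day, "unusual-hour"))
        if per_day[(user, day)] > freq_factor * max(peak[user].values()):
            findings.add((user, day, "high-frequency"))
    return sorted(findings)

print(hunt(load(SAMPLE)))
```

Comparing each account with its own baseline, rather than one global threshold, keeps a night-shift operator's normal logins from drowning out a day-shift account that suddenly connects at 02:47.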

 

Image of the “North” substation in the Kiev area affected by the outage, according to Wikimapia. Created by Kukurbito. Creative Commons license Attribution-ShareAlike (CC-BY-SA)

 

Good practices

This latest Ukraine outage—if hacker-caused—would probably not reveal new hacker tactics, Lee told Archer News.

“If it turns out to be an attack I do not think it will be novel in the sense that we have not observed the tradecraft or understood how to defend against the method before,” Lee said. “It is rare to see novel techniques that shock defenders.”

“Usually, good practices such as an active defense approach to monitoring the environment and basic security practices prove to be successful,” he said. “The attack will be novel in its significance to the community though.”

Keeping watch

People around the world will be monitoring this latest event to see exactly what happened, and how.

“It means that we cybersecurity experts need to help find the root cause, and begin looking in other similar companies to see if they could be attacked,” Sistrunk said. 

“Help shore up a company’s defenses. Spread the word. Help raise awareness about what people can do to protect their networks. Especially industrial control systems,” he added.

And you could be affected—even if the outage turns out to be simply operator error.

“It is likely that non-related attackers will utilize themed phishing emails to the community to have them click on links or attachments,” Lee said.

“The news is interesting to many so it would be ripe to get users to click on emails and associated attachments,” he added.

 


 

Cold temps

With temperatures below freezing, Ukrenergo said workers restored power in an hour and 15 minutes, with some people getting their service back even sooner.

“Electricity really recovered very quickly, about 40 minutes in our house the lights were back,” wrote Oksana Matsunich on Facebook. 

The blackout—“eerie and romantic”—may turn out to be simply a standard service issue at the recently refurbished ‘North’ substation in New Petrivtsi.

“A one-hour 15-minute outage is kind of common,” Sistrunk said.

For Ukrainians in winter, even a “common” outage can feel painful.

“Thankfully, no matter the cause, the power company got the lights back on fairly quickly,” he said.

 
