Ukraine power attack may have started long before December 23

A cybersecurity company says the first tainted e-mails may have gone out to Ukraine power companies in the spring of 2014.

If you live in Ukraine, you may be used to the lights going out. Energy companies even have scheduled outages to deal with power shortages. But the blackout on December 23 was different.

This time, power companies told their customers in the region of Ivano-Frankivsk—and now, we learn, also in Kiev—that cyber attackers had infiltrated their network.

“Third parties made illegal entry into the information-technological system of remote access to equipment telecontrol substations,” announced Kievenergo, a Kiev power company, saying 30 substations were disconnected and 80,000 customers were affected.

Now a cybersecurity company in Kiev has mapped a history of the BlackEnergy malware found on Ukrainian power systems after the outage. The CyS Centrum report shows that the seeds of the attack may have been planted long before that day in December—and the list of potential attack victims is growing, including Kiev’s main airport and Ukraine International Airlines.

Spring of 2014

An e-mail arrived at a Ukraine railway company in May of 2014, CyS Centrum said. In that e-mail: a malicious file, ready to load a version of BlackEnergy malware onto the system. The targets in this attack were six rail transport companies, but the report said there were other “lucky” recipients—including Prykarpattyaoblenergo, the power company operating in the area of Ivano-Frankvisk.

CyS Centrum said the malware from the e-mail was capable, among other things, of gathering information about the target object to further development of an attack.

Summer of 2014

Another tainted e-mail with BlackEnergy went out in August of 2014, according to CyS Centrum. The targets this time—Ukrainian regional administrations, and historical and archive organizations outside the country’s borders, including the history department at Michigan State University, the Germans from Russia Heritage Collection, located in North Dakota, and the Electronic Resource Preservation and Access Network, based in Scotland.

Spring of 2015

The malicious e-mail with the BlackEnergy connection returned in March 2015, first showing up at Ukraine broadcasting companies, then at Ukraine state institutions engaged in archival and library activities, as well as a power company in Western Ukraine, according to CyS Centrum.

Fall of 2015

This was the “apogee of the attack,” CyS Centrum said, just in time for Ukrainian elections. The attack hit Ukrainian broadcasting companies and destroyed footage and server hardware, as well as disabling “functionally significant” computers, like operator workstations, according to the report.

Winter 2015

On December 23, it was the “shot heard round the world”—a blackout leaving hundreds of thousands of people in the dark in the Ivano-Frankivsk region and in the capital city of Kiev. Prykarpattyaoblenergo was one of the companies affected. Researchers said they found malware—BlackEnergy and KillDisk—and cybersecurity experts are investigating to see if cyber invaders did indeed manage to shut down power through cyber means. 

CyS Centrum told Archer News that the malware found in the power company systems after the December 23 outages could have been installed during the e-mail attacks of May 2014.

“Yes, there is a possibility, for sure,” said Nikolay Koval, CyS Centrum CEO. “At least in Prykarpattyaoblenergo. But, I can’t bet 100% for it.”

“Nevertheless, if they hadn’t been hacked in May 2014, they were hacked in March 2015,” he added. “Their network was compromised far before the December outages.”

Learning from our mistakes

Cybersecurity experts hope power companies will pay heed to the Ukraine attacks.

“It is time to begin to communicate,” wrote CyS Centrum in its report, “To listen to the recommendations–which existed long before December 23! And begin, at least, to learn from our mistakes, doing away with the role of ‘testing ground’ for the rest of the world.”

“Potentially any utility could fall victim,” said Marina Krotofil, an independent industrial control systems researcher from Ukraine.

“This thing that—probably—happened,  it could happen anywhere to anyone,” said James Arlen with Leviathan Security Group. “And if you’re confident that you’re safe, you aren’t.”

Mistakes

One of the mistakes, according to Krotofil, is that the victims of the attack and government agencies in Ukraine are not sharing attack details with cybersecurity researchers.

“Local experts are kept away/blind/uninformed/unclued?” she said. “Not helpful for defenses against further attacks.”

The culture may be changing.

Ukraine is taking steps toward improving its industrial control system security posture, Krotofil said, including collaboration on information sharing with the Industrial Control System Information Sharing and Analysis Center, based in Arlington, Virginia.

Krotofil said she is giving a talk and workshop on cyber-physical exploitation in Kiev next month to help improve security for industrial control systems and SCADA, or supervisory control and data acquisition, a system used to remotely monitor and control equipment.

Closing airports & re-writing history?

The report shows new targets of the attacks, including Kiev’s main airport, Boryspil, and Ukraine International Airlines. It does not explain how the airport and airline might have been affected.

“The most important thing is that there are more victims of these attacks that we initially thought,” said Anton Cherepanov, an ESET malware researcher who said he found BlackEnergy and KillDisk in a power company’s system after the December attack.

Many targets include history and archival organizations, according to the report. Cherepanov’s analysis showed that KillDisk has the capability to erase files.

How can companies protect themselves?

CyS Centrum’s CEO told Archer News he has a number of recommendations for power companies.

First, he said, make sure that ‘critical objects’ are separated physically from other networks. 

Second, he said, make sure there is logging enabled everywhere, including preservation of old archived logs, and make sure there is a tested plan for providing business continuity.

Third, he added, make sure that all the available inversions of control (from BE2/3 threat) are imported into local intrusion detection systems and intrusion protection systems, and make sure alerts regarding any suspicious event are being regularly checked.