On December 23, a cyberattack on equipment of the Ukrainian power grid caused a power outage in the Ivano-Frankivsk region, in the western part of the country. It is one of the rare successful cyberattacks whose details have been made public. Information is now available on the methods the attackers used to bring down the infrastructure, and the means deployed to take down the network of Prykarpattyaoblenergo are impressive.
6 months of preparation for a large-scale cyberattack
Like the Israeli and American cyberattack on the Iranian uranium centrifuges in 2010, the attack on the Ukrainian grid will go down in the annals of cybersecurity. It was not the work of a lone hacker who took control of a single control computer, but a concerted, large-scale operation. First, the hackers managed to trip 30 power distribution substations and, simultaneously, two distribution centres, which in turn caused a further thirty substations to drop off the network. Result: 230,000 people were left without electricity for between 1 and 6 hours and, in an irony of the attack, the emergency power systems of the Prykarpattyaoblenergo employees themselves had been disconnected in 2 of the 3 centres…
Interviewed by Wired, Robert Lee, co-founder of Dragos Security and a former cyber-warfare officer in the US Air Force, considers it a large-scale operation that requires substantial logistics, significant financial resources and highly skilled people. Whether the attack was carried out by Russia or by another state, the expert declines to say, for lack of evidence. For the time being, the exact origin of the attack remains unknown; however, the Ukrainian experts, with the help of the FBI and the DHS (the United States Department of Homeland Security), were able to reconstruct the attack scenario in detail. It is fascinating.
The initial attack was a simple Word file infected with malware
According to the account published by Wired, the attack began in the spring with a phishing campaign targeting systems administrators and members of the IT departments of the country's various electricity distributors. A simple Word file attached to an email asks the recipient to enable macros; once they do, the process is launched: the BlackEnergy3 malware deploys on the machines and gives the hackers a foothold from which they map the corporate network.
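As an added illustration (not part of the original article or of Wired's reporting), here is a defensive triage check that a mail gateway could apply to the kind of attachment described above. It inspects Office attachments by content rather than by file extension, flags documents that carry a VBA project, and routes legacy OLE binaries for deeper inspection because their header alone cannot rule macros out. The sample attachments and the policy actions are constructed for the example.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound-file container (.doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed triage policy for this example: what the gateway does per verdict.
POLICY = {
    "macro": "quarantine",        # OOXML document carrying a VBA project
    "legacy-binary": "sandbox",   # OLE container: macros cannot be ruled out from the header
    "no-macro": "deliver",
    "other": "deliver",
}


def classify_office_attachment(data):
    """Classify an attachment by its bytes, ignoring the file name entirely."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "other"
        # OOXML stores the VBA project as a binary part; its presence is the macro signal.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "no-macro"
    return "other"


def build_ooxml_sample(with_macro):
    """Build a minimal constructed OOXML (docx-like) zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def triage(attachments):
    """Return [(name, verdict, action)] for a list of (name, bytes) attachments."""
    results = []
    for name, data in attachments:
        verdict = classify_office_attachment(data)
        results.append((name, verdict, POLICY[verdict]))
    return results


# Constructed sample mailbox. The macro-bearing file is deliberately named .docx
# rather than .docm, so an extension-only filter would have let it through.
SAMPLE_ATTACHMENTS = [
    ("invoice.docx", build_ooxml_sample(with_macro=True)),
    ("report.docx", build_ooxml_sample(with_macro=False)),
    ("old_notes.doc", OLE_MAGIC + b"\x00" * 64),
    ("readme.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for name, verdict, action in triage(SAMPLE_ATTACHMENTS):
        print(f"{name:15} {verdict:14} -> {action}")
```

The check is deliberately content-based: the phishing lure in the article relied on the recipient enabling macros, and a gateway that decides by extension is trivially bypassed by renaming. Legacy OLE files would need an OLE stream parser to inspect properly, which is why the example hands them to a sandbox instead of guessing.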
They then gained access to the Windows domain controllers, and also collected the VPN credentials that would give them access to the SCADA systems, the industrial control systems that literally run the electricity distribution network. Like many industrial operators, Prykarpattyaoblenergo had carefully separated this industrial network from its IT network, but this proved useless: the hackers used the very VPN that technicians use to reach the industrial network.
With VPN access, the hackers would be able not only to disable the emergency power systems but also to trip the distribution substation systems. Here the attack becomes far more complex, because the hackers modified the firmware of the serial-to-Ethernet converters attached to these devices, pushing the firmware update across the industrial network to the equipment. The purpose of this firmware was to prevent technicians from intervening on the equipment at the time of the attack. With that, everything was ready to launch the attack.
The attackers multiplied barriers to prevent technicians from intervening
It was launched on 23 December at 15:30, preceded by a TDoS attack: thousands of calls flooded the distributor's call centres. The aim of this campaign was to prevent subscribers from reporting the outage that was about to occur. From then on, everything flowed. Backup power supplies were disconnected and substation circuit breakers were tripped. In addition, the KillDisk malware was launched on the network's supervisory workstations: it wiped the system files, crashing those computers. One can only emphasize the effectiveness of the technicians, who had only a few hours to restore power while the attackers had multiplied obstacles to prevent them from doing so.
The attack on Prykarpattyaoblenergo sounds like a new warning to energy companies, but also to industrial operators around the world who consider their systems secure. Sometimes a single email is enough to bring the whole building down.
Translation: Bing Translator
Source: “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, March 3, 2016