Ukraine Power Grid Hack, All May Not be What it Seems

Reports are coming out on The Register that challenge the current finger pointing by Ukraine’s SBU state security service implicating Russia as the protagonist behind hacks on western Ukraine’s utility companies. This is not the first twist in the December Ukrainian power utility hacking story covered by Hacked.

It all started shortly after the December attack. iSIGHT Partners, a global cyber threat intelligence company, reported that malicious code had affected at least three regional Ukrainian operators. The media, picking up on this, heralded the first known instance of malware causing a power outage.

The original suggestion that malware was the cause of the power outages is now unravelling. The malware is now believed to have been the means by which the hackers established a bridgehead on the targeted utilities' internal systems. From this backdoor, the perpetrators were free to coordinate a sequence of manoeuvres that would not only ensure widespread power outages but also be calculated for maximum impact. These were:

  1. Disconnected breakers for 30 substations, denying power to over 80,000 customers.
  2. Caused monitoring stations at Prykarpattyaoblenergo to go “suddenly blind”, possibly by freezing the screen refresh so that operators were shown false information about the developing situation.
  3. Executed a form of Denial of Service (DoS) against the regional call centres to stop customers calling to report power outages.

Consequently, this is likely to be a malware-enabled but NOT malware-caused incident. Quoting the SANS ICS Director:

The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage… Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.

We are now seeing the second twist in the story, this time challenging the implication of Russian state-sponsored hackers. That implication has rested on circumstantial evidence at best. It was seeded by the findings of ESET, an antivirus provider, which confirmed that multiple power authorities had suffered the “BlackEnergy” infection. BlackEnergy was discovered in 2007 and attributed by iSIGHT to a Russian hacking group dubbed the Sandworm gang, a.k.a. Quedagh.

There is a problem with identifying a perpetrator from malware alone. Malware is often commercialised and picked up by more than one hacking group. Furthermore, malware is software, and so open to being reverse engineered and repurposed, akin to firing a missile into enemy territory with the blueprints for its construction attached. We have seen this in the past with Stuxnet, Duqu and Flame.

iSIGHT researchers have cautioned against crediting governments or specific groups with the hacking attacks, and that caution may yet prove prophetic. The Register reports that Ukrainian telecoms engineer Illia has raised doubts about the link between the Russian-connected BlackEnergy attacks and the power outages in Ukraine. Illia challenges the key facts of the incident:

  1. Reports of energy distribution utilities and blackouts are at odds with what he’s seeing on the ground. “First of all, there [weren’t] any blackouts in Boryspil (KBP),” says Illia.
  2. That only one workstation had been infected by a Russian server. However, according to CERT-UA news, the server had NO Russian IP addresses.
  3. Illia also has doubts about the DoS attacks against energy firm call centres. “I think the call centre had been overloaded simply because of quantity of callers. At the official site of energy company I have found, that 103 townships had [suffered] blackout[s] during the attack, and 183 townships had [suffered] blackout[s] partially,” he said. “Of course, the quantity of calls was catastrophic.”

The suggestion that this is a Ukrainian government propaganda campaign against Russia would come as no surprise; there has been a complex Information War going on between the two for some time.

If true, this could mean that this is not the much-heralded ‘first known instance of malware causing a power outage’. Instead, we may have an example of a highly successful manipulation, with some facts salting a larger fiction. Could this be a Ukrainian social engineering exercise, corralling the world’s media into a torrent of coverage implicating Russia in an ongoing Information War?
