U.S. Department Of Homeland Security Confirms Cyber Attacks Took Down Ukraine Power Grid In December
In late December, a major power outage cut utility service to a large swathe of customers in western Ukraine. Shortly after the incident, a number of cyber security experts pointed the finger at hackers and claimed that a digital intrusion had taken down the power grid, but nothing had been officially confirmed at the time.
But now the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is reporting that the outage was caused by a deliberate cyber-attack against Ukrainian critical infrastructure.
An alert published on the ICS-CERT website says, “On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors. Public reports indicate that the BlackEnergy (BE) malware was discovered on the companies’ computer networks, however it is important to note that the role of BE in this event remains unknown pending further technical analysis.”
Details of the attack are more alarming than a simple malware infection that allowed remote access, however. The widespread disruption of service was caused by outages at three different regional electric power distribution companies. The cyber-attack was reportedly synchronized and coordinated across the three locations, following extensive reconnaissance of the target networks. The intruders had likely acquired legitimate credentials over time, prior to initiating the attack.
To take down the grid, the attackers apparently remotely executed malware that erased critical data from a number of hard drives and then corrupted the boot records on those drives, leaving the affected machines unable to boot. The firmware on key Serial-to-Ethernet devices at various substations was also corrupted, rendering them inoperable and cutting off remote communication with the affected substation equipment, and the uninterruptible power supplies connected to some servers were taken down as well.
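One practical consequence of the boot-record corruption described above is that a responder can tell a wiped or tampered system disk from an intact one by examining its first sector. The following is an added example written for this article, not code from ICS-CERT or from the original report: it parses a 512-byte MBR, checks the 0x55AA boot signature and the partition table for sanity, and compares the sector's SHA-256 against a baseline captured before the incident. The sample sectors (`GOOD_MBR`, `WIPED_MBR`, `TAMPERED_MBR`) are constructed inline and the bootstrap bytes are filler, not real x86 boot code; nothing here is taken from the Ukrainian incident itself.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PT_OFFSET = 446          # partition table starts after the bootstrap code area
PT_ENTRY = 16            # four 16-byte entries
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4, LE) sector count(4, LE)
PT_FORMAT = "<B3xB3xII"


def parse_partitions(mbr):
    """Decode the four primary partition entries of an MBR sector."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PT_FORMAT, mbr, PT_OFFSET + i * PT_ENTRY)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_sha256):
    """Return a list of findings; an empty list means the sector looks intact.

    baseline_sha256 is the hex digest of the same sector captured while the
    host was known-good (an assumption of this example: such a baseline exists).
    """
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if all(b == 0 for b in mbr[:PT_OFFSET]):
        findings.append("bootstrap code area is all zeros")
    entries = parse_partitions(mbr)
    if not any(e["type"] != 0 for e in entries):
        findings.append("partition table has no entries")
    for idx, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (idx, e["status"]))
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append("entry %d has zero length" % idx)
    if hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("sector hash differs from baseline")
    return findings


def build_mbr(bootstrap, entries):
    """Assemble a 512-byte MBR from filler bootstrap bytes and (status, type, lba, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    code = bootstrap[:PT_OFFSET]
    sector[:len(code)] = code
    for i, (status, ptype, lba, sectors) in enumerate(entries):
        struct.pack_into(PT_FORMAT, sector, PT_OFFSET + i * PT_ENTRY, status, ptype, lba, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: intact sector with one bootable NTFS-type (0x07) partition at LBA 2048.
GOOD_MBR = build_mbr(bytes(range(256)) + bytes(range(190)), [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()
# Constructed sample: sector zeroed outright, as a wiper that overwrites the boot record would leave it.
WIPED_MBR = bytes(MBR_SIZE)
# Constructed sample: signature and table intact but bootstrap code replaced (partial overwrite or bootkit).
TAMPERED_MBR = build_mbr(b"\x90" * PT_OFFSET, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE) or ["no findings"])
```

The structural checks catch the crude case (a zeroed or truncated sector) without any prior knowledge, but only the hash comparison catches a sector whose table still parses; that is why the baseline must be collected from known-good hosts ahead of time, not reconstructed after the outage. On a live system the sector would be read from the raw disk device (for example `/dev/sda` on Linux) rather than from the constructed samples above.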
The ICS-CERT alert also includes detection and mitigation guidance for those who want more detail.