The 2015 cyber attacks on the industrial control systems of several power distribution companies in Ukraine that knocked out power for six hours began with a phishing campaign over a year before and could have been stopped with the most common infosec strategy: Defence in depth.
That’s the conclusion of a recent report by U.S. consulting firm Booz Allen Hamilton into what is believed to be the first time malicious actors had successfully – and publicly – disrupted power stations.
The outage was also one of the few known cyber attacks against a SCADA (supervisory control and data acquisition) system.
“This attack was exceptionally well organized and executed,” the report says, but the tools to mitigate and minimize the impact aren’t difficult to implement. It argues that with defence in depth on industrial and SCADA networks, defenders “can effectively address similar threats” by increasing the likelihood of detection.
The report could be used by operators of ICS and SCADA networks in many industries to plan for defending against cyber attacks.
On Dec. 15, 2015 hackers remotely logged into workstations at a Ukraine power distribution company and, clicking through commands in the operator control system, shut off breakers one by one; at the same time they attacked two other distribution companies, plunging some 220,000 businesses and households into darkness for six hours.
In a series of unique, discrete steps, the threat actors – widely believed to be from Russia – deployed a specially modified version of the BlackEnergy malware, gained access to targeted corporate networks, stole valid credentials, moved into the operators’ control environment, identified specific targets and remotely disrupted the power supply.
“Each task was a missed opportunity for defenders,” says the report, which relied on public information, malware analysis of the tools used and some educated inferences, “to block, frustrate or discover the attackers’ operations before they reached their final objectives.”
Steps like security awareness training, network segmentation, network monitoring, access control including two-factor authentication and threat intelligence should have been vital parts of a wide-reaching defense strategy.
“The Ukraine incident also demonstrates that no single mitigation can prevent an attack’s success,” it adds.
The power distribution attacks were part of a larger campaign against Ukrainian infrastructure including railways, broadcasters and the government.
It appears to have started at least as far back as May 2014 with a phishing campaign that forged sender addresses and weaponized Microsoft Word attachments to drop the BlackEnergy remote access trojan. The report assumes the attackers did some information gathering from public sources, and perhaps scanned perimeter devices.
Regardless, at some point employees at each of the three targeted electricity distributors opened the attachments and infected their workstations.
The assumption is that the malware then communicated with a command and control server, which likely downloaded plugins to enable credential harvesting and internal network reconnaissance. The attackers then gained administrator credentials to access the domain controller, recover additional credentials and create new privileged accounts.
Some time between June 2015 and December the attackers accessed the ICS network including workstations used by managers to control devices, management servers, serial to Ethernet converters for converting serial data from field devices to digital packets, remote terminal units and substation breakers.
A malicious firmware update was created and uploaded for the serial to Ethernet converters, to disrupt communications between those devices and make it hard for operators to restore power after the breakers had been turned off. In addition, the attackers got into the uninterruptible power supply (UPS) for the telephone communications server and data centre servers and scheduled an outage in it for the day of the attack.
On that day they modified passwords on some workstations to lock users out, then used their remote access to trip the breakers and deliver the malicious firmware update, rendering the converters inoperable and severing the connections between the control centre and substations. Workers were forced to manually reset the breakers.
To sow confusion a DDoS attack was launched on a telephone call centre at one of the distributors.
Finally, KillDisk malware uploaded earlier erased the master boot records and deleted system log data on targeted machines across the corporate and ICS networks.
Booz Allen says there were many steps defenders could have taken at each stage that would have at least slowed the attackers and made it more likely they would have been discovered.
The report also includes advice for those running operational ICS networks. One point is that cybersecurity professionals don’t always understand the core operations of an ICS network. As a result the infosec team needs to partner with plant operators to understand operational processes.
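To make the “missed opportunity at each step” point concrete, the following is an added example (not from the report or the article): a small correlation script that maps each stage described above to a detection rule and escalates when two or more stages fire in sequence. The event schema, field names and sample log are constructed for illustration and do not represent any real product’s log format.

```python
"""Cross-stage correlation for the kill chain described above.
Event schema and sample log are constructed assumptions, not a real log format."""
from typing import Callable

Event = dict

# One rule per stage the article says defenders could have caught.
STAGE_RULES: dict[str, Callable[[Event], bool]] = {
    "phishing_attachment": lambda e: e.get("type") == "email"
        and e.get("spf") == "fail" and e.get("attachment", "").endswith(".doc"),
    "new_privileged_account": lambda e: e.get("type") == "directory"
        and e.get("action") == "group_add" and e.get("group") == "Domain Admins",
    "corp_to_ics_crossing": lambda e: e.get("type") == "netflow"
        and e.get("src_zone") == "corporate" and e.get("dst_zone") == "ics",
    "remote_hmi_login_without_mfa": lambda e: e.get("type") == "auth"
        and e.get("host_role") == "hmi" and e.get("remote") and not e.get("mfa"),
    "converter_firmware_write": lambda e: e.get("type") == "device"
        and e.get("device") == "serial_ethernet_converter" and e.get("action") == "firmware_write",
    "ups_outage_scheduled": lambda e: e.get("type") == "device"
        and e.get("device") == "ups" and e.get("action") == "schedule_outage",
}

def match_stages(events: list[Event]) -> dict[str, list[Event]]:
    """Return every stage that fired, with the events that triggered it."""
    hits: dict[str, list[Event]] = {}
    for e in events:
        for stage, rule in STAGE_RULES.items():
            if rule(e):
                hits.setdefault(stage, []).append(e)
    return hits

def kill_chain_alert(events: list[Event], min_stages: int = 2) -> tuple[bool, list[str]]:
    """Escalate when at least min_stages distinct stages fire; stages are returned in
    time order so an analyst sees the chain. A single stage is only an investigation lead."""
    hits = match_stages(events)
    ordered = sorted(hits, key=lambda s: min(e["ts"] for e in hits[s]))
    return len(ordered) >= min_stages, ordered

# Constructed sample log, loosely modelled on the sequence the article describes.
SAMPLE_EVENTS: list[Event] = [
    {"ts": 1, "type": "email", "spf": "fail", "attachment": "invoice.doc"},
    {"ts": 2, "type": "directory", "action": "group_add", "group": "Domain Admins", "user": "svc_bk2"},
    {"ts": 3, "type": "netflow", "src_zone": "corporate", "dst_zone": "ics", "dport": 3389},
    {"ts": 4, "type": "auth", "host_role": "hmi", "remote": True, "mfa": False, "user": "op1"},
    {"ts": 5, "type": "device", "device": "ups", "action": "schedule_outage"},
    {"ts": 6, "type": "device", "device": "serial_ethernet_converter", "action": "firmware_write"},
    {"ts": 7, "type": "auth", "host_role": "hmi", "remote": False, "mfa": False, "user": "op2"},  # benign console login
]

if __name__ == "__main__":
    fired, stages = kill_chain_alert(SAMPLE_EVENTS)
    print("ALERT" if fired else "no alert", stages)
```

Each rule alone is noisy in a real plant; the value is in the correlation, which is exactly what the report's layered-detection argument relies on.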
You can get a copy of the report here. Registration is required.