Months after malware enabled a power blackout in parts of Ukraine, more clues about the perpetrators of the attack, as well as the potential scale of the hacking campaign, have come to light.
After conducting its investigation, the country's energy ministry concluded that hackers made phone calls from inside Russia, and used a Russian-based internet service provider as part of their coordinated attack on the Ukrainian power grid in December, Reuters reports.
Deputy Energy Minister Oleksander Svetelyk also emphasised that the attack had been well-orchestrated.
“The attack on our systems took at least six months to prepare—we have found evidence that they started collecting information (about our systems) no less than 6 months before the attack,” Svetelyk told Reuters.
On December 23, a Ukrainian power company announced that part of the country had gone dark, and shortly after, researchers obtained samples of malware found on the company's network. Subsequent reports revealed that at least two other companies had been targeted too, and that the hackers had also launched a denial-of-service style attack on phone systems, stopping customers from complaining about the blackout.
In its investigation, the energy ministry does not point directly to Russian involvement, however. Attribution for cyber attacks is notoriously difficult, but US researchers have concluded that the blackouts were likely the work of the so-called Sandworm group, a Russian-backed hacking group. Researchers came to this conclusion in part because of the presence of BlackEnergy malware on the affected networks, which has been used by a likely Russian group to target industrial control systems.
Now, researchers from Trend Micro claim to have found a variant of that malware in a Ukrainian mining company. Kyle Wilhoit, senior threat researcher from Trend Micro, writes on the company's blog that a sample found in the unnamed mining company “has the same exact functionality as those samples witnessed in the Ukrainian power utility attack.” Some of the samples uncovered apparently also connect to the same command and control servers used in the Ukrainian power grid attacks.
Wilhoit notes that he and another researcher also found KillDisk—a data-wiping piece of malware that was also present in at least some of the power grid attacks—in the system of a railway operator. However, they did not find BlackEnergy itself on the railway systems.
At this point, it is better to be highly sceptical about whether these two incidents were part of the same campaign as the December power grid hacks. Indeed, when malware was found in Ukraine's international airport in January, Robert M. Lee, a former US Air Force cyber warfare operations officer and CEO of Dragos Security, told Motherboard that even when command and control servers might have been in Russia, hasty conclusions should not be made.
“It's normal to be able to compromise locations around the world and use, so just because the IP address says Russia means very little for attribution,” he said.