Since late December, the security community has been poring over a likely cyberattack in Ukraine that led to a section of the country temporarily going without electricity. Researchers who analyzed malware found in a network of the targeted grid management center claimed that a Russian hacking group was responsible.
The coordinated nature of the attack is now coming to light. Michael J. Assante, director of SANS ICS, a group of researchers focusing on industrial control systems, writes that the hack compromised “multiple elements,” including measures to stop customers reporting the resulting blackout.
The attack was first reported on December 23, when a Ukrainian power company announced that a part of the country had gone dark, and the country's security service blamed Russia for causing the outage. Shortly after, researchers obtained samples of malware found within the affected network. Robert M. Lee, a former US Air Force cyber warfare operations officer and CEO of Dragos Security, previously told Motherboard that this malware was “unique,” meaning it was likely linked to the outage.
Assante’s analysis shows how highly organized the campaign was: rather than just infecting a target with a piece of malware, the hackers made a concerted push to delay the reaction of both customers and responders. This shows the attack was likely purposeful, and planned in advance.
One element of this multi-faceted approach was a “denial of service” attack on phone systems, Assante explains. This was to “deny customer calls that would have reported the power out.” The hackers also installed malware in an attempt to stop technicians from detecting the attack.
“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage,” Assante wrote.
As other researchers have indicated, Assante says that there were likely also other targets, writing, “We assess with high confidence that there were coordinated attacks against multiple regional distribution power companies.”
Some questions still remain about how exactly the cyberattack led to a power outage, however. Assante writes that the malware itself likely didn't result in the lights going off, but instead gave a remote attacker the access needed to open “breakers,” disconnecting the affected parts of the network.