An investigation into a power outage that left customers in Ukraine without electricity for an hour last month has concluded that the cause was indeed a cyberattack, sources tell Motherboard. This would be the second such known hack of a Ukrainian power facility following a massive December 2015 power outage affecting about 230,000 people, which was later blamed on the Russian government.
The more recent attack occurred at a transmission facility, as opposed to the 2015 attack that affected a distribution facility, and was not as far-reaching (although it could have been much worse—as disruptions to a transmission facility could impact a wider area than distribution facilities). But taken together, the implications of both attacks and a series of other breaches around Ukraine suggest that someone, or various individuals, may be using the country as a testbed for refining attacks on critical infrastructure that could be used across the world.
The attack last month, which occurred almost exactly one year after the previous outage, struck the Pivnichna substation outside the capital city Kiev, and cut power a few minutes before midnight local time December 17, leaving customers in part of Kiev and a surrounding area in the dark on a Saturday night. The outage lasted only an hour, and power was restored a little after 1 am.
Someone, or various individuals, may be using the country as a testbed for refining attacks on critical infrastructure, attacks that could be used across the world.
Ukrainian security researchers involved in the investigation say they believe the attack was conducted by the same hackers who cut power in Ukraine a year ago. They also believe the attackers may be responsible for a series of other attacks that have struck other high-value Ukrainian targets in the commercial and government sectors, including the national railway system and the Ministry of Finance, which were hit around the same time.
Ukraine's intelligence service attributed the 2015 attack to Russia, without providing any evidence to support the claim. No one has publicly attributed this latest attack to Russia or anyone else.
UkrEnergo, the national power company that oversees the Pivnichna substation and others, told customers after this last outage that it was unclear if it was the result of hackers or equipment failure, but the researchers say there is now no question it was the result of an intrusion.
The attackers appear to be testing out techniques, says Oleksii Yasynskyi, head of research for Information Systems Security Partners in Ukraine, who worked on the investigation for UkrEnergo. Their ultimate goal is sabotage he says.
Yasynskyi will present some of the investigation findings today at the S4 conference in Florida, along with Marina Krotofil, a Ukrainian researcher for Honeywell Industrial Cyber Security Lab who assisted with part of the investigation. But the full investigation may not be complete until later this year.
"The amount of logs is humongous. It will take months to investigate," Krotofil told Motherboard. "We still don't know if the same tools are being used because we have still to compare. But [the attackers are using] the same strategy."
In the 2015 attack, the hackers conducted a coordinated attack against three power distribution companies, which left customers without electricity for three to six hours. The hackers overwrote the firmware on the remote-terminal units, or RTUs, that controlled substation breakers. This essentially “bricked” the devices and prevented engineers from restoring power remotely. Technicians had to travel to the substations to physically close breakers and restore power. The hackers also used a piece of malware called KillDisk, which overwrote critical system files on operator machines, causing them to crash and become inoperable.
This time, Krotofil says, the hackers simply shut down the RTUs, making it easier to restore power once the RTUs were re-engaged, and didn’t destroy operator machines.
"It was more like a demonstration of capabilities."
"The attack [was] not meant to have any lasting dramatic consequences," Krotofil told Motherboard. "They could do many more things, but obviously they didn't have this as an intent. It was more like a demonstration of capabilities."
Krotofil says the latest attack began as part of a massive phishing campaign that occurred last July and targeted many government organizations. Wherever they were successful in getting in, the attackers sat on systems silently for months conducting reconnaissance before making their presence known in a series of events that occurred in December.
Some of the other attacks targeted the Ministry of Finance, the State Treasury and the Pension Fund and became apparent only on December 6 when DDoS attacks struck the Ministry of Finance and State Treasury Service web sites. The sites were blocked for two days, according to local news reports, which prevented the agencies from making unspecified payments. The reports also said that attackers breached the networks and damaged equipment and destroyed databases that are critical to the Treasury and Pension Fund. As a result, payments in the amount of hundreds of millions of Ukrainian Hryvania were delayed or prevented.
"[E]ven after they started their standard process, even week later, they were still recovering killed servers," said a person with knowledge of the investigation who is not connected to Krotofil and Yasynskyi and who asked not to be identified because he's not authorized to speak about the event.
He noted that the phishing attack that targeted the Ministry of Finance came from a trusted sender who acknowledges sending the email, but didn't know it carried a malicious attachment. The spearphishing campaign was so well done, the source told Motherboard, that recipients were bound to open it. "It's clear that everyone would 100% open an attachment with no doubts, because it was so relevant and crafted so carefully."
On December 14, it became apparent that the State Administration of Railway Transport, which manages Ukraine's national railway system, had also been hacked. The latter was also a two-pronged attack that involved a DDoS attack against the online ticket-selling site for passengers, and an intrusion into the automated system for scheduling and dispatching freight cars.
Yasynskyi says the attackers in each instance have followed familiar patterns. They first gain entry and establish a backdoor foothold to maintain ongoing access and then steal system and administrator account credentials, which allow them to move through the network unobtrusively. They sit on the network conducting reconnaissance for months, analyzing system and workstation logs, scanning network traffic and studying the daily behavior of administrators so they can mimic their activity, using the same administrative tools, to go unnoticed.
If the attackers aren't caught during the initial stages of infection, they can remain undetected for months because their behavior appears to be so normal, Krotofil says.
One way in which these latest attacks differ from the one in 2015, however, is the attackers’ strategy for infecting systems. In the 2015 attack, the hackers used simple macros embedded in email attachments to install malicious code that gives them remote access to infected computers. But this year, the macros they used were more sophisticated and refined, Krotofil and Yasynskyi say. About 30 percent of the macro code is dedicated to making analysis of the code difficult, and 69 percent is focused on features designed to obfuscate the maliciousness of the code. Only 1 percent of the macro performs the actual function of delivering the remote access code to a victim's system. The hackers, Krotofil and Yasynskyi say, are getting better at camouflaging their tracks.
The researchers say the attacks show that Ukraine "has turned into a training playground for research and development of novel attack techniques" — attacks that will likely be used elsewhere once the hackers refine them.
"Ukraine uses equipment and security protections of the same vendors as everybody else around the world," says Krotofil. "If the attackers learn how to go around those tools and appliances in Ukrainian infrastructures, they can then directly go to the West."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.