Role of Malware in Ukrainian Power Outages Analyzed
Based on the available information, ICS security experts believe the malware involved in the recent attacks targeting Ukraine’s energy sector was likely not directly responsible for the power outages.
Researchers from the SANS ICS team have analyzed the evidence and assessed with high confidence that Ukraine’s power grid has been targeted in a coordinated attack.
Regional Ukrainian power companies reported just before Christmas that they had suffered outages after outsiders remotely tampered with automatic control systems. The country’s security service, the SBU, later published a statement accusing Russian special services of planting malware on the networks of energy firms and flooding their technical support phone lines.
Malware Used in Ukraine Power Grid Attacks
Security firm ESET reported that the attacks on Ukraine’s energy sector involved the Russia-linked BlackEnergy malware, which has been known to target SCADA systems in the United States and Europe. In addition to BlackEnergy, several other malicious elements have been found in the targeted networks, including KillDisk, which is a plugin designed to destroy files, and an SSH backdoor dubbed by ESET “Dropbear SSH.”
KillDisk, reportedly used in 2015 to destroy documents and video files related to local elections in Ukraine, is capable of making the operating system unbootable and sabotaging industrial systems by terminating associated processes and corrupting executable files by overwriting their content with random data.
While KillDisk is capable of serious damage, SANS ICS experts believe it’s unlikely to have directly caused the outages. Researchers believe the attackers hacked into production SCADA systems, infected workstations and servers with malware, and damaged SCADA system hosts.
However, the damage caused to SCADA systems was not what caused the power outages. This phase of the attack, likely carried out with the KillDisk malware, was designed to make it more difficult to restore power and analyze the incident.
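The wiping behaviour described above (executables overwritten with random data so that hosts no longer boot and SCADA processes cannot run) leaves a recognisable forensic signature. The following Python script is an added example, not code from ESET, SANS or any of the companies named in this article; it assumes a defender kept a baseline of SHA-256 digests for the executables on an engineering workstation and wants to sort files after an incident into intact, modified, wiped (header gone and near-maximal entropy) and missing. The sample host it builds is constructed inline, and the entropy threshold is an assumed heuristic that will also flag legitimately packed or encrypted binaries, so the hash baseline, not the entropy check, is the authoritative test.

```python
"""Triage helper: flag executables that look overwritten with random data.

Added example for illustration; it is not ESET's, SANS's or any vendor's tooling.
Assumes a pre-incident baseline of SHA-256 digests for the host's executables.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading bytes of the executable formats expected on the host (assumed set).
EXEC_MAGIC = (b"MZ", b"\x7fELF")
# Bits per byte above which content is treated as random-looking (assumed threshold).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str, baseline_digest: str) -> str:
    """Return 'intact', 'modified' or 'wiped' for one baselined executable."""
    if sha256_of(path) == baseline_digest:
        return "intact"
    with open(path, "rb") as f:
        data = f.read()
    # A random overwrite destroys the format header and leaves near-maximal entropy;
    # a file that merely changed (patched, updated) normally keeps its magic bytes.
    if not data.startswith(EXEC_MAGIC) and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "wiped"
    return "modified"


def triage(root: str, baseline: dict) -> dict:
    """Classify every baselined file under root; deleted files are reported as 'missing'."""
    results = {}
    for rel, digest in baseline.items():
        path = os.path.join(root, rel)
        results[rel] = classify(path, digest) if os.path.exists(path) else "missing"
    return results


def build_sample_host() -> tuple:
    """Constructed sample: a temp directory with one intact, one wiped and one deleted binary."""
    root = tempfile.mkdtemp(prefix="scada_host_")
    intact = b"MZ" + b"\x00" * 30 + b"fake PE body " * 200
    # Deterministic high-entropy filler stands in for the random overwrite data.
    wiped = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    files = {"hmi.exe": intact, "scada_svc.exe": intact, "gone.exe": intact}
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    baseline = {name: sha256_of(os.path.join(root, name)) for name in files}
    # Simulate the post-incident state: one binary overwritten, one removed.
    with open(os.path.join(root, "scada_svc.exe"), "wb") as f:
        f.write(wiped)
    os.remove(os.path.join(root, "gone.exe"))
    return root, baseline


if __name__ == "__main__":
    host, digests = build_sample_host()
    for name, verdict in sorted(triage(host, digests).items()):
        print(f"{name:14s} {verdict}")
```

In a real deployment the baseline would come from an offline, signed inventory taken before the incident, and the verdicts would feed the restoration plan: "wiped" hosts are rebuilt from known-good media rather than repaired, which is exactly the recovery work the article says the wiper was meant to slow down.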
Affected power companies restored services within 3-6 hours by switching to manual mode. This action was necessary due to the damage caused to the SCADA systems that are normally used to automate the process.
According to researchers, the actual power outage is likely a result of direct interaction by the attackers — they remotely gained access using a piece of malware and used that access to interact with the system (e.g. open breakers) and cause the disruption.
“I have observed the loss of many SCADA systems for periods of time that resulted in no outage or impact to the power system. Running a power system without the benefit of your SCADA system at the distribution-level adds risk, but without something to change the 'state' (for example to force a circuit to de-energize) then the system will continue to serve power,” Michael J. Assante, SANS ICS director, explained in a blog post over the weekend.
“We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information. The malware also appears to have been used to wipe files in an attempt to deny the use of the SCADA system for the purposes of restoration to amplify the effects of the attack and possibly to delay restoration,” Assante added.
Robert M. Lee, founder and CEO of Dragos Security, told SecurityWeek that similar attacks could also be possible in the United States and developed European countries, but the impact would likely be less severe. Lee also commended Ukrainian operators for the way they handled the situation and for their ability to switch to manual mode.
Lee pointed out that while such an attack might cause less damage in the Western world, if attackers did succeed in causing power outages, restoring service could be more difficult because Western operators rely more heavily on automated systems.
Shortly after news of the attacks broke, security firm iSIGHT Partners reported that a threat group dubbed “Sandworm Team” or a related Russian operator was likely behind the campaign.
iSIGHT’s assessment is based on the BlackEnergy variant apparently used in the attacks, which the company says has become Sandworm Team’s calling card.
ESET has pointed out that while BlackEnergy may have Russian origins and is often associated with Russian threat groups, there is no hard evidence to support this. Furthermore, the source code of the first BlackEnergy malware was leaked, the threat has evolved a great deal over the past years, and there are several versions circulating in the wild, which makes it difficult to determine if the malware is currently operated by a single or multiple groups.
Assante has also cautioned against attributing specific malware components to the Ukraine power grid attacks.
“The malware campaign reported, tied to BlackEnergy and the Sandworm team by others, has solid links to this incident but it cannot be assumed that files such as the excel spreadsheet and other malware samples recovered from other portions of that campaign were at all involved in this incident,” the expert said. “Simply put, there is still evidence that has yet to be uncovered that may refute the minutia of the specific components of the malware portion of the attack.”
Lee told SecurityWeek that more evidence related to the attacks will likely become available in the coming weeks or months.