SecurityWeek

Cyberwarfare

Russian Hackers Behind Ukraine Power Outage May Have Sought More Damage

The Russia-linked hackers who triggered a power outage in Ukraine back in 2016 may have hoped to cause much more damage, according to a report published recently by U.S.-based industrial cybersecurity firm Dragos.


The threat group, which Dragos tracks as Electrum, used a piece of malware known as Crashoverride (also called Industroyer) to target industrial control systems (ICS) at a power station in Ukraine. The cyberattack resulted in power outages in the Kiev region in mid-December 2016, but power was restored after just over an hour, making the attack less severe than the one launched against Ukraine’s grid one year earlier, when power outages lasted for up to 6 hours.

Dragos researcher Joe Slowik has reassessed the 2016 attack involving Crashoverride and he believes that the attackers were actually hoping to cause more widespread outages and trigger a destructive event.

Russian hackers may have aimed for physical damage in Ukraine power grid attack

It was already known that the malware included a module designed to let attackers control circuit breakers and disrupt power by manipulating remote terminal units (RTUs), and a wiper module whose goal was to make recovery more difficult by deleting configuration and other files. During their initial analysis, researchers also uncovered a tool designed to exploit a known vulnerability in Siemens SIPROTEC protection relays (CVE-2015-5374) to cause the devices to enter a denial-of-service (DoS) condition.

Slowik believes that the goal of this tool was to cause relays to stop providing overcurrent protection once power was restored. This would expose transmission equipment to a power surge, which could cause physical damage, resulting in an even longer outage that would require fixing or replacing devices.

However, the attackers failed to disable the protective relays due to some errors in the DoS tool code. Moreover, the hackers attempted to disrupt hundreds of control systems at the targeted organization, but failed to compromise as many as they intended. This resulted in the 2016 attack actually causing less disruption than the 2015 incident.


Slowik has pointed out that even if the DoS attacks on the SIPROTEC relays had been successful, it’s unclear whether Electrum would have been able to achieve its presumed goal of causing physical damage. Industrial environments can have various other protection systems and mechanisms in place that may have mitigated the attack.
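The attack sequence described above, knocking protection relays out and then waiting for operators to re-energize unprotected lines, points to a safeguard that sits on the operator's side: restoration should not proceed while the relay protecting a line is unavailable. The script below is an added example written for this article, not code from Dragos or from the report; the event types, the relay-to-breaker mapping, the device names and the sample telemetry are all constructed for illustration. It merges relay health reports with breaker commands in time order and flags any close command issued while the guarding relay was last seen unhealthy, treating an unknown relay state as unhealthy.

```python
"""Pre-restoration safeguard check (added example; constructed data, not from the report)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RelayStatus:
    ts: int          # seconds since an arbitrary epoch (constructed)
    relay_id: str    # hypothetical relay identifier
    healthy: bool    # False = relay in defect/DoS state, protection unavailable


@dataclass(frozen=True)
class BreakerCommand:
    ts: int
    breaker_id: str  # hypothetical breaker identifier
    action: str      # "open" or "close"


# Which protection relay guards which breaker (constructed topology).
PROTECTION_MAP = {"BRK-1": "RLY-1", "BRK-2": "RLY-2"}


def lost_protection(relay_events: Iterable[RelayStatus]) -> List[str]:
    """Relays that transitioned from healthy to unhealthy, in order of first loss.

    This is the signal an operator wants during an incident: a relay dropping
    out at the same time as breaker manipulation is a reason to halt restoration.
    """
    last = {}
    lost = []
    for ev in sorted(relay_events, key=lambda e: e.ts):
        if last.get(ev.relay_id) is True and not ev.healthy and ev.relay_id not in lost:
            lost.append(ev.relay_id)
        last[ev.relay_id] = ev.healthy
    return lost


def find_unsafe_closes(
    relay_events: Iterable[RelayStatus],
    breaker_events: Iterable[BreakerCommand],
) -> List[Tuple[int, str, Optional[str]]]:
    """Return (ts, breaker_id, relay_id) for every close command issued while the
    protecting relay's latest status was unhealthy or unknown (fail closed)."""
    # Merge both streams; at equal timestamps, relay updates precede commands.
    timeline = sorted(
        [(e.ts, 0, e) for e in relay_events] + [(e.ts, 1, e) for e in breaker_events],
        key=lambda t: (t[0], t[1]),
    )
    relay_state = {}
    findings = []
    for ts, _, ev in timeline:
        if isinstance(ev, RelayStatus):
            relay_state[ev.relay_id] = ev.healthy
        elif ev.action == "close":
            relay = PROTECTION_MAP.get(ev.breaker_id)
            if relay is None or not relay_state.get(relay, False):
                findings.append((ts, ev.breaker_id, relay))
    return findings


# Constructed sample: RLY-1 drops out at t=100 (DoS), RLY-2 stays healthy.
SAMPLE_RELAY = [
    RelayStatus(0, "RLY-1", True),
    RelayStatus(0, "RLY-2", True),
    RelayStatus(100, "RLY-1", False),
]
# Both breakers opened during the outage, both closed during restoration.
SAMPLE_BREAKER = [
    BreakerCommand(50, "BRK-1", "open"),
    BreakerCommand(50, "BRK-2", "open"),
    BreakerCommand(200, "BRK-1", "close"),
    BreakerCommand(200, "BRK-2", "close"),
]

if __name__ == "__main__":
    print("relays that lost protection:", lost_protection(SAMPLE_RELAY))
    for ts, brk, rly in find_unsafe_closes(SAMPLE_RELAY, SAMPLE_BREAKER):
        print(f"t={ts}: close of {brk} blocked, protecting relay {rly} unavailable")
```

On the sample data only the close of BRK-1 is flagged, because RLY-1 was reported unhealthy before the restoration commands were issued, while BRK-2 behind the healthy RLY-2 passes. The unknown-state case is deliberately treated as unsafe, since a relay that has stopped reporting is exactly what a successful DoS would look like.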


“If CRASHOVERRIDE worked as ELECTRUM most likely intended, the potential outage would have been more widespread than 2015 given the number of transmission devices targeted. Additionally, the duration of the outage may have stretched to months or longer if disabling protection prior to system restoration yielded physical damage to transmission operations,” Dragos said in its report. “While the actual efficacy of CRASHOVERRIDE – even if it had worked as intended – remains unclear given a myriad of other controls and safeguards in electric transmission, the sequence of steps executed clearly demonstrates a more complex and concerning attack than past electric service disruptions.”

Related: Exaramel Malware Reinforces Link Between Industroyer and NotPetya

Related: Group That Caused Power Outage Stops Focusing Exclusively on Ukraine

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
