Sounds like one of Ukraine's power company systems was not fully on a
closed network (intranet). These hacks would be prevented if they were not accessible
over the Internet. - FUA
A "synchronized and coordinated" cyberattack in December left parts of
western Ukraine without power, US officials have confirmed.
The cyberattack, which left more than 225,000 customers in the dark two days
before Christmas last year, was caused by remote intrusions at three regional
electric power distribution companies, according to a report by Homeland Security.
Hackers thought to be associated with a Russian hacking group are said to
have used malware to destroy data on hard drives, and then to have flooded the
companies' phone lines with a denial-of-service attack.
Ukraine's energy ministry also suggested earlier this month that the attack was
linked to hackers based in Russia, falling short of outright accusing the Kremlin
of orchestrating the attack.
Relations between the two countries have been fraught since Russia annexed the
Crimean peninsula in March 2014 amid an escalation of violence in the country.
Homeland Security did not speculate on who was behind the attack, but noted
that its assessment was based on interviews with six organizations impacted by
the blackout, pending a further technical analysis.
According to the report:
"The cyber-attack was reportedly synchronized and coordinated,
probably following extensive reconnaissance of the victim networks. According to
company personnel, the cyber-attacks at each company occurred within 30 minutes
of each other and impacted multiple central and regional facilities. During the
cyber-attacks, malicious remote operation of the breakers was conducted by
multiple external humans using either existing remote administration tools at
the operating system level or remote industrial control system (ICS) client
software via virtual private network (VPN) connections. The companies believe
that the actors acquired legitimate credentials prior to the cyber-attack to
facilitate remote access.
All three companies indicated that the actors wiped some systems by
executing the KillDisk malware at the conclusion of the cyber-attack. The
KillDisk malware erases selected files on target systems and corrupts the master
boot record, rendering systems inoperable. It was further reported that in at
least one instance, Windows-based human-machine interfaces (HMIs) embedded in
remote terminal units were also overwritten with KillDisk. The actors also
rendered Serial-to-Ethernet devices at substations inoperable by corrupting
their firmware. In addition, the actors reportedly scheduled disconnects for
server Uninterruptable Power Supplies (UPS) via the UPS remote management
interface. The team assesses that these actions were done in an attempt to
interfere with expected restoration efforts."
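The pattern the report describes (operators' credentials reused over VPN, breakers then operated from remote ICS client sessions, and all three companies hit within 30 minutes of each other) is the kind of thing a utility's log review should be able to surface. The script below is an added example written for this page; it is not code from the article, from Homeland Security, or from any of the affected companies. It assumes a constructed, simplified log format (one line per event: timestamp, site, event type, user, then key=value fields) and the sample lines are made up for illustration. It flags breaker operations performed by an account that had recently logged in over VPN at the same site, reports the largest set of sites whose flagged operations fall inside one 30-minute window, and lists VPN source addresses seen at more than one site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one line per event in the
# hypothetical format "<timestamp> <site> <event_type> <user> key=value ...".
SAMPLE_LOG = """\
2015-12-23T15:02:11 siteA vpn_login   opsuser1 src=203.0.113.7
2015-12-23T15:05:40 siteA ics_session opsuser1 host=HMI-01
2015-12-23T15:07:02 siteA breaker_op  opsuser1 breaker=B-12 action=OPEN
2015-12-23T15:09:55 siteB vpn_login   opsuser2 src=203.0.113.7
2015-12-23T15:14:20 siteB breaker_op  opsuser2 breaker=B-03 action=OPEN
2015-12-23T15:20:33 siteC vpn_login   opsadmin src=198.51.100.4
2015-12-23T15:28:01 siteC breaker_op  opsadmin breaker=B-21 action=OPEN
2015-12-23T16:40:00 siteA breaker_op  fieldtech breaker=B-12 action=CLOSE
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, site, kind, user = parts[:4]
        attrs = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        events.append({"ts": datetime.fromisoformat(ts), "site": site,
                       "kind": kind, "user": user, **attrs})
    return sorted(events, key=lambda e: e["ts"])


def remote_breaker_ops(events, session_window=timedelta(hours=8)):
    """Return breaker operations issued by an account that logged in over VPN
    at the same site within session_window beforehand. Operations by accounts
    with no preceding VPN login (e.g. a field technician on site) are not flagged."""
    last_vpn = {}  # (site, user) -> time of the most recent VPN login
    flagged = []
    for e in events:  # events are time-ordered, so one pass is enough
        key = (e["site"], e["user"])
        if e["kind"] == "vpn_login":
            last_vpn[key] = e["ts"]
        elif e["kind"] == "breaker_op":
            t = last_vpn.get(key)
            if t is not None and e["ts"] - t <= session_window:
                flagged.append(e)
    return flagged


def coordinated_sites(ops, window=timedelta(minutes=30)):
    """Largest set of distinct sites whose flagged operations all fall inside
    one window (the report's "within 30 minutes of each other")."""
    ops = sorted(ops, key=lambda e: e["ts"])
    best = set()
    for i, first in enumerate(ops):
        sites = {e["site"] for e in ops[i:] if e["ts"] - first["ts"] <= window}
        if len(sites) > len(best):
            best = sites
    return best


def shared_vpn_sources(events):
    """Map each VPN source address to the sites it logged in to, keeping only
    sources that reached more than one company's VPN."""
    sites_by_src = defaultdict(set)
    for e in events:
        if e["kind"] == "vpn_login" and "src" in e:
            sites_by_src[e["src"]].add(e["site"])
    return {src: s for src, s in sites_by_src.items() if len(s) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    remote = remote_breaker_ops(evs)
    for e in remote:
        print(f"{e['ts']} {e['site']} {e['user']} {e['breaker']} "
              f"{e['action']} (issued from a VPN session)")
    print("sites hit inside one 30-minute window:",
          sorted(coordinated_sites(remote)))
    print("VPN sources seen at more than one site:", shared_vpn_sources(evs))
```

On the constructed input, the three OPEN operations are flagged because each follows a VPN login by the same account, the CLOSE by the on-site technician is not, all three sites land in a single 30-minute window, and one source address appears at two sites. In a real deployment the VPN concentrator, jump host and ICS client logs would need to be joined on a shared clock and account namespace first; the threshold values here are illustrative.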
The report noted that BlackEnergy malware was found on the networks of each
of the three companies; it had been delivered through specifically targeted
spearphishing emails carrying malicious Microsoft Office attachments.
The attackers may have used that initial foothold to obtain the user credentials
later used against the impacted systems, but the report warned that this was
still under review.
An earlier study showed that 82 percent of vulnerabilities in Microsoft Office
could be mitigated by removing users' administrative access to the computer.