This article was updated on October 10, 2019.
2016 ended with reports of 2 electric utility organizations, on different sides of the world, citing cyberattacks or cyber infections. The first was the December 17, 2016 incident where a substation in Pivnichna, Ukraine was cut off from the main power grid, causing power outages to residential neighborhoods. Ukrenergo, a Ukrainian energy provider, said “Among the possible causes of failure are considered hacking and equipment malfunction.”
The second was the report that a laptop used by Burlington Electric in Vermont, U.S. was infected by malware attributed by the U.S. administration to a Russian hacking operation called Grizzly Steppe. Although the laptop was not connected to the utility’s grid system and no power system interruption occurred, the infection raised alarms about the cyber security and safety of U.S. critical infrastructure.
Example of ICS Security Breach Lifecycle
In the case of the Vermont utility incident, the level of threat a single infected laptop represents was certainly not underplayed by politicians who made comments like “This is a direct threat to Vermont and we do not take it lightly.”
While the politicians may not understand the full context, a single infected laptop can indeed represent a situation of high concern. That’s because critical infrastructure cyberattacks can be multi-faceted, prolonged campaigns that start in apparently innocuous ways.
While the December 2016 Ukraine cyberattack is still being analyzed, a somewhat similar December 2015 attack on the Ukraine electric system has been thoroughly studied. A well written report summarizing the earlier incident by Booz Allen Hamilton, “When the Lights Went Out: Ukraine Cyber security Threat Briefing”, highlights the 2015 attack’s complexity and duration as well as the high skill level of the attackers.
The report includes an attack walkthrough that identifies 17 steps:
| STEP | NAME | DESCRIPTION | LOCATION |
|---|---|---|---|
| 1 | Reconnaissance and Intelligence Gathering | Threat actors likely begin intelligence gathering on the target organization(s) from public sources. | External Infrastructure |
| 2 | Malware Development and Weaponization | Malware (“BlackEnergy 3”) is developed or acquired. Includes creating weaponized documents used to deliver the malware via email. | External Infrastructure |
| 3 | Deliver Remote Access Trojan (RAT) | Emails with malicious document attachments are sent to people in the organization, a technique known as phishing. | Corporate Network |
| 4 | Install RAT | Employees open the weaponized MS Office email attachments and enable macros. The malware is installed on the systems of 3 Ukrainian electricity distributors. | Corporate Network |
The Corporate Network is Infected via an Employee Computer
| STEP | NAME | DESCRIPTION | LOCATION |
|---|---|---|---|
| 5 | Establish Control and Command Connection | A connection is established between the target network and the attacker’s command and control (CC) server. | Corporate Network |
| 6 | Deliver Malware Plugins | The malware on the target network is updated to include plugin software to collect system access credentials and do reconnaissance activity on the internal network. | Corporate Network |
| 7 | Harvest Credentials | Credentials are collected and network discovery occurs. | Corporate Network |
| 8 | Lateral Movement and Target Identification on Corporate Network | The corporate network is explored to discover potential targets and expand access. | Corporate Network |
| 9 | Lateral Movement and Target Identification on ICS Network | Stolen credentials are used to access the control network and then do reconnaissance work on this network. | ICS Network |
The Industrial Control Network is Infected Via Stolen Credentials
| STEP | NAME | DESCRIPTION | LOCATION |
|---|---|---|---|
| 10 | Develop Malicious Firmware | Software called firmware is developed to impact a component of the ICS network called serial-to-Ethernet converters. | External Infrastructure |
| 11 | Deliver Data Destructive Malware | Destructive software called KillDisk malware is installed on the network share and a policy is set to execute upon system reboot. This will take place when attacks on breakers occur. | Corporate and ICS Network |
| 12 | Schedule UPS Disruption | The Uninterruptible Power Source (UPS), or backup power for telephone communication systems and data center systems is scheduled to be taken offline. | Corporate and ICS Network |
| 13 | Trip Breakers | Native Remote Access and valid credentials are used to open breakers and disrupt the power supply within 3 distribution areas. | ICS Network |
Power is Disrupted to over 225,000 Customers
| STEP | NAME | DESCRIPTION | LOCATION |
|---|---|---|---|
| 14 | Sever Connection to Field Devices | The firmware developed in Step 10 is delivered to the serial-to-Ethernet converters and connections between the control center and the substations are severed. | ICS Network |
| 15 | Telephone Denial of Service Attack | The telephone call center at one of the distributors is overwhelmed with automated calls, preventing customers from reporting outages. | Corporate Network |
| 16 | Disable Critical Systems Via UPS Outage | The previously scheduled outage of the UPS occurs, so that communication to remote sites, as well as the monitoring of power service, is disrupted. | Corporate Network |
| 17 | Destroy Critical System Data | The scheduled KillDisk malware attack is executed on targeted machines across the corporate and ICS networks, making them inoperable and destroying critical data. | Corporate and ICS Network |
Summary of the Attack Steps Taken to Cause the 2015 Ukraine Power Outage
Source: When the Lights Went Out: Ukraine Cyber security Threat Briefing, Booz Allen Hamilton
Defending Against Advanced Threats Requires a Multi-Layered Approach
The 2015 Ukraine power outage demonstrated that corporate computers can be the entry points for ICS cyberattacks. Therefore, while we do not know much about the malware found on the laptop of Burlington Electric, it is rightly a situation to be taken seriously, which thankfully has been done in this case.
Protection from prolonged attacks involving Advanced Persistent Threats, as the 2015 Ukraine attack was, require a multi-layered approach involving things like employee security awareness training, network segmentation, threat intelligence, strong passwords, multifactor authentication for remote access and more.
One type of defense that was called out in the Booz Allen Hamilton report is the use of OT monitoring environments that capture and correlate events. Such tools “take advantage of the predictability in control system traffic by establishing a baseline of ICS network communications and conduct active monitoring for anomalies.” Nozomi Networks’ Guardian is an innovative product that does just that, and is an example of how advanced cyber security technology is an important part of providing safe and reliable power globally.
If you would like to see how Nozomi Networks’ technology would have identified the Ukraine 2015 cyberattack, allowing early detection and mitigation, please contact us.
Related Links
Ukraine and Vermont Cyberattacks
- Boozallen.com: When the Lights Went Out: Ukraine Cyber security Threat Briefing
- Informationsecuritybuzz.com: Attack On Ukranian Power Company Causes Blackouts In Kiev
- Ibtimes.co.uk: Ukraine investigates possible cyberattack on power grid in Kiev
- WSJ.com: Cyberattacks Raise Alarm for U.S. Power Grid
- Washingtonpost.com: Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say
Nozomi Networks’ Real-time Cyber Security and Visibility Solution
- Solution Brief: Nozomi Networks
- Data Sheet: Guardian
- Case Study: Enel Power Company
ICS Security Specialist, Nozomi Networks
Heather MacKenzie has worked in the field of industrial cyber security since 2008, authoring over 150 articles and multiple white papers on the subject. She is passionate about helping IT/OT teams responsible for ICS networks understand their cyber risks, and how to use operational visibility and cyber security tools to build resiliency. As ICS Security Specialist at Nozomi Networks, Heather is actively working to protect the world’s critical infrastructure and manufacturing from cyber threats.