Throwback Attack: BlackEnergy attacks the Ukrainian power grid


People have come to rely on electricity, and once someone has it, it’s hard to let it go. As winter rapidly approaches, it is easy to understand why. Without electricity, there are no appliances, lights or heat, which could become dangerous quickly with plummeting temperatures. On Dec. 23, 2015, the people of the Ivano-Frankivsk area of Western Ukraine faced this exact situation after an unprecedented BlackEnergy cyberattack on the region’s power grid.

The massive, nation-state attack first struck the Prykarpattyaoblenergo control center, which, in turn, took out 30 substations. Two other distribution centers, Chernivtsioblenergo and Kyivoblenergo, were also hit at the same time but on a smaller scale. The attack left 230,000 residents without power. Two of the three distribution centers that were hacked lost power too, because the attack also took out the backup generators at the center. The electricity outage lasted up to six hours for residents, but the computers on-site that were infected couldn’t be salvaged.

BlackEnergy malware

Around 2014, a hacking group that used BlackEnergy malware started sending out supervisory control and data acquisition (SCADA)-related plugins to companies in the industrial control system (ICS) and energy markets. The BlackEnergy malware that was sent out during this time was a trojan created to launch distributed denial-of-service (DDoS) attacks, cyber espionage and information destruction attacks via a Word document or PowerPoint attachment. It arrived via an email that, in some cases, looked like it was sent from the Ukrainian parliament, according to TrendMicro.

This bait led victims into clicking the seemingly legitimate file. Once the attachment was opened, the user was instructed to run the macro in the document, which delivered the KillDisk feature that could render systems unusable. This allowed the hackers to find credentials, elevate privileges and execute lateral movement across the network, working their way to the centers’ SCADA systems. Once there, the malware was uploaded to serial-to-ethernet devices, which allowed the attackers to use remote administration tools on the operator workstations to access the ICS.
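The delivery vector described above depends on an Office attachment that carries a macro, so a mail gateway or analyst can triage attachments by container type before anyone opens them. The sketch below is an added example, not code from the article or from any investigation of this incident: it flags macro-bearing containers in general, not BlackEnergy specifically, and the function names and sample files are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # legacy .doc/.ppt/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.pptm) container
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE

def macro_indicators(data: bytes) -> list[str]:
    """Return reasons an attachment looks macro-bearing (empty list = none found)."""
    hits = []
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return ["malformed-zip"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            hits.append("ooxml-vba-project")
    elif data.startswith(OLE_MAGIC):
        # Heuristic: a VBA project storage appears as a directory entry name.
        if VBA_DIR_NAME in data:
            hits.append("ole-vba-storage")
    return hits

def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map flagged attachment names to their indicators."""
    scanned = {name: macro_indicators(blob) for name, blob in attachments.items()}
    return {name: hits for name, hits in scanned.items() if hits}

def _fake_ooxml(members: list[str]) -> bytes:
    """Constructed stand-in for an Office file: right container, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"placeholder")
    return buf.getvalue()

# Constructed samples, not real documents or malware.
SAMPLES = {
    "report.docx": _fake_ooxml(["[Content_Types].xml", "word/document.xml"]),
    "schedule.docm": _fake_ooxml(["[Content_Types].xml", "word/vbaProject.bin"]),
    "slides.ppt": OLE_MAGIC + b"\x00" * 64 + VBA_DIR_NAME,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

A hit means only that the file can carry macros; pairing this check with a policy that blocks macros in files arriving from email addresses the "run the macro" prompt the article describes.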

Ukraine attack timeline

At 3:30 p.m., operators were nearing the end of their day; however, the attack was already in progress. In fact, it had been in the works for six months, starting out as phishing emails that contained the BlackEnergy malware. This method is noteworthy because in many cyberattacks, hackers use a coding error or vulnerability in software. In this case, however, the hacking group used an intentional feature in the Microsoft Word program, which was the perfect way to disguise the hack to play the long game.

This attack clearly took time and extensive planning. According to a Wired article, the hackers were skilled and stealthy strategists. They had to first study the networks and gain access to the necessary information and credentials before they were able to launch a synchronized assault.

In the same Wired article, Robert M. Lee, who assisted in the investigation and is the co-founder of Dragos Security, was quoted as saying, “In terms of sophistication, most people always [focus on the] malware [that’s used in an attack]. To me, what makes sophistication is logistics and planning and operations and ... what’s going on during the length of it. And this was highly sophisticated.”

Once the malware had infected the ICS, it was only a matter of time before the threat actors began their endgame. They were able to remotely switch off substations at the energy companies.

There were multiple parts to this masterful attack. First, the threat actors were able to disable and ruin information technology (IT) infrastructure components such as uninterruptible power supplies, modems, RTUs and commutators. With the KillDisk aspect of the attack, they could delete essential system files stored on servers and workstations, which caused infected computers to crash and become unsalvageable. Then, the denial-of-service attack on the call center prevented customers from getting the latest news on the blackout.

Russian-Ukrainian conflict

This attack took place during an ongoing conflict between Russia and the Ukraine, which began when Russia annexed Crimea in 2014. The Crimean authorities then started to nationalize Ukrainian-owned energy companies, which angered Ukrainian owners. Pro-Ukrainian activists retaliated by physically attacking substations feeding power to Crimea, causing 2 million Crimean residents and a Russian naval base to lose power in the region Russia had annexed. The Ukrainian cyberattack, which happened soon after, was attributed to Sandworm, a Russian hacking group the Ukraine and allies had been dealing with since 2007.

However, it wasn’t until February 2016 that U.S. Deputy Energy Secretary Elizabeth Sherwood-Randall pinned the attack on Russia, according to a University of Washington article. This led investigations toward Sandworm, rather than toward a different Russian hacking group, Advanced Persistent Threat 28 (APT28) or “Fancy Bear,” the Ukraine had originally suspected of the crime. The presence of BlackEnergy3 helped confirm the Sandworm suspicions.

A year later, in February 2017, Ukrainian officials formally attributed the attack to Russian security services and Sandworm. While the Sandworm team seems to be linked to the Russian government, there is no hard evidence to prove their involvement. Russia has had a long, underlying interest in the Ukraine, though. The goal was to stop the Ukraine from turning to Europe and make them dependent on Russia’s energy sources rather than using their own. Russia certainly had the motive and resources, but their ambiguous relationships with cyber warfare groups and stated policies give them plausible deniability.

The effect of BlackEnergy

The attack on the Ukraine’s power grid not only showed how much damage can be done to critical infrastructure, but it also weakened the trust Ukrainian customers had in their power companies and government. And the Ukraine was not the only country to fall victim to BlackEnergy. Variants of BlackEnergy have also infected systems in Europe and the U.S. A Reuters article quoted Eric Cornelius, managing director of the cybersecurity firm Cylance Inc. and the former Department of Homeland Security (DHS) official responsible for securing critical infrastructure, as saying, “It’s not a major stretch to conclude the difference in the outcomes of the attacks in the Ukraine vs. those in the U.S. were an issue of intent not capability.”

This attack on the Ukraine may have been the first known successful strike on a power grid, but the threat on power grids is far from over. When taking inventory of the critical infrastructure of the U.S., it is easy to point out vulnerabilities. These have been discussed for years, but they have become an essential topic of discussion this year, after attacks against Colonial Pipeline and JBS Foods.

According to an ITProPortal article, the Council on Foreign Relations stated, “The U.S. power system is as vulnerable — if not more vulnerable — to a cyberattack as systems in other parts of the world. As a matter of fact, the U.S. power grid may be much more vulnerable than many other countries’ power grids and is likely to become even more vulnerable because of its increased dependence on IT systems.”

To combat these vulnerabilities, the government has started to implement various initiatives such as the Executive Order on Improving the Nation’s Cybersecurity, the 100-day electric plan and the National Security Memorandum on critical infrastructure cybersecurity, to name a few. These efforts call both the private and public sectors to action, imploring them to work together to create a safer and more secure infrastructure to protect against these kinds of cyberattacks.



