‘In the Ukraine there was a huge wave of attacks going on. None of the attacks were targeted at maximum damage. Interaction, yes. Sabotage, yes. But no maximum damage.’
By Gregory Hale
Ukraine did suffer another cyberattack on its electric grid, one that shut down power in Kiev for an hour in December 2016. However, the attack went much deeper than the grid. It was a systemic attack hitting key governmental and infrastructure points across the country.
The attack ended up being very similar to the attack that struck the Ukrainian power grid in December 2015.
But unlike the 2015 cyberattack, which cut out 27 power distribution operation centers across the country and affected three utilities in western Ukraine, the December 2016 attack hit the transmission-level substation Pivnichna, a remote power transmission facility, and shut down the remote terminal units (RTUs) that control its circuit breakers, causing a power outage of about an hour.
“In the Ukraine there was a huge wave of attacks going on,” said Marina Krotofil, lead security researcher at the Honeywell Industrial Cyber Security Lab and an investigator on the utility attack, during an interview with ISSSource. “None of the attacks were targeted at maximum damage. Interaction, yes. Sabotage, yes. But no maximum damage. Attackers shut down the RTUs which controlled circuit breakers. So, basically the RTUs were sent offline; there was a command that said go offline and shut down. If the RTUs are not controlling the circuit breakers, they would fail open, and this is how the substation disconnected from the power grid. (The attackers) could have done so much more, but they did not. Very quickly the RTUs were put online and everything was reconstructed, and within an hour everything was working.”
Krotofil said they have theories on who did this and why they did it, “but we cannot talk about it right now.”
“As you can see from the entire Ukraine, the power utility was just part of the picture. The entire Ukraine was attacked. It seems within this specific campaign in December there was no intention to cause maximum damage anywhere. It doesn’t matter what was attacked, railway, or power utility or governmental organization there was no major damage,” she said. “I am not claiming the attackers won’t do more damage in the future.”
By comparing the incident with last year's attack, investigators were able to make out a relationship between the two.
“It was unique in the sense the style was very recognizable from other attacks from last year. You go to the host, you look for the same looks and you find them. You can clearly recognize the style,” Krotofil said.
Then she added an ominous note.
“The attack group clearly became more sophisticated and more organized,” Krotofil said. “The level of sophistication and preparedness and organization was significantly higher from last year.”
Sites with little technology on site are sometimes easy to attack because nobody considers them worth securing; however, that was not the case at the Pivnichna substation.
“This was one of the most highly automated substations in Ukraine,” Krotofil said. “It was not clear if it was selected on purpose or not because there were a lot of YouTube videos on the substation. There was a lot of publicity because this was one of the substations that was just upgraded with all of the latest automation technology. While it ran some old systems, it was highly automated and there was a lot of public information on it.”
Having more technology on site than other substations turned out to be a benefit for the investigators, who were able to go in and retrieve logs to start the forensics process.
“Some logs were cleaned up and many were collected, but the problem was there was not a large team conducting the investigation, so collecting the huge amount of logs took time, which is why we were not confirming (it was an attack) until very late, because UkrEnergo, the national power company that oversees the Pivnichna substation and others, really wanted to make sure all logs were analyzed so there was no stone left unturned, because if there was any kind of claim it would be so highly criticized or analyzed by the entire world, and this is what they wanted to avoid.”
Was the Attack Preventable?
With an attack on an electric utility such as the one in Kiev, Ukraine, the question has to be asked: What could have been done to prevent the incident from happening?
“They could not have avoided this attack because it is very targeted,” said Marina Krotofil, lead security researcher at the Honeywell Industrial Cyber Security Lab. “The attacker wanted to get in.”
Any dedicated attacker that is well financed and has the time and energy to focus on a specific target will most likely succeed. But it doesn’t have to be that way.
What is at issue is that manufacturers are only at the beginning stages of implementing security programs at their facilities.
“Now the entire world is going from old infrastructure to updating switches, to perimeter security which are the first steps to be done to start security. Many companies are in the opening stages, but there are industries like oil and gas that are more advanced. It is a very slow process,” Krotofil said.
In this attack, the intruder put all of their effort into getting through the perimeter.
“Once the intruder is in the perimeter, they will try to blend in as soon as possible,” she said. “They will obtain some legitimate credentials and they will start acting using the legitimate credentials. Once they blend in, no network monitoring will show you because you have legitimate credentials so then you have to start doing behavioral monitoring.
“Specifically, in this case, the intruder was determined to get in; no organization could prevent this type of attack. Only a few very prepared organizations could prevent this type of attack.”
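The point Krotofil makes above, that an intruder holding legitimate credentials is invisible to signature-based network monitoring and only stands out against a behavioral baseline, is easiest to see with a small worked example. The following code is an added illustration, not from the original article, Honeywell, or the investigation: it builds a per-account profile (usual source hosts, usual target hosts, usual hours) from a window of successful logons and then flags later successful logons that deviate from it. All host names, account names, and events are constructed for the example.

```python
"""Behavioral baseline over successful logon events.

Added example, not from the article or the investigation. The events below are
constructed: account names, hosts and timestamps are invented for illustration.
Every event is a *successful* logon with valid credentials, so nothing here
would trip an authentication-failure rule; only the deviation from the
account's own history does.
"""
from collections import defaultdict
from datetime import datetime

# (account, source host, target host, ISO timestamp) -- constructed baseline window.
BASELINE_EVENTS = [
    ("oper1", "ws-ops-01", "hmi-01",    "2016-11-02T07:10:00"),
    ("oper1", "ws-ops-01", "hmi-01",    "2016-11-03T07:05:00"),
    ("oper1", "ws-ops-02", "hmi-02",    "2016-11-04T15:20:00"),
    ("eng2",  "ws-eng-01", "rtu-gw-01", "2016-11-07T10:30:00"),
    ("eng2",  "ws-eng-01", "rtu-gw-01", "2016-11-14T11:45:00"),
    ("eng2",  "ws-eng-01", "hmi-01",    "2016-11-21T09:00:00"),
]

# Constructed events to score. The second and third use a real engineering
# account, but from a corporate host, late at night, and (third) against a
# gateway that account has never touched.
NEW_EVENTS = [
    ("oper1", "ws-ops-01",   "hmi-01",    "2016-12-17T07:02:00"),
    ("eng2",  "corp-fin-07", "rtu-gw-01", "2016-12-17T23:52:00"),
    ("eng2",  "corp-fin-07", "rtu-gw-02", "2016-12-17T23:55:00"),
]


def build_baseline(events):
    """Return {account: {"src": set, "dst": set, "hours": set}} from past logons."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for user, src, dst, ts in events:
        p = profile[user]
        p["src"].add(src)
        p["dst"].add(dst)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def _hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(profile, event, hour_slack=1):
    """Return a list of human-readable reasons the event deviates from baseline.

    An empty list means the logon looks like the account's normal behavior.
    """
    user, src, dst, ts = event
    if user not in profile:
        return ["account never seen in baseline"]
    p = profile[user]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if src not in p["src"]:
        reasons.append(f"new source host {src}")
    if dst not in p["dst"]:
        reasons.append(f"new target host {dst}")
    if not any(_hour_distance(hour, h) <= hour_slack for h in p["hours"]):
        reasons.append(f"off-hours logon at {hour:02d}:00")
    return reasons


def find_anomalies(profile, events, min_reasons=1):
    """Return [(event, reasons)] for events with at least min_reasons deviations."""
    hits = []
    for event in events:
        reasons = score_event(profile, event)
        if len(reasons) >= min_reasons:
            hits.append((event, reasons))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for event, reasons in find_anomalies(baseline, NEW_EVENTS):
        print(event, "->", "; ".join(reasons))
```

The routine operator logon scores zero reasons; the two engineering-account logons score two and three, even though every credential involved is genuine. A real deployment would build the baseline from months of domain-controller and jump-host logs and add context such as the privilege of the target host, but the principle is the one Krotofil describes: once the attacker has valid credentials, the account's history is the only thing left to compare against.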
With the 2015 attack, from the first minute of the attack it was obvious it was a cyber incident “because the first steps of the attack were executed through the HMI and operators saw the mouse moving in front of them and they had no control of the mouse pointer,” Krotofil said. “This year, there was no such immediate evidence it was a cyber incident because the substation just went offline.
“What UkrEnergo immediately announced on Facebook was it could be a technical failure or it could be a cyber incident. We just don’t know. In January, we officially confirmed from the State it was an attack.”
While Krotofil did not name who carried out the attack, she did say the attackers had some external financial backing, because it was a very prolonged attack carried out by experienced people.
“It was obviously part of an attack going on in Ukraine because almost every governmental organization in Ukraine was hacked. All online resources, web pages and sites were attacked. It was a huge campaign in Ukraine; it is still ongoing. My collaborators have gotten engaged in so many investigations in multiple organizations they can start seeing connections and getting deeper into the attribution. Which country is doing it we don’t know, but it has been multiple APTs (advanced persistent threats) for a very prolonged time and it was very professionally done and it was not for financial gain so somebody had to sponsor this campaign.”
On top of that, there was a concerted effort with some very smart professional hackers taking part in the event.
“It was 15 governmental organizations. It was the port authority, treasury, minister of finance, minister of defense, railway, critical infrastructure of government. Even as the security services of Ukraine have stated, power and railway are not regulated from a security standpoint; they are responsible for security themselves. Any governmental online resources, any servers, any websites, we have a ministry for that; they are all tested against attacks and they are verified. Any architectures and solutions are tested by the security professionals. So, anyone that attacks those areas needs to have time and resources to find a way around it.”
The attack was well crafted.
“For a majority of the organizations, it was so well done including mimicking official web site pages, there were some stolen documents with embedded macros with a signature stamp on them,” Krotofil said. “This did not happen at the utility, but it did happen in other organizations.”
The attack took quite a bit of effort to get inside the infrastructure, to blend into the infrastructure and to obtain legitimate credentials. It was very well planned and studied. The attacker took effort and time to study all the details of the infrastructure.
“It is important to understand, it was not a malware attack where it was one piece of code that went in and did all the work. It was several groups working together. Most likely there was a mastermind behind the campaign.
“First you purchase capabilities. For example, a container which delivers the macros into the network with malicious code that will later call into the command and control server. That was Hancitor. There is a cybercriminal group that maintains Hancitor, which is a container that avoids detection and reliably delivers a malicious payload into the victim organization and calls back to the command and control center. You can purchase the capability from a cybercriminal group and tap into their expertise. Then once that is done, a completely different set of people will do manual work to perform reconnaissance on the network, like scan the network, scan for vulnerabilities, and find a vulnerable host. When you find the vulnerable host, you will exploit it and ship another set of tools. So, it is not just one piece of malware, it is a campaign. There are multiple tools used in every step in the timeline of the campaign.
“Last year Killdisk was used, but it was used in the final step of the campaign and was shipped over later. There were a lot of different actions, many people involved using different tools, different malicious codes. As they progressed, sometimes they stumbled and they had to create malicious malware specific to that organization, very customized. The attack on the power grid this year was no different than the one last year. My collaborators analyzed the timeline from last year and they have been showing examples from last year on how things happened, like how much malicious code was customized. The attackers learned about the victim organization and they wrote malicious code for the victim organization.”
“The malware in the container that delivered the macros is insane; it is absolutely insane,” Krotofil said. “It is a group of people who constantly do nothing but work on improving the capabilities of the container and the detectabilities. If you look at samples two weeks apart, they have 500 builds – 500 — that shows how many hands worked on the malware to improve its undetectability. The criminal groups are improving their undetectability.”
Krotofil said she learned quite a bit from the attack, but it wasn’t just the technology and the attack methods, it was also how people and governments reacted.
“It is becoming the standard practice to turn off the lights. What is shocking is, when the lights went down last year and somebody deliberately shut them down, no government in the world stood up and said, you know what guys, this was an attack on civilians. This is a military attack. Whenever the consequence could be physical casualties, this is not OK. This is an act of war. No government stood up and said this is an act of war. So, when the red line was crossed, everyone was OK with that. So, they just shut down the lights again. What if it caused a chain effect, if the electricity was out longer than the back-up power at a medical facility? That could cause casualties. This is not OK. This seems to be the new normal.”